
Resource Access Management

Idea

Secure Data Sharing (SDS) enables you to create and manage fine-grained access rights. It is based on the industry-standard Policy Based Access Control (PBAC) paradigm, a framework for centrally managing permissions on business resources. SDS complements the existing MindSphere access management capabilities, which are based on the Role Based Access Control (RBAC) framework. SDS encompasses several MindSphere services to meet the fine-grained access needs of enterprises. One of the key backend services is Resource Access Management (RAM), which provides an interface to configure and manage policies for several business objects.

Access

During the first stage of general availability, by default, Secure Data Sharing Policies are not activated in your environment. To gain access, please contact our support team.

User Permissions

Be aware that when Secure Data Sharing Policies are enabled on your environment, all [Standard Users] and [Subtenant Users] lose access to all SDS-protected resources. You will have to create policies to grant access again.

For accessing the [Policy Editor] in the [Settings] application, you need to have the respective roles listed in Resource Access Management roles and scopes. By default, these are enabled for users with the role Tenant-Administrator.

Basics

Once RAM is enabled for your environment, all access to the resources participating in RAM (Assets, Files, Events, Timeseries data) is denied by default. Access can then only be granted via policies.

Note

Please note that once RAM is enabled for your environment, it takes up to 1 hour to take effect. Similarly, requests for a Policy quota upgrade also take up to 1 hour to take effect.

Exceptions

There are some exceptions to this rule:

- A user having the role Tenant-Administrator is allowed unrestricted access to all the assets, events and timeseries data of that environment.
- A user having the role Data Lake Manager is allowed unrestricted access to all folders and files in [IDL] inside this environment.
- A technical user has unrestricted access to all the resources of the environment tenant, irrespective of whether the user is added to a policy.

Policy

A policy, at a high level, consists of a mapping of 3 entities, namely [subjects], [actions], and [resources].

A policy states that a given set of subjects is allowed to perform a given set of actions on a specified set of resources. A set of actions and a set of resources are bound together by a rule, and a policy can have multiple rules. These terms are explained below.

Since a policy always grants access and has no provision to deny access, overlapping policies, where the same user is granted access via multiple policies, do not conflict and have no additional effect.

A policy can be deactivated at any time, and a policy is bound to the environment.

To understand the Policy schema in detail, please refer to the Resource Access Management API Specification.
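As an added illustration (not MindSphere code and not the RAM policy schema, which is defined only in the API Specification), the following Python evaluator implements the semantics described in this section and under Exceptions: default deny once RAM is enabled, grant-only policies made of rules that bind actions to resources, deactivated policies granting nothing, and the role-based exceptions. The data layout, action names, resource ids and the `resource_kind` parameter are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    actions: set      # constructed action names, e.g. {"asset:read"}
    resources: set    # constructed resource ids, e.g. {"asset:A1"}

@dataclass
class Policy:
    name: str
    subjects: set     # user ids and/or role names the policy applies to
    rules: list       # a policy can hold several rules
    active: bool = True   # a deactivated policy grants nothing

def is_allowed(user, action, resource, resource_kind, policies):
    """Grant-only, default-deny evaluation as described on this page.
    `resource_kind` ("asset", "event", "timeseries", "file", "idl") is an
    assumed parameter used only to apply the role-based exceptions."""
    roles = set(user.get("roles", ()))
    # Exceptions: these subjects need no policy at all
    if user.get("technical_user"):
        return True
    if "Tenant-Administrator" in roles and resource_kind in {"asset", "event", "timeseries"}:
        return True
    if "Data Lake Manager" in roles and resource_kind == "idl":
        return True
    # Otherwise only an active policy can grant; nothing can deny, so the
    # first matching rule decides and overlapping policies never conflict
    subjects = {user["id"]} | roles
    for policy in policies:
        if not policy.active or not (policy.subjects & subjects):
            continue
        if any(action in r.actions and resource in r.resources for r in policy.rules):
            return True
    return False  # default deny once RAM is enabled

# Constructed sample data for a quick check
SAMPLE_POLICIES = [
    Policy("ops-read", {"u-ops"}, [Rule({"asset:read"}, {"asset:A1", "asset:A2"})]),
    Policy("old-write", {"u-ops"}, [Rule({"asset:write"}, {"asset:A1"})], active=False),
]
OPS_USER = {"id": "u-ops", "roles": {"Standard User"}}
ADMIN = {"id": "u-adm", "roles": {"Tenant-Administrator"}}
```

Note that in this model a Tenant-Administrator is exempted only for assets, events and timeseries data, exactly as the Exceptions list states; access to IDL files still requires the Data Lake Manager role or a policy.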

Limits

There are certain limits on the number of policies and on a few internal objects within a policy. These are listed in Policy Limits.

Known Issues

For any known issues, refer to Known Issues.



Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.


Last update: July 29, 2022