Data access
Asset Manager supports subtenants, which isolate assets for the customers of a tenant, and policy-based access control, which provides fine-grained and flexible access control.
Subtenants
A subtenant allows an isolated data view on assets for customers of a tenant. Within the isolated data view, the subtenant users can only view their assets. The subtenant users are able to view all aspects and types of the tenant. Furthermore, the tenant admin is responsible for creating assets for the subtenant or moving some assets from the tenant to the subtenant. A subtenant groups the users that can only access assets that are explicitly assigned to the subtenant. For more information about subtenancy, refer to Using Subtenancy. For the steps to create a subtenant, refer to the Settings documentation.
You can identify subtenants by their label.
The following graphic shows the label of a subtenant in the selection list:
Delete subtenants
You can delete a subtenant in Settings or with the Tenant Management Service API. A tenant can delete a subtenant. After the deletion, the subtenant users will no longer have access to that subtenant. The subtenant and the asset structure of the subtenant will still be displayed in the user interface. The tenant can then move or delete the assets.
Example scenario using subtenants
A German wind turbine manufacturer sells their products to different wind parks in the country. As an additional product, the manufacturer provides subtenants in their tenant to give the customers access to data of several sensors of the wind turbines.
For this, the tenant admin of the manufacturer creates subtenants for each customer in Settings after selling the product. The customers' employees receive Insights Hub user accounts that are assigned to the sold subtenant. The manufacturer then assigns the asset with the sensor data of the wind turbines to the customers' subtenant. The tenant admin assigns each user of the customer to the created subtenant.
Finally, every subtenant user sees the assigned asset with the sensor data of the wind turbines in Insights Hub.
Policy based access control
At a high level, a policy is a mapping of three entities: subjects, actions, and resources/resource groups. It specifies which users get access, which resources are accessible, and which actions are allowed on those resources (add, delete, read, write, etc.). Once you have configured and activated policies, users will be able to see only the assets they have access to.
For more information about policy based access control, refer to the Resource Access Management documentation. For the steps to create a policy, refer to the Settings documentation.
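The subject/action/resource mapping described above can be modelled as follows. This is an added example, not Insights Hub code or its policy schema: the field names, action strings, sample users, assets and groups, and the default-deny handling of inactive policies are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Conceptual model only: field names, action strings and the default-deny rule
# are assumptions for illustration, not the Insights Hub policy schema or API.

@dataclass(frozen=True)
class Policy:
    subjects: frozenset      # user ids the policy applies to
    actions: frozenset       # e.g. {"read", "write"}
    resources: frozenset     # asset ids or resource-group names
    active: bool = True      # only activated policies are evaluated


def expand(resources, groups):
    """Resolve resource-group names into the asset ids they contain."""
    assets = set()
    for r in resources:
        assets |= groups.get(r, {r})   # a non-group entry is a single asset id
    return assets


def is_allowed(user, action, asset, policies, groups):
    """Default deny: allow only if an active policy maps user+action to the asset."""
    return any(
        p.active and user in p.subjects and action in p.actions
        and asset in expand(p.resources, groups)
        for p in policies
    )


def visible_assets(user, all_assets, policies, groups):
    """Assets the user can see, i.e. those with an allowed 'read' action."""
    return sorted(a for a in all_assets if is_allowed(user, "read", a, policies, groups))


# Constructed sample data (hypothetical users, assets and groups).
GROUPS = {"park-north": {"turbine-1", "turbine-2"}}
ASSETS = {"turbine-1", "turbine-2", "turbine-3"}
POLICIES = [
    Policy(frozenset({"alice"}), frozenset({"read"}), frozenset({"park-north"})),
    Policy(frozenset({"bob"}), frozenset({"read", "write"}), frozenset({"turbine-3"})),
    Policy(frozenset({"alice"}), frozenset({"write"}), frozenset({"turbine-3"}), active=False),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, visible_assets(user, ASSETS, POLICIES, GROUPS))
```

In this model a user with no matching active policy sees no assets, and a configured but not yet activated policy grants nothing.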