MindSphere Remote Service: Setting Things Up - Users and Access
In this section we outline how to create regional sub-organizations, which contain Sites, which in turn represent Device Networks and their Devices. Next, we grant the respective MRS-specific user rights to selected users, as outlined in the process sketch below.
Note: The setup and configuration of this documentation's reference tenant, its users, Sites and Devices can be found in the chapter Sample setup used in documentation.
Note: Unlike VPNs, which were designed for 1:1 connectivity, MRS supports many:many connectivity. In such a setup two or more business partners and their networks may be involved. It is therefore important to set the access rights accordingly, to avoid unwanted mutual access, as suggested by the sketch below, which assumes one Service Provider (or OEM) servicing two Machine Operators and the devices in their respective Device Networks.
Example: Administrator creates a Regional Sub-Organization
As outlined in section Concepts used in MRS and described in the sample setup used in this documentation, the topmost administrative level of an Organization that purchased MRS is the tenant's "root node". Below that there may be multiple sub-organizations (so-called Regional Tenants) and eventually Sites, which comprise the Devices you want to connect to.
We start by creating a Regional Tenant named Europe using MRS V1. The tenant administrator opens the tile "Structure Management".
The context menu shows the different options; select "Add New".
Provide the name Europe and click "add to tree".
The Regional Tenant Europe is now available in the MRS tree structure on the left of your screen. Further Regional Tenants may be added in a similar way.
Example: Administrator creates a Site representing a Device Network
Next, a tenant administrator creates a Site Munich within the already available Regional Tenant Europe. Select this Regional Tenant and click "Add Site" in the top right corner of the MRS screen.
Fill in the mandatory and optional Site information and finish this setup step with the button "Save".
Example: Administrator registers a Device with a Site
Select Site Munich from the tree on the left. Then click "New Device" in the top right corner of this screen's Device section.
The next screen allows you to specify mandatory and optional aspects of the new Device, such as its name IPC m01 or its configuration as an Endpoint (or even a gateway, see section Advanced connections) plus further contact or location data.
You may also tag a Device with a Product Type (here: IPC for SCADA), which will be created further below.
After pressing "Save" the newly created Device IPC m01 is available in the MRS organization tree on the left. If needed, the Device setup may be edited.
Example: Administrator creates a Product Type for access to PC-type Devices
Section Concepts used in MRS outlines the Product Type concept, which allows filtering of, and access restrictions on, Devices tagged with a particular Product Type value. This setup is done by a tenant administrator within MRS V1 using the tile "Structure Management" and then navigating to Product Type.
Using the context menu in the Product Type tree, select "Add New" to create a new type.
Here we create the Product Type PC for any app, which we will later use to tag registered Devices.
After pressing "Add to tree" the new Product Type PC for any app shows up in the respective tree on the left.
Example: Administrator grants MRS- and Device-specific rights to a registered user
Section Concepts used in MRS outlines the MRS-specific roles that may be assigned to users already registered in the MindSphere tenant to which MRS was deployed. We now assign a user named user.europe the MRS role of Remote User by using the "User Management" tile in MRS V1 and then switching to the "Users" menu.
After opening (or creating) the user user.europe, the function "Associate Roles" allows assigning MRS-specific roles to that user. Here we select "ng.role.remote_user".
Next, we may assign "Attribute Based Grants" defining which parts of the organizational tree or which Product Types user.europe may access.
After clicking "Add Organizational Structure" in the previous screen we specify the organizational sub-tree (here: Europe) this user may work with. Confirm the setup with the button "Select".
In a similar way we may grant access to Devices tagged with certain Product Types. In this particular case we select PC for any app, defined above, plus two others.
The updated access rights now show up. In a similar way we assign the MRS-specific role ng.role.remote_user.
All access grants related to user.europe now show up in the list of Attribute Based Grants.
Info: If you use MRS V2, you may check a user's MRS-specific rights via the "users" icon in the top left corner.
Note: Please ensure that users have rights in both MRS V1 and V2.
Example: Administrator grants MRS role of Site Owner plus access rights
The MRS role of Site Owner has certain privileges and is especially important for business relationships where Service Networks and Device Networks belong to different legal entities. Assignment of this role follows the same approach as outlined above: in MRS V1 the menu "Users" under the tile "User Management" is used to select the operation "Associate Roles" for the user Owner Munich, who already exists in the underlying MindSphere tenant.
Next we assign the organization structure the user may access via the button "Add Organizational Structure".
Then we assign the Site Munich under the Regional Tenant (i.e. sub-organization) to the user.
Given the exposed position of this role, a Site Owner needs access to all Devices available in their Site. Thus we select all Product Types and click "Select".
Finally, we assign the role ng.role.site_owner to user Owner Munich.
The overview page displays all grants given to the newly assigned Site Owner known as Owner Munich.
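To make the effect of the grants in the two user examples above tangible, here is an added illustrative model (not MRS code, and not MRS's real evaluation logic) of how Attribute Based Grants restrict what user.europe and Owner Munich can reach. It assumes a device is reachable only when it lies below a granted organizational node AND carries a granted Product Type; the devices PLC m02 and IPC s01 and the Product Type PLC are constructed for the example.

```python
from dataclasses import dataclass

# Constructed organizational tree mirroring this page's sample setup:
# root -> Europe -> Munich -> IPC m01. Node names are assumed unique.
DEVICES = {
    "IPC m01": {"path": ("root", "Europe", "Munich"), "product_type": "PC for any app"},
    "PLC m02": {"path": ("root", "Europe", "Munich"), "product_type": "PLC"},  # constructed
    "IPC s01": {"path": ("root", "Asia", "Shanghai"), "product_type": "PC for any app"},  # constructed
}

@dataclass
class Grant:
    roles: set            # MRS roles associated with the user
    org_nodes: set        # granted sub-trees, e.g. {"Europe"}
    product_types: set    # granted Product Types; "*" stands for "all" (Site Owner)

def in_subtree(device_path, org_nodes):
    """True if the device sits below any granted organizational node."""
    return any(node in device_path for node in org_nodes)

def may_access(grant, device):
    """Assumed evaluation: an MRS role is required, and both the organizational
    sub-tree grant and the Product Type grant must match the device."""
    if not grant.roles & {"ng.role.remote_user", "ng.role.site_owner"}:
        return False
    if not in_subtree(device["path"], grant.org_nodes):
        return False
    return "*" in grant.product_types or device["product_type"] in grant.product_types

USERS = {
    "user.europe":  Grant({"ng.role.remote_user"}, {"Europe"}, {"PC for any app"}),
    "Owner Munich": Grant({"ng.role.site_owner"}, {"Munich"}, {"*"}),
    "no.role":      Grant(set(), {"Europe"}, {"*"}),   # constructed: grants but no MRS role
}

def reachable_devices(user):
    """Names of the Devices the given user may work with, sorted."""
    return sorted(name for name, dev in DEVICES.items() if may_access(USERS[user], dev))

if __name__ == "__main__":
    for user in USERS:
        print(f"{user}: {reachable_devices(user)}")
```

Swapping the Regional Tenant or Product Type in a grant shows how the many:many isolation from the note at the top of this page is enforced: a second Machine Operator's sub-tree stays invisible unless it is explicitly granted.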