Skip to content

MindSphere Remote Service: Setting Things Up - Users and Access

Within this section we outline how to create regional sub-organizations, which will then contain Sites, which in turn represent Device Networks and their Devices. Next, we grant respective MRS-specific user rights to selected users as outlined in the process sketch below.

Note: The setup and configuration of this documentation's reference tenant, its users, Sites and Devices can be found in chapter sample setup used in documentation.

Setting Up Users and Access Rights

Note: other than VPNs, which were designed for 1:1 connectivity, MRS supports many:many connectivity. In such a setup two or more business partners and their networks maybe involved. Thus it is important, to set the access rights accordingly to avoid unwanted mutual access as suggested by below sketch assuming one Service Provider (or OEM) servicing two Machine Operators and the devices in their respective Device Networks.

Access Right Considerations


Example: Administrator creates a Regional Sub-Organization

As outlined in section Concepts used in MRS and desribed in the setup of the sample setup used in this documentation the topmost administrative level of an organization, that purchased MRS, is the tenant's "root node". Below that there may be multiple sub-organizations (so-called Regional Tenants) and eventually Sites, which comprise Devices you want to connect to.

We will start with creating a Regional Tenant named Europe using MRS V1. So the tenant administrator opens the tile "Structure Management".

Admin creates region Europe

The context menu shows the different options - please select "Add New".

Admin creates region Europe

Provide the name Europe and click "add to tree".

Admin creates region Europe

The Regional Tenant Europe is now available in the MRS tree structure on the left of your screen. Further Regional Tenants may be added in a similar way.

Admin creates Regional Tenant Europe


Example: Administrator creates a Site representing a Device Network

Next any tenant administrator creates a Site Munich within the already available Regional Tenant Europe. Select this Regional Tenant and click "Add Site" in the top right corner of this MRS screen.

Admin creates Site Munich

Fill-in the mandatory or optional Site information and finalize this setup step with button "Save".

Admin creates Site Munich


Example: Administrator registers a Device with a Site

Select Site Munich from the tree on the left. Then click "New Device" in the top right corner of this screen's Device section.

Admin registers Device to Site

The next screen allows you to specify mandatory and optional aspects for the new Device, such as its name IPC m01 or its configuration as Endpoint (or even gateway, see section on Advanced connections) plus further contact or location data.

Admin registers Device to Site

You may also tag a Device with a Product Type (here: IPC for SCADA), which will be created further down below.

Admin registers Device to Site

After pressing "Save" the newly created Device IPC m01 is available in the MRS organization tree on the left. If needed, the Device setup may be edited.

Admin registers Device to Site


Example: Administrator creates a Product Type for access to PC-type Devices

Section Concepts used in MRS outlines Product Type, which allows for filtering and access restrictions to Devices tagged with a particular Product Type value. Such setup is done by a tenant administrator within MRS V1 using the tile "Structure Management" and then navigating to Product Type.

Admin creates Product Type for PCs

By using the context menu in the Product Type tree you may select "Add New" for creating a new type.

Admin creates Product Type for PCs

Here we use PC for any app, which we will use later on for tagging registered Devices accordingly.

Admin creates Product Type for PCs

After pressing "Add to tree" the new Product Type PC for any app shows up in the respective tree on the left.

Admin creates Product Type for PCs


Example: Administrator grants MRS- and Device-specific rights to a registered user

Section Concepts used in MRS outlines the MRS-specific roles, that may be assigned to users already registered to the MindSphere tenant to which MRS was deployed. We now assign a user named user.europe with the MRS role of Remote User by using the "User Management" tile on MRS V1 and then switching to the "Users" menu.

Admin assigns Remote User role

After opening or creating the user.europe the function "Associate Roles" allows for assigning MRS-specific roles to that user. Here we select "ng.role.remote_user".

Admin assigns Remote User role

Next, we may assign "Attribute Based Grants" defining which parts of the organizational tree or which Product Types the user.europe may access.

Admin assigns Remote User role

After clicking "Add Organizational Structure" in the previous screen we may specify the organizational sub-tree (here: Europe), which this user may work with. Confirm the setup with the button "Select".

Admin assigns Remote User role

In a similar way we may grant access to Devices, which are tagged with certain Product Types. In this particular case we select PC for any app defined above plus two other ones.

Admin assigns Remote User role

The already updated access rights now show up. In a similar way we assign the MRS specific role ng.role.remote_user.

Admin assigns Remote User role

All access grants related to user.europe now show up in the list of Attribute Based Grants.

Admin assigns Remote User role

Info: If you use MRS V2, you may check a user's MRS-specific rights via the "users" icon in the top left corner.

Note: Please ensure, that users have rights both in MRS V1 and V2.

Admin assigns Remote User role


Example: Administrator grants MRS role of Site Owner plus access rights

The MRS role of Site Owner has certain privileges and is important especially for business relationships, where Service Networks and Device Networks may belong to different legal entities.
Assignment of this role follows the same approach as outlined above: in MRS V1 the menu "Users" under tile "User Management" is used to select operation "Associate Roles" for the user Owner Munich already existing in the underlying MindSphere tenant.

Admin assigns Site Owner Role

Next we assign the organization structure, which the user may access via the button "Add Organizational Structure".

Admin assigns Site Owner Role

Then we assign the site Munich under the Regional Tenant (i.e. sub-organization) to the user.

Admin assigns Site Owner Role

Due to the exposed position a Site Owner needs access to all Devices available in his/her Site. Thus we select all Product Types and click on "Select".

Admin assigns Site Owner Role

Finally, we assign the role ng.role.site_owner to user Owner Munich.

Admin assigns Site Owner Role

The overview page displays all grants given to the newly assigned Site Owner known as Owner Munich.

Admin assigns Site Owner Role

Any questions left?

Ask the community


Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.


Last update: September 6, 2022