Remote Services: Set Up Users and Access
Within this section we outline how to create regional sub-organizations, which then contain Sites, which in turn represent Device Networks and their Devices. Next, we grant the RS-specific user rights to selected users as outlined in the process sketch below.
The setup and configuration of this documentation's reference tenant, its users, Sites and Devices can be found in chapter Sample Setup.
Unlike VPNs, which were designed for 1:1 connectivity, RS supports many:many connectivity. In such a setup two or more business partners and their networks may be involved. It is therefore important to set the access rights accordingly, so as to avoid unwanted mutual access, as suggested by the sketch below, which assumes one Service Provider (or OEM) servicing two Machine Operators and the Devices in their respective Device Networks.
Example: Administrator Creates a Regional Sub-Organization
As outlined in chapter Concepts Used and described in chapter Sample Setup, the topmost administrative level of an organization which purchased RS is the tenant's "root node". Below that there may be multiple sub-organizations (so-called Regional Tenants) and eventually Sites, which comprise the Devices that remote users or apps want to connect to.
We will start with creating a Regional Tenant named Europe using RS UI V1. So the tenant administrator opens the tile "Structure Management".
The context menu shows the available options; select "Add New".
Provide the name Europe and click "add to tree".
The Regional Tenant Europe is now available in the RS tree structure on the left of your screen. Further Regional Tenants may be added in a similar way.
Example: Administrator Creates a Site Representing a Device Network
Next, a tenant administrator creates a Site Munich within the already available Regional Tenant Europe. Select this Regional Tenant and click "Add Site" in the top right corner of this RS screen.
Fill in the mandatory and optional Site information and finalize this setup step with the "Save" button.
Example: Administrator Registers a Device with a Site
Select Site Munich from the tree on the left. Then click "New Device" in the top right corner of this screen's Device section.
The next screen allows you to specify mandatory and optional aspects of the new Device, such as its name (IPC m01) and its configuration as an Endpoint (or even as a gateway; see the chapter on Advanced Connections), plus further contact or location data.
You may also tag a Device with a Product Type (here: IPC for SCADA), which is created further below.
After pressing "Save" the newly created Device IPC m01 is available in the RS organization tree on the left. If needed, the Device setup may be edited.
Example: Administrator Creates a Product Type for Tagging PC-type Devices
Section Concepts Used outlines the Product Type approach, which allows filtering and access restriction of Devices tagged with a particular Product Type value. This setup is done by a tenant administrator within RS UI V1 using the tile "Structure Management" and then navigating to Product Type.
By using the context menu in the Product Type tree you may select "Add New" for creating a new type.
Here we create the type PC for any app, which we will use later to tag registered Devices accordingly.
After pressing "Add to tree" the new Product Type PC for any app shows up in the respective tree on the left.
Example: Administrator Grants Roles and Device-Specific Rights to a Registered User
Section Concepts Used outlines the RS-specific roles that may be assigned to users already registered in the Siemens cloud tenant to which RS was deployed. We now assign a user named user.europe the RS role of Remote User by using the "User Management" tile in RS UI V1 and then switching to the "Users" menu.
After opening or creating the user.europe the function "Associate Roles" allows for assigning RS-specific roles to that user. Here we select "ng.role.remote_user".
Next, we may assign "Attribute Based Grants" defining which parts of the organizational tree or which Product Types the user.europe may access.
After clicking "Add Organizational Structure" in the previous screen we may specify the organizational sub-tree (here: Europe), which this user may work with. Confirm the setup with the button "Select".
In a similar way we may grant access to Devices which are tagged with certain Product Types. In this particular case we select PC for any app, defined above, plus two others.
The updated access rights now show up. In a similar way we assign the RS-specific role ng.role.remote_user.
All access grants related to user.europe now show up in the list of Attribute Based Grants.
Info: If you use RS UI V2, you may check a user's RS-specific rights via the "users" icon in the top left corner.
Please ensure that users have rights both in RS V1 and V2.
Example: Administrator Grants the Role of Site Owner Plus Access Rights
The RS role of Site Owner has certain privileges and is especially important for business relationships where Service Networks and Device Networks belong to different legal entities.
Assignment of this role follows the same approach as outlined above: in RS UI V1 the menu "Users" under the tile "User Management" is used to select the operation "Associate Roles" for the user Owner Munich, who already exists in the underlying Siemens cloud tenant.
Next we assign the organization structure, which the user may access via the button "Add Organizational Structure".
Then we assign the Site Munich under the Regional Tenant (i.e. the sub-organization) to the user.
Because of this exposed position, a Site Owner needs access to all Devices in his or her Site. Thus we select all Product Types and click "Select".
Finally, we assign the role ng.role.site_owner to user Owner Munich.
The overview page displays all grants given to the newly assigned Site Owner known as Owner Munich.
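As an added illustration of how the roles and Attribute Based Grants from the two preceding examples combine (this is not Siemens RS code, only a model of the scoping rule described in this chapter: a Device is reachable when a grant covers both its organizational sub-tree and its Product Type; the second Regional Tenant Asia, the Site Shanghai and the Devices SCADA m02 and IPC s01 are constructed), the following Python computes which Devices user.europe and Owner Munich can reach:

```python
from dataclasses import dataclass, field

# Organizational tree as child -> parent. Europe/Munich are from this chapter;
# Asia/Shanghai are a constructed second Machine Operator (the many:many case).
PARENT = {"Europe": "root", "Munich": "Europe", "Asia": "root", "Shanghai": "Asia"}

# Device -> (Site, Product Type). IPC m01 is from the chapter; the others are constructed.
DEVICES = {
    "IPC m01": ("Munich", "PC for any app"),
    "SCADA m02": ("Munich", "IPC for SCADA"),
    "IPC s01": ("Shanghai", "PC for any app"),
}
ALL_PRODUCT_TYPES = frozenset(pt for _, pt in DEVICES.values())
RS_ROLES = {"ng.role.remote_user", "ng.role.site_owner"}

@dataclass(frozen=True)
class Grant:
    org_node: str             # sub-tree root chosen via "Add Organizational Structure"
    product_types: frozenset  # Product Types selected for this grant

@dataclass
class User:
    name: str
    roles: set
    grants: list = field(default_factory=list)

def scope_of(site):
    """Site plus every organizational node above it, up to the tenant root."""
    chain, node = [site], site
    while node in PARENT:
        node = PARENT[node]
        chain.append(node)
    return chain

def can_access(user, device):
    """True only if the user holds an RS role AND some grant covers the Device's sub-tree AND its Product Type."""
    if not user.roles & RS_ROLES:
        return False
    site, ptype = DEVICES[device]
    return any(g.org_node in scope_of(site) and ptype in g.product_types
               for g in user.grants)

def reachable_devices(user):
    return sorted(d for d in DEVICES if can_access(user, d))

# Constructed users mirroring the chapter; user.europe gets a single Product Type here
# (the chapter grants three) so that the Product Type filter is visible in the result.
USER_EUROPE = User("user.europe", {"ng.role.remote_user"},
                   [Grant("Europe", frozenset({"PC for any app"}))])
OWNER_MUNICH = User("Owner Munich", {"ng.role.site_owner"},
                    [Grant("Munich", ALL_PRODUCT_TYPES)])
```

The model shows the check a tenant administrator should repeat after every grant change: a user with a Regional Tenant grant never sees Devices of the other operator's tree, and a missing role leaves the user with no Devices even when a grant exists.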