Skip to content

Roles and Scopes for Applications

This section describes the concepts of application specific roles and scopes (permissions) for securing applications. Additionally, it lists all available roles that are required for calling the Insights Hub APIs. Insights Hub provides an integrated positive security concept based on OAuth (using OAuth Bearer Tokens RFC 6750) that eliminates the need for implementing your own user and access management.

Concept Overview

Every application and API on Insights Hub is secured at the endpoint level. Users need the respective permissions to access these endpoints. Access is granted by assigning roles via the Settings application. Without this access, the application will not appear on the user's Launchpad after logging into Insights Hub or they cannot access the API.

The same security concept applies to custom applications on Insights Hub. Each application must provide at least one application specific role and one application specific scope to prevent unauthorized (but logged-in) users from accessing it.

Insights Hub manages access to applications and APIs through three main entities:

  • Scopes: A scope is the smallest entity that describes a single permission.
  • Roles: A role is a collection of multiple scopes. It can be assigned to a user or included in another role.
  • Tokens: A token contains all scopes for a specific authenticated user. It can be used by applications to verify if a user is allowed to access an endpoint.

Scopes

Scopes describe permissions, which are listed in the access token as named parameters. When accessing an endpoint or application within Insights Hub, the Insights Hub Identity and Access Management automatically add the required scopes to the access token if the respective user has access permission.

Scopes must adhere to the following naming convention: {application_name}.{scope}.

Roles

A role is a collection of scopes. It can either be assigned to a user via the Settings application or added to an application role to grant access to Insights Hub APIs. For example, add the core role mdsp:core:iot.timUser to your application role so the application can read time series data. This assignment makes all the scopes of the core role available in your application role.

Securing your own Application

Insights Hub provides the security concept using roles, scopes and tokens for every application. The most important aspects when developing custom applications are listed below:

  • Every application can have 1-5 application roles.
  • Insights Hub automatically generates two application roles for custom applications:
    • admin
    • user
  • Developers can replace or remove default roles and add custom application roles (within the aforementioned limits).
  • Application roles and scopes are not version specific and can only be managed at the application level.
  • When handing an application over to an operator tenant, the currently available application roles and scopes are applied.

Access Control

Insights Hub does not restrict access to custom applications. It only provides an access token with application specific scopes available for the current user. If you define application specific scopes to protect a functionality or endpoint, you must also implement a verification to check if the scope is present in the provided token. Refer to the Authentication and Authorization section.

Creating a Custom Application Role

  1. Open the "Developer Cockpit" from the Launchpad and select the "Authorization Management" tab.
  2. Switch to the "App Roles" sub-tab.
  3. Select the desired application.
  4. Select the "Roles" tab.
  5. Enter at least a role name and description.

Hint

The following restrictions will apply for scopes and roles:
- A maximum of 30 lowercase letters are allowed in the "Role" names.
- A maximum of 255 characters are allowed in "Descriptions".

Custom application roles are created using the following scheme:

mdsp:{tenant_name}:{application_name}.{role_name}
mdsp:my_tenant:my_app.tester

6.Click "Save".

If the application is in the "Registered" state, the changes or removal of application roles are reflected only in the Settings application.

Assigning an application role

The application roles will appear only in the Settings application upon registering the application in the Developer Cockpit. If a role is assigned to a user, the application will be available on their Launchpad when they log in next time.

Accessing Insights Hub APIs

If your application requires access to the Insights Hub API, the respective core role must be added to one of your application roles. The required scopes for calling a specific endpoint are documented in the respective API specification. A list of all Insights Hub core roles and the scopes they provide is given below.

Example

The following example shows how to enable reading access to assets and time series data for an application time_series_viewer on a tenant with the name my_tenant.

  1. Open the "DevOps Cockpit" from the Launchpad and click "Application List" in the Quick Links section.
  2. Select the application and choose the version of your choice.
  3. Click "See Details" and select the "Access" tab. By default, the application scope with the "Admin" role (mdsp:my_tenant:time_series_viewer.admin) is automatically added to the application and this role is displayed as admin.
  4. Define an application scope time_series_viewer.all that grants access to every endpoint (/**).
  5. Assign this scope to the admin role.
  6. Click "Add API Role" in the "API Roles" and add the mdsp:core:assetmanagement:reporter role for accessing the Asset Management API. This is the Reporter role for Asset Management, which grants read access to assets.
  7. Click "Add API Role" in the "API Roles" and add the mdsp:core:iot.timUser role for accessing the Time Series API. This is the User role for the Time Series Services, which grants read access to Time Series data.
  8. Click "Configure".

Available Roles of APIs

This section lists all the core roles of Insights Hub APIs and the scopes they provide. Custom applications can use Insights Hub APIs only if the respective scopes are provided. This can be achieved either implicitly via technical users or by adding the core roles to the application roles.

Agent Management

Definition of roles and permissions for Agent Management. The specific permissions for each role are explained below.

mdsp:core:agm.fullaccess

This role grants all read and write access to the Agent Management APIs.

Scope Description
agm.c Create agent resources.
agm.d Delete agent resources.
agm.r Read agent resources.
agm.u Update agent resources.
dsc.r Read the data source configuration of an agent.
dsc.u Update the source configuration of an agent.
obc.r Read the onboarding status.
obc.sec Access to offboarding and onboarding material.

mdsp:core:agm.readonly

This role grants read-only access to the Agent Management APIs.

Scope Description
agm.r Read agent resources.
dsc.r Read the data source configuration of an agent.
obc.r Read the onboarding status.

Agent Access Token

The "Scopes" of the role mdsp:core:DefaultAgent are described below:

Scope Description API Used
exc.w Exchange data. MindConnect
map.c Create a mapping. MindConnect
map.r Read a mapping. MindConnect
map.d Delete a mapping. MindConnect
evt.map.c Create an event mapping. MindConnect
evt.map.r Read an event mapping. MindConnect
evt.map.u Update an event mapping. MindConnect
evt.map.d Delete an event mapping. MindConnect
da.c Create diagnostic activation. MindConnect
da.r Read diagnostic activation. MindConnect
da.u Update diagnostic activation. MindConnect
da.d Delete diagnostic activation. MindConnect
da.m.r Read diagnostic messages of activation. MindConnect
dsc.r Read the data source configuration of an agent. Agent Management
dsc.u Update the data source configuration of an agent. Agent Management
iot.tim.w Write timeseries data. IOT Time Series
iot.fil.w Write file. IOT File
iot.fil.l List files. IOT File
em.c Create events. Event Management
em.et.r Read event types. Event Management
asm.r Read assets. Asset Management
atm.r Read asset types. Asset Management
atm.apt.r Read aspect types. Asset Management
dl.ds.w Write data to the data lake. Integrated Data Lake

Asset Management

Definition of roles and permissions for Asset Management. The specific permissions for each role are explained below.

mdsp:core:assetmanagement.admin

The "Admin" role allows users to create, read, update or delete assets, asset types, aspect types and images in the Asset Management Service.

Scope Description
asm.c Create assets.
asm.d Delete assets.
asm.f.d Delete files.
asm.f.r Read files.
asm.f.w Create or update files.
asm.fa.d Delete files assignments.
asm.fa.w Assign files to assets.
asm.h.d Delete hierarchy type assets.
asm.h.w Create or update hierarchy type assets.
asm.ia.d Delete image assignments.
asm.loc.d Delete locations.
asm.loc.w Create or update locations.
asm.m Move assets.
asm.r Read assets.
asm.rep.r Read reports.
asm.rh.d Delete root assets.
asm.rh.w Create or update root assets.
asm.u Update assets.
atm.apt.d Delete aspect types.
atm.apt.r Read aspect types.
atm.apt.w Create or update aspect types.
atm.fa.d Delete file assignments.
atm.fa.w Assign files to asset types.
atm.d Delete asset types.
atm.r Read asset types.
atm.w Create or update asset types.

mdsp:core:assetmanagement.standarduser

The "Standard" user role allows users to read or update assets and images, as well as read asset types and aspect types in the Asset Management Service.

Scope Description
asm.f.d Delete files.
asm.f.r Read files.
asm.f.w Create or update files.
asm.fa.d Delete file assignments.
asm.fa.w Assign files to assets.
asm.h.d Delete hierarchy type assets.
asm.h.w Create or update hierarchy-type assets.
asm.loc.d Delete locations.
asm.loc.w Create or update locations.
asm.m Move assets.
asm.r Read assets.
asm.u Update assets.
atm.apt.r Read aspect types.
atm.r Read asset types.

mdsp:core:assetmanagement.subtenantuser

The "SubTenant" user role allows users to read asset and aspect types, read or update assets, and also read, update or delete images in the Asset Management Service.

Scope Description
asm.f.d Delete files.
asm.f.r Read files.
asm.f.w Create or update files.
asm.fa.d Delete file assignments.
asm.fa.w Assign files to assets.
asm.h.d Delete hierarchy-type assets.
asm.h.w Create or update hierarchy-type assets.
asm.loc.d Delete locations.
asm.loc.w Create or update locations.
asm.m Move assets.
asm.r Read assets.
asm.rh.d Delete root assets.
asm.rh.w Create or update root assets.
atm.apt.r Read aspect types.
atm.r Read asset types.

mdsp:core:assetmanagement.reporter

The "Reporter" role allows users to read assets, asset types, aspect types and files in the Asset Management Service.

Scope Description
asm.f.r Read files.
asm.r Read assets.
atm.apt.r Read aspect types.
atm.r Read asset types.

Data Exchange Service

Definition of roles and permissions for the Data Exchange Service.

mdsp:core:dataexch.user

The "Role" allows tenants to upload, download and delete data.

Scope Description
pl.de.r List folder contents and download data.
pl.de.w Upload and delete data. It implies the pl.de.r.

Deployment Workflow Service

Definition of roles and permissions for Device Configuration. The specific permissions for each role are explained below.

mdsp:core:dwf.fullaccess

This role grants all read and write access to the Deployment Workflow Service.

Scope Description
dinv.r Read devices.
dwf.cmd.c Create new commands.
dwf.wfinst.c Create new workflow instances.
dwf.wfinst.r Read workflow instances.
dwf.wfinst.u Update workflow instances.
dwf.wfmodels.c Create new workflow models.
dwf.wfmodels.d Delete workflow models.
dwf.wfmodels.r Read workflow models.

mdsp:core:dwf.readonly

This role grants read-only access to the Deployment Workflow Service.

Scope Description
dinv.r Read devices.
dwf.wfinst.r Read workflow instances.
dwf.wfmodels.r Read workflow models.

Device Configuration

Definition of roles and permissions for Device Configuration.

mdsp:core:deviceconfiguration.fullaccess

This role grants all read and write access to the Device Configuration APIs.

Scope Description
dcfiles.c Create device configuration files.
dcfiles.d Delete device configuration files and revisions.
dcfiles.r Read device configuration files and revisions.
dcfiles.u Update device configuration files and revisions.
dvccfg.c Create new device configuration jobs.
dvccfg.d Delete device configuration jobs and configuration status.
dvccfg.r Read device configuration jobs and configuration status.
dvccfg.u Update device configuration jobs and configuration status.

mdsp:core:deviceconfiguration.readonly

This role grants read-only access to the Device Configuration APIs.

Scope Description
dcfiles.r Read device configuration files and revisions.
dvccfg.r Read device configuration jobs and configuration status.

Device Management

Definition of roles and permissions for Device Management.

mdsp:core:devicemanagement.devicetypeadmin

This role grants all read and write access to the Device Management APIs for Device Types.

Scope Description
dvctyp.c Create device types.
dvctyp.d Delete device types.
dvctyp.r Read device types.
dvctyp.u Update device types.

mdsp:core:devicemanagement.deviceadmin

This role grants all read and write access to the Device Management APIs for Device Instances.

Scope Description
dinv.c Create new devices.
dinv.d Delete devices.
dinv.r Read devices.
dinv.u Update devices.
sinv.c Create entries in the software inventory.
sinv.d Delete entries in the software inventory.
sinv.r Read entries in the software inventory.
sinv.u Update entries in the software inventory.

mdsp:core:devicemanagement.devicetypereadonly

This role grants read-only access to the Device Management APIs for Device Types.

Scope Description
dvctyp.r Read device types.

mdsp:core:devicemanagement.devicereadonly

This role grants read-only access to the Device Management APIs for Device Instances.

Scope Description
dinv.r Read devices.
sinv.r Read entries in the software inventory.

Device Status

Definition of roles and permissions for Device Status.

mdsp:core:devicestatus.fullaccess

This role grants all read and write access to the Device Status APIs.

Scope Description
dhlt.c Create device status information.
dhlt.d Delete device status information.
dhlt.r Read device status information.
dhlt.u Update device status information.
sinv.c Create entries in the software inventory.
sinv.d Delete entries in the software inventory.
sinv.r Read entries in the software inventory.
sinv.u Update entries in the software inventory.

mdsp:core:devicestatus.readonly

This role grants read-only access to the Device Status APIs.

Scope Description
dhlt.r Read device status information.
sinv.r Read entries in the software inventory.

Edge App Deployment Service

Definition of roles and permissions for MindConnect Open Edge App Deployment.

mdsp:core:eadplymng.fullaccess

This role grants all read and write access to Edge App Deployment.

Scope Description
apptrmsandcnd.c Create new terms and conditions documents.
apptrmsandcnd.d Delete the terms and conditions documents.
apptrmsandcnd.r Read the terms and conditions documents.
apptrmsandcnd.u Update the terms and conditions documents.
docmng.r Read document bundles and documents.
edgeappdplymnt.c Create new Edge app deployment jobs.
edgeappdplymnt.d Delete Edge app deployment jobs.
edgeappdplymnt.r Read Edge app deployment jobs.
edgeappdplymnt.u Update Edge app deployment jobs.
edgerlsmng.r Read Edge application products and releases.
jbcntl.c Create new Edge deployment jobs for devices.
jbcntl.d Delete Edge deployment jobs for devices.
jbcntl.r Read Edge deployment jobs for devices.
jbcntl.u Update Edge deployment jobs for devices.

mdsp:core:eadplymng.readonly

This role grants read-only access to Edge App Deployment.

Scope Description
apptrmsandcnd.r Read the terms and conditions documents for Edge app deployment.
edgeappdplymnt.r Read Edge app deployment jobs.
jbcntl.r Read Edge deployment jobs for devices.

Edge App Instance Management Service

Definition of roles and permissions for the MindConnect Open Edge App Instance Management.

mdsp:core:eacfgmng.fullaccess

This role grants all read and write access to Edge app configuration management.

Scope Description
edgeconfmng.c Create configurations of Edge app instances.
edgeconfmng.d Delete the configurations of Edge app instances.
edgeconfmng.r Read the configurations of Edge app instances.
edgeconfmng.u Update the configurations of Edge app instances.

mdsp:core:eacfgmng.readonly

This role grants read-only access to Edge app configuration management.

Scope Description
docmng.r Read document bundles and documents.
edgeconfmng.r Read the configurations of Edge app instances.

mdsp:core:ealmng.fullaccess

This role grants all read and write access to Edge app lifecycle management.

Scope Description
edgelifecyclemng.c Create Edge app instances.
edgelifecyclemng.d Delete Edge app instances.
edgelifecyclemng.r Read Edge app instances.
edgelifecyclemng.u Update Edge app instances.

mdsp:core:ealmng.readonly

This role grants all read and write access for Edge app lifecycle management.

Scope Description
docmng.r Read document bundles and documents.
edgerlsmng.r Read application products and releases.

Event Management

Definition of roles and permissions for Event Management.

mdsp:core:em.eventcreator

This role grants access to create, read and update events in the Event Management system.

Scope Description
em.c Create events.
em.et.r Read event types.
em.r Read events.
em.u Update events.
emds.ent.r Read entities via the Entity Master Data Service.

mdsp:core:em.eventmanager

This role grants access to manage everything in the Event Management system.

Scope Description
em.c Create events.
em.d Delete events.
em.et.c Create event types.
em.et.d Delete event types.
em.et.r Read event types.
em.et.u Update event types.
em.r Read events.
em.u Update events.
emds.ent.r Read entities via the Entity Master Data Service.

mdsp:core:em.eventviewer

This role grants access to read events and event types in the Event Management system.

Scope Description
em.r Read events.
em.et.r Read event types.

Firmware Deployment

Definition of roles and permissions for Firmware Deployment.

mdsp:core:frmdpylmnt.fullaccess

This role grants all read and write access to Firmware Deployment.

Scope Description
dinv.r Read devices.
docmng.r Read document bundles and documents.
dwf.wfinst.c Create new workflow instances.
dwf.wfinst.r Read workflow instances.
dwf.wfinst.u Update workflow instances.
fwdplymnt.c Create new deployment jobs.
fwdplymnt.d Delete deployment jobs.
fwdplymnt.r Read deployment jobs.
fwdplymnt.u Update deployment jobs.
fwmng.r Read firmware for devices.
jbcntl.c Create new deployment jobs for devices.
jbcntl.d Delete deployment jobs for devices.
jbcntl.r Read deployment jobs for devices.
jbcntl.u Update deployment jobs for devices.
trmsandcnd.c Create terms and conditions documents.
trmsandcnd.d Delete the terms and conditions documents.
trmsandcnd.r Read the terms and conditions documents.
trmsandcnd.u Update the terms and conditions documents.

scopes from mdsp:core:dvcinv.readonly

mdsp:core:frmdpylmnt.readonly

This role grants read-only access to Firmware Deployment.

Scope Description
dinv.r Read devices.
dwf.wfinst.r Read workflow instances.
fwdplymnt.r Read deployment jobs for firmware deployment.
fwmng.r Read firmware for devices.
jbcntl.r Read deployment jobs for devices.
trmsandcnd.r Read the terms and conditions documents for firmware deployment.

Identity Management

The Identity Management service serves to manage all authorization-related functionality.

mdsp:core:im.meIamViewer

This role grants access to the current user's information, including assigned roles in the tenant's user IAM system.

Scope Description
im.usr.me Read your own user details.

mdsp:core:im.userIamAdmin

This role grants administrative access (read and write) to a tenant's user IAM system.

Scope Description
im.dg.c Create data groups.
im.dg.d Delete data groups.
im.g.c Create groups.
im.g.d Delete groups.
im.g.r Read groups.
im.g.u Update groups.
im.ug.c Create user groups (here: sub-tenants).
im.ug.d Delete user groups (here: sub-tenants).
im.ug.r Read user groups (here: sub-tenants).
im.usr.c Create users.
im.usr.d Delete users.
im.usr.me Read your own user details.
im.usr.r Read users.
im.usr.u Update users.

mdsp:core:im.userIamViewer

This role grants read-only access to a tenant's user IAM system.

Scope Description
im.g.r Read groups.
im.ug.r Read user groups (here: sub-tenants).

Integrated Data Lake

Definition of roles and permissions for the Integrated Data Lake.

mdsp:core:dl.dsUser

This role grants read, write and delete access to the Integrated Data Lake API, comprising data object, event and time series import operations.

Scope Description
dl.ds.r Read data staging.
dl.ds.w Write data staging.
dl.ds.d Delete data staging.
dl.da.r Read data access.
dl.dat.r Read data access token.
dl.de.r Read event subscription.
dl.de.w Create an event subscription.
dl.de.d Delete the event subscription.
dl.tsi.w Create a time series import.
dl.tsi.d Delete time series import jobs.
dl.tsi.r Read time series imports.

mdsp:core:dl.dsAdmin

This role grants full administrative access to the Integrated Data Lake API, including cross-account operations.

Scope Description
dl.ds.r Read data staging.
dl.ds.w Write data staging.
dl.ds.d Delete data staging.
dl.da.r Read data access.
dl.da.d Delete data access.
dl.dat.r Read data access token.
dl.de.r Read event subscription.
dl.de.w Create an event subscription.
dl.de.d Delete the event subscription.
dl.tsi.w Create a time series import.
dl.da.w Create a cross account.
dl.tsi.d Delete time series import jobs.
dl.tsi.r Read time series imports.
dl.dat.w Enable data access token permission.
dl.dat.d Delete data access token permission.

mdsp:core:idlmanager.readuser

This role grants read-only access to the Integrated Data Lake API.

Scope Description
dl.ds.r Read data staging.
dl.da.r Read data access.
dl.dat.r Read data access token.
dl.de.r Read event subscription.
dl.tsi.r Read time series imports.

IoT File Service

Definition of roles and permissions for the IoT File Service.

mdsp:core:iot.filAdmin

This role grants read, write and delete access to files.

Scope Description
iot.fil.d Delete file.
iot.fil.r Read file.
iot.fil.w Write file.

mdsp:core:iot.filUser

This role grants read-only access to files.

Scope Description
iot.fil.r Read file.

IoT Time Series

Definition of roles and permissions for the IoT Time Series Services.

mdsp:core:iot.timAdmin

This role grants read, write and delete access to time series.

Scope Description
iot.tim.d Delete time series.
iot.tim.r Read time series.
iot.tim.w Write a time series.

mdsp:core:iot.timUser

This role grants read-only access to time series.

Scope Description
iot.tim.r Read time series.
iot.bts.r Read bulk time series.

IoT Time Series Bulk Service

Definition of roles and permissions for the IoT Time Series Bulk Services.

mdsp:core:iot.bulkTimUser

This role grants access to read bulk time series data and fetch the job status of bulk ingest jobs.

Scope Description
iot.bts.r Read bulk time series.

mdsp:core:iot.bulkTimAdmin

This role grants access to submitting bulk ingest jobs, reading bulk time series data and fetching the job status of bulk ingest jobs.

Scope Description
iot.bi.r Read bulk time series job status.
iot.bi.w Write a bulk time series for job processing.
iot.bts.r Read bulk time series.
iot.sds.marker Verify tenant admin during SDS validation.

IoT Time Series Aggregates

Definition of roles and permissions for IoT Time Series Aggregates API roles.

mdsp:core:iot.tsaUser

This role grants access to time series aggregates.

Scope Description
iot.tsa.r Read time series aggregations.

Job Manager Service

Definition of roles and permissions for Job Manager Service.

mdsp:core:jobmgr.user

Scope Description
prl.jm.e Execute, start, stop or schedule jobs in the Job Manager API.
prl.jm.h Query the history of executions in the Job Manager API.

MindConnect API

Definition of roles and permissions for the MindConnect API.

mdsp:core:mindconnect.fullaccess

This role grants read and write access to the MindConnect APIs.

Scope Description
da.c Create diagnostic activation.
da.d Delete diagnostic activation.
da.r Read diagnostic activation information.
di.r Read the diagnostic data.
da.m.r Read one or all diagnostic messages of a specific activation resource.
map.c Create mapping.
map.d Delete a mapping.
map.r Read a mapping.
rec.c Replay the recoverable record.
rec.r Read the recoverable record.
rec.d Delete the recoverable record.
evt.map.c Create event mapping.
evt.map.r Read the event mapping.
evt.map.u Update the event mapping.
evt.map.d Delete the event mapping.

mdsp:core:mindconnect.readonly

This role grants read-only access to the Agent Management APIs.

Scope Description
da.r Read diagnostic activation information.
di.r Read the diagnostic data.
da.m.r Read one or all diagnostic messages of a specific activation resource.
map.r Read a mapping.
rec.r Read the recoverable record.
evt.map.r Read the event mapping.

Native MQTT API (Deprecated)

Caution

The native MQTT API is deprecated. It is recommended to use the MindConnect MQTT API instead.

Definition of roles and permissions for the Native MQTT API.

mdsp:core:nativemqtt.fullaccess

This role grants read and write access to the Native MQTT API.

Scope Description
nmq.c.c Upload a CA certificate.
nmq.c.r Read the CA certificate and registration code.
nmq.c.d Delete a CA certificate.
nmq.t.r Read configuration.

mdsp:core:nativemqtt.readonly

This role grants read-only access to the Native MQTT API.

Scope Description
nmq.c.r Read the CA certificate and registration code.

MindConnect MQTT API

Definition of roles and permissions for the MindConnect MQTT API.

mdsp:core:mindconnectmqtt.fullaccess

This role grants read and write access to the MindConnect MQTT API.

Scope Description
mcmq.c.c Upload a CA certificate.
mcmq.c.r Read the CA certificate and registration code.
mcmq.c.d Delete a CA certificate.
mcmq.t.r Read configuration.

mdsp:core:mindconnectmqtt.readonly

This role grants read-only access to the MindConnect MQTT API.

Scope Description
mcmq.c.r Read the CA certificate and registration code.

Commanding API

Definition of roles and permissions for the Commanding API.

mdsp:core:msg.fullaccess

This role grants read and write access to the Commanding APIs.

Scope Description
agm.r Read agent resources.
asm.r Read assets.
msg.c Create message job resources.
msg.r Read job message resources.
msg.u Update job message resources.
msg.d Delete job message resources.
msg.pub Publish messages to mqtt clients.

mdsp:core:msg.readonly

This role grants read-only access to the Commanding APIs.

Scope Description
msg.r Read job message resources.

mdsp:core:msg.defaultagent

The internal role grants read and acknowledge access to the Commanding APIs for the default agent.

Scope Description
msa.ack Acknowledge agent message resources.
msa.r Read agent message resources.

Model Management Service

This role grants users access to the Model Management APIs.

mdsp:core:amm.user

Scope Description
plr.amm.c Create a model.
plr.amm.r Read a model.
plr.amm.u Update a model.
plr.amm.d Delete a model.

Notification Service

Definition of roles and permissions for the Notification Service.

Note

Roles and scopes for the Notification Service are implicitly available to operator and developer tenants. Refer to the Notification Service.

mdsp:core:nose.mobileappuser

This role grants access to perform operations on mobile application instances.

Scope Description
nose.ai.r Read access on mobile application instance entities.
nose.ai.w Write access on mobile application instance entities.

Rules

Definition of roles and permissions for the Rules Service.

mdsp:core:oi.creator

Scope Description
rules.r Read rules.
rules.c Create rules.
rules.u Update rules.
rules.d Delete rules.

mdsp:core:oi.viewer

Scope Description
rules.r Read rules.

Data Contextualization

Definition of roles and permissions for the Data Contextualization Service.

mdsp:core:sdi.admin

This role grants all (read and write) access and administrative access to Data Contextualization APIs.

Scope Description
sdi.reg.r Read data registry information.
sdi.reg.w Create or update data registry information.
sdi.reg.d Delete data registry information.
sdi.dip.w Start the data ingest process.
sdi.dip.r Read the job status for the data ingest process.
sdi.dqp.r Read the data query result.
sdi.dqp.w Create a data query.
sdi.dqp.x Execute a data query.
sdi.dqp.d Delete a data query.
sdi.dqp.e Create or get query execution jobs.
sdi.smd.w Create a semantic data model.
sdi.smd.r Read a semantic data model.
sdi.smd.d Delete a semantic data model.

mdsp:core:sdi.enduser

This role grants end-user query access to SDI APIs.

Scope Description
sdi.dqp.r Read data query result.
sdi.dqp.x Execute a data query.
sdi.dqp.e Create or get query execution jobs.

mdsp:core:sdi.semanticuser

This role grants access to semantic models and semantic core SDI APIs.

Scope Description
sdi.smd.w Create a semantic data model
sdi.smd.r Read a semantic data model
sdi.smd.d Delete a semantic data model
sdi.dqp.e Create or get query execution jobs

Spectrum Analysis Service

Definition of roles and permissions for the Spectrum Analysis service.

mdsp:core:spectrumanalysis.fft.user

This is the base role for using the Spectrum Analysis service.

Scope Description
as.sa.fft Use the Spectrum Analysis API.

Tenant Management Service

Definition of roles and permissions for the Tenant Management Service.

mdsp:core:tm.tenantAdmin

This role grants full administrative access to the respective tenant.

Scope Description
tm.li.c Create legal information.
tm.li.d Delete legal information.
tm.li.r Read legal information.
tm.li.u Update legal information.
tm.st.c Create subtenants.
tm.st.d Delete subtenants.
tm.st.r Read subtenants.
tm.st.u Update subtenant.

mdsp:core:tm.tenantUser

This role grants permissions for standard tenant users.

Usage Transparency Service

Definition of roles and permissions for the Usage Transparency Service.

mdsp:core:uts.analyst

This role allows tenants to see usage data.

Scope Description
uts.qi Access to quota information.
uts.rc Access to the report console.
uts.ri Access to request usage information.
uts.su Access to send usage information.

Resource Access Management Service

Definition of roles and permissions for the Resource Access Management Service.

mdsp:core:ram.papAdmin

This role grants admin access to the Resource Access Management (RAM) Policy Administration API for managing policies, roles and policy assignments.

Scope Description
ram.p.c Create policies.
ram.p.r View policies.
ram.p.u Update policies.
ram.p.d Delete policies.

mdsp:core:ram.papViewer

This role grants read-only access to the Resource Access Management (RAM) Policy Administration API.

Scope Description
ram.p.r View policies.

Case Management Service

Definition of roles and permissions for the Case Management Service.

mdsp:core:oi.wom.creator

This role allows for the creation of cases.

This is by default part of mdsp:core:TenantAdmin, mdsp:core:StandardUser, mdsp:core:oi.creator and mdsp:core:Admin3rdPartyTechUser.

Scope Description
oi.wom.c Create Case Management resources.
oi.wom.r Read Case Management resources.
oi.wom.u Update Case Management resources.
oi.wom.d Delete Case Management resources.

mdsp:core:oi.wom.viewer

This role allows viewing of cases.

Scope Description
oi.wom.r Read Case Management resources.
oi.wom.u Update Case Management resources assigned to the user.
oi.wom.d Delete Case Management resources.

Last update: October 10, 2024

Except where otherwise noted, content on this site is licensed under the Development License Agreement.