Roles and Scopes for Applications
This section describes the concepts of application specific roles and scopes (permissions) for securing applications. Additionally, it lists all available roles that are required for calling the Insights Hub APIs. Insights Hub provides an integrated positive security concept based on OAuth (using OAuth Bearer Tokens RFC 6750) that eliminates the need for implementing your own user and access management.
Concept Overview
Every application and API on Insights Hub is secured at the endpoint level. Users need the respective permissions to access these endpoints. Access is granted by assigning roles via the Settings application. Without this access, the application will not appear on the user's Launchpad after logging into Insights Hub or they cannot access the API.
The same security concept applies to custom applications on Insights Hub. Each application must provide at least one application specific role and one application specific scope to prevent unauthorized (but logged-in) users from accessing it.
Insights Hub manages access to applications and APIs through three main entities:
- Scopes: A scope is the smallest entity that describes a single permission.
- Roles: A role is a collection of multiple scopes. It can be assigned to a user or included in another role.
- Tokens: A token contains all scopes for a specific authenticated user. It can be used by applications to verify if a user is allowed to access an endpoint.
Scopes
Scopes describe permissions, which are listed in the access token as named parameters. When a user accesses an endpoint or application within Insights Hub, Insights Hub Identity and Access Management automatically adds the required scopes to the access token if that user has the corresponding permission.
Scopes must adhere to the following naming convention: {application_name}.{scope}.
Roles
A role is a collection of scopes. It can either be assigned to a user via the Settings application or added to an application role to grant access to Insights Hub APIs. For example, add the core role mdsp:core:iot.timUser to your application role so the application can read time series data. This assignment makes all the scopes of the core role available in your application role.
Securing your own Application
Insights Hub provides the security concept using roles, scopes and tokens for every application. The most important aspects when developing custom applications are listed below:
- Every application can have 1-5 application roles.
- Insights Hub automatically generates two application roles for custom applications:
  - admin
  - user
- Developers can replace or remove default roles and add custom application roles (within the aforementioned limits).
- Application roles and scopes are not version specific and can only be managed at the application level.
- When handing an application over to an operator tenant, the currently available application roles and scopes are applied.
Access Control
Insights Hub does not restrict access to custom applications. It only provides an access token with application specific scopes available for the current user. If you define application specific scopes to protect a functionality or endpoint, you must also implement a verification to check if the scope is present in the provided token. Refer to the Authentication and Authorization section.
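Insights Hub only places the user's scopes into the token; the check itself is the application's job. The following Python is an added example, not code from the page or from Insights Hub, of a deny-by-default check for the page's time_series_viewer.all scope that answers with the RFC 6750 error codes. It assumes the scopes arrive in a JWT "scope" claim (JSON list or space-separated string) and uses an HS256 signature with a local key as a constructed stand-in for the platform's signature verification so it runs offline.

```python
"""Added example (not code from the page or Insights Hub): a deny-by-default scope
check for a custom application, using the page's time_series_viewer.all scope.
Assumptions: the token is a JWT whose "scope" claim is a JSON list or a
space-separated string; the HS256 signature with a local key is a constructed
stand-in so the demo runs offline (a deployment verifies the platform's signature,
issuer and expiry behind the same `verify` callback)."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, FrozenSet, Optional, Tuple

APP_NAME = "time_series_viewer"   # application from the page's example
SCOPE_ALL = f"{APP_NAME}.all"     # the page's {application_name}.{scope} convention


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_demo_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT; stands in for the token the platform issues."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time HS256 check; the algorithm is fixed here, never read from the header."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, _b64url_decode(parts[2]))
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Token from an RFC 6750 'Authorization: Bearer <token>' header, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return token.strip() or None


def token_scopes(token: str) -> FrozenSet[str]:
    """Scopes from an already-verified token's payload; ValueError if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a claims object")
    raw = claims.get("scope", [])
    if isinstance(raw, str):
        raw = raw.split()
    if not isinstance(raw, list) or not all(isinstance(s, str) for s in raw):
        raise ValueError("scope claim has an unexpected shape")
    return frozenset(raw)


def authorize(authorization: Optional[str], required: str,
              verify: Callable[[str], bool]) -> Tuple[int, Dict[str, str]]:
    """Decide one request -> (HTTP status, response headers). Insights Hub only puts
    the scopes into the token; the application must check them itself. 401 when no
    usable token is presented, 403 (insufficient_scope, RFC 6750) when the token is
    valid but lacks `required`, 200 otherwise."""
    realm = f'realm="{APP_NAME}"'
    token = parse_bearer(authorization)
    if token is None:
        return 401, {"WWW-Authenticate": f"Bearer {realm}"}
    try:
        if not verify(token):
            raise ValueError("signature rejected")
        granted = token_scopes(token)
    except ValueError:
        return 401, {"WWW-Authenticate": f'Bearer {realm}, error="invalid_token"'}
    if required not in granted:
        return 403, {"WWW-Authenticate":
                     f'Bearer {realm}, error="insufficient_scope", scope="{required}"'}
    return 200, {}


if __name__ == "__main__":
    KEY = b"constructed-demo-key"
    # Constructed token for a user holding the app's admin role (time_series_viewer.all)
    # plus the core read scopes added in the page's example.
    admin = sign_demo_token({"sub": "alice", "scope": [SCOPE_ALL, "asm.r", "iot.tim.r"]}, KEY)
    print(authorize(f"Bearer {admin}", SCOPE_ALL, lambda t: verify_hs256(t, KEY))[0])  # 200
    print(authorize(None, SCOPE_ALL, lambda t: verify_hs256(t, KEY))[0])  # 401
```

A logged-in user of the same tenant who holds no application role still gets a token, so the 403 branch is the one that keeps such users out of protected endpoints.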
Creating a Custom Application Role
1. Open the "Developer Cockpit" from the Launchpad and select the "Authorization Management" tab.
2. Switch to the "App Roles" sub-tab.
3. Select the desired application.
4. Select the "Roles" tab.
5. Enter at least a role name and description.
Hint
The following restrictions apply to scopes and roles:
- A maximum of 30 lowercase letters is allowed in "Role" names.
- A maximum of 255 characters is allowed in "Descriptions".
Custom application roles are created using the following scheme:
mdsp:{tenant_name}:{application_name}.{role_name}
For example: mdsp:my_tenant:my_app.tester
6. Click "Save".
If the application is in the "Registered" state, the changes or removal of application roles are reflected only in the Settings application.
Assigning an application role
The application roles will appear only in the Settings application upon registering the application in the Developer Cockpit. If a role is assigned to a user, the application will be available on their Launchpad when they log in next time.
Accessing Insights Hub APIs
If your application requires access to the Insights Hub API, the respective core role must be added to one of your application roles. The required scopes for calling a specific endpoint are documented in the respective API specification. A list of all Insights Hub core roles and the scopes they provide is given below.
Example
The following example shows how to enable read access to assets and time series data for an application time_series_viewer on a tenant with the name my_tenant.
1. Open the "DevOps Cockpit" from the Launchpad and click "Application List" in the Quick Links section.
2. Select the application and choose the version of your choice.
3. Click "See Details" and select the "Access" tab. By default, the application scope with the "Admin" role (mdsp:my_tenant:time_series_viewer.admin) is automatically added to the application and this role is displayed as admin.
4. Define an application scope time_series_viewer.all that grants access to every endpoint (/**).
5. Assign this scope to the admin role.
6. Click "Add API Role" in the "API Roles" section and add the mdsp:core:assetmanagement.reporter role for accessing the Asset Management API. This is the Reporter role for Asset Management, which grants read access to assets.
7. Click "Add API Role" in the "API Roles" section and add the mdsp:core:iot.timUser role for accessing the Time Series API. This is the User role for the Time Series Services, which grants read access to time series data.
8. Click "Configure".
Available Roles of APIs
This section lists all the core roles of Insights Hub APIs and the scopes they provide. Custom applications can use Insights Hub APIs only if the respective scopes are provided. This can be achieved either implicitly via technical users or by adding the core roles to the application roles.
Agent Management
Definition of roles and permissions for Agent Management. The specific permissions for each role are explained below.
mdsp:core:agm.fullaccess
This role grants all read and write access to the Agent Management APIs.
Scope | Description |
---|---|
agm.c | Create agent resources. |
agm.d | Delete agent resources. |
agm.r | Read agent resources. |
agm.u | Update agent resources. |
dsc.r | Read the data source configuration of an agent. |
dsc.u | Update the source configuration of an agent. |
obc.r | Read the onboarding status. |
obc.sec | Access to offboarding and onboarding material. |
mdsp:core:agm.readonly
This role grants read-only access to the Agent Management APIs.
Scope | Description |
---|---|
agm.r | Read agent resources. |
dsc.r | Read the data source configuration of an agent. |
obc.r | Read the onboarding status. |
Agent Access Token
The scopes of the role mdsp:core:DefaultAgent are described below:
Scope | Description | API Used |
---|---|---|
exc.w | Exchange data. | MindConnect |
map.c | Create a mapping. | MindConnect |
map.r | Read a mapping. | MindConnect |
map.d | Delete a mapping. | MindConnect |
evt.map.c | Create an event mapping. | MindConnect |
evt.map.r | Read an event mapping. | MindConnect |
evt.map.u | Update an event mapping. | MindConnect |
evt.map.d | Delete an event mapping. | MindConnect |
da.c | Create diagnostic activation. | MindConnect |
da.r | Read diagnostic activation. | MindConnect |
da.u | Update diagnostic activation. | MindConnect |
da.d | Delete diagnostic activation. | MindConnect |
da.m.r | Read diagnostic messages of activation. | MindConnect |
dsc.r | Read the data source configuration of an agent. | Agent Management |
dsc.u | Update the data source configuration of an agent. | Agent Management |
iot.tim.w | Write timeseries data. | IOT Time Series |
iot.fil.w | Write file. | IOT File |
iot.fil.l | List files. | IOT File |
em.c | Create events. | Event Management |
em.et.r | Read event types. | Event Management |
asm.r | Read assets. | Asset Management |
atm.r | Read asset types. | Asset Management |
atm.apt.r | Read aspect types. | Asset Management |
dl.ds.w | Write data to the data lake. | Integrated Data Lake |
Asset Management
Definition of roles and permissions for Asset Management. The specific permissions for each role are explained below.
mdsp:core:assetmanagement.admin
The "Admin" role allows users to create, read, update or delete assets, asset types, aspect types and images in the Asset Management Service.
Scope | Description |
---|---|
asm.c | Create assets. |
asm.d | Delete assets. |
asm.f.d | Delete files. |
asm.f.r | Read files. |
asm.f.w | Create or update files. |
asm.fa.d | Delete file assignments. |
asm.fa.w | Assign files to assets. |
asm.h.d | Delete hierarchy type assets. |
asm.h.w | Create or update hierarchy type assets. |
asm.ia.d | Delete image assignments. |
asm.loc.d | Delete locations. |
asm.loc.w | Create or update locations. |
asm.m | Move assets. |
asm.r | Read assets. |
asm.rep.r | Read reports. |
asm.rh.d | Delete root assets. |
asm.rh.w | Create or update root assets. |
asm.u | Update assets. |
atm.apt.d | Delete aspect types. |
atm.apt.r | Read aspect types. |
atm.apt.w | Create or update aspect types. |
atm.fa.d | Delete file assignments. |
atm.fa.w | Assign files to asset types. |
atm.d | Delete asset types. |
atm.r | Read asset types. |
atm.w | Create or update asset types. |
mdsp:core:assetmanagement.standarduser
The "Standard" user role allows users to read or update assets and images, as well as read asset types and aspect types in the Asset Management Service.
Scope | Description |
---|---|
asm.f.d | Delete files. |
asm.f.r | Read files. |
asm.f.w | Create or update files. |
asm.fa.d | Delete file assignments. |
asm.fa.w | Assign files to assets. |
asm.h.d | Delete hierarchy type assets. |
asm.h.w | Create or update hierarchy-type assets. |
asm.loc.d | Delete locations. |
asm.loc.w | Create or update locations. |
asm.m | Move assets. |
asm.r | Read assets. |
asm.u | Update assets. |
atm.apt.r | Read aspect types. |
atm.r | Read asset types. |
mdsp:core:assetmanagement.subtenantuser
The "SubTenant" user role allows users to read asset and aspect types, read or update assets, and also read, update or delete images in the Asset Management Service.
Scope | Description |
---|---|
asm.f.d | Delete files. |
asm.f.r | Read files. |
asm.f.w | Create or update files. |
asm.fa.d | Delete file assignments. |
asm.fa.w | Assign files to assets. |
asm.h.d | Delete hierarchy-type assets. |
asm.h.w | Create or update hierarchy-type assets. |
asm.loc.d | Delete locations. |
asm.loc.w | Create or update locations. |
asm.m | Move assets. |
asm.r | Read assets. |
asm.rh.d | Delete root assets. |
asm.rh.w | Create or update root assets. |
atm.apt.r | Read aspect types. |
atm.r | Read asset types. |
mdsp:core:assetmanagement.reporter
The "Reporter" role allows users to read assets, asset types, aspect types and files in the Asset Management Service.
Scope | Description |
---|---|
asm.f.r | Read files. |
asm.r | Read assets. |
atm.apt.r | Read aspect types. |
atm.r | Read asset types. |
Data Exchange Service
Definition of roles and permissions for the Data Exchange Service.
mdsp:core:dataexch.user
This role allows tenants to upload, download and delete data.
Scope | Description |
---|---|
pl.de.r | List folder contents and download data. |
pl.de.w | Upload and delete data. This implies pl.de.r. |
Deployment Workflow Service
Definition of roles and permissions for the Deployment Workflow Service. The specific permissions for each role are explained below.
mdsp:core:dwf.fullaccess
This role grants all read and write access to the Deployment Workflow Service.
Scope | Description |
---|---|
dinv.r | Read devices. |
dwf.cmd.c | Create new commands. |
dwf.wfinst.c | Create new workflow instances. |
dwf.wfinst.r | Read workflow instances. |
dwf.wfinst.u | Update workflow instances. |
dwf.wfmodels.c | Create new workflow models. |
dwf.wfmodels.d | Delete workflow models. |
dwf.wfmodels.r | Read workflow models. |
mdsp:core:dwf.readonly
This role grants read-only access to the Deployment Workflow Service.
Scope | Description |
---|---|
dinv.r | Read devices. |
dwf.wfinst.r | Read workflow instances. |
dwf.wfmodels.r | Read workflow models. |
Device Configuration
Definition of roles and permissions for Device Configuration.
mdsp:core:deviceconfiguration.fullaccess
This role grants all read and write access to the Device Configuration APIs.
Scope | Description |
---|---|
dcfiles.c | Create device configuration files. |
dcfiles.d | Delete device configuration files and revisions. |
dcfiles.r | Read device configuration files and revisions. |
dcfiles.u | Update device configuration files and revisions. |
dvccfg.c | Create new device configuration jobs. |
dvccfg.d | Delete device configuration jobs and configuration status. |
dvccfg.r | Read device configuration jobs and configuration status. |
dvccfg.u | Update device configuration jobs and configuration status. |
mdsp:core:deviceconfiguration.readonly
This role grants read-only access to the Device Configuration APIs.
Scope | Description |
---|---|
dcfiles.r | Read device configuration files and revisions. |
dvccfg.r | Read device configuration jobs and configuration status. |
Device Management
Definition of roles and permissions for Device Management.
mdsp:core:devicemanagement.devicetypeadmin
This role grants all read and write access to the Device Management APIs for Device Types.
Scope | Description |
---|---|
dvctyp.c | Create device types. |
dvctyp.d | Delete device types. |
dvctyp.r | Read device types. |
dvctyp.u | Update device types. |
mdsp:core:devicemanagement.deviceadmin
This role grants all read and write access to the Device Management APIs for Device Instances.
Scope | Description |
---|---|
dinv.c | Create new devices. |
dinv.d | Delete devices. |
dinv.r | Read devices. |
dinv.u | Update devices. |
sinv.c | Create entries in the software inventory. |
sinv.d | Delete entries in the software inventory. |
sinv.r | Read entries in the software inventory. |
sinv.u | Update entries in the software inventory. |
mdsp:core:devicemanagement.devicetypereadonly
This role grants read-only access to the Device Management APIs for Device Types.
Scope | Description |
---|---|
dvctyp.r | Read device types. |
mdsp:core:devicemanagement.devicereadonly
This role grants read-only access to the Device Management APIs for Device Instances.
Scope | Description |
---|---|
dinv.r | Read devices. |
sinv.r | Read entries in the software inventory. |
Device Status
Definition of roles and permissions for Device Status.
mdsp:core:devicestatus.fullaccess
This role grants all read and write access to the Device Status APIs.
Scope | Description |
---|---|
dhlt.c | Create device status information. |
dhlt.d | Delete device status information. |
dhlt.r | Read device status information. |
dhlt.u | Update device status information. |
sinv.c | Create entries in the software inventory. |
sinv.d | Delete entries in the software inventory. |
sinv.r | Read entries in the software inventory. |
sinv.u | Update entries in the software inventory. |
mdsp:core:devicestatus.readonly
This role grants read-only access to the Device Status APIs.
Scope | Description |
---|---|
dhlt.r | Read device status information. |
sinv.r | Read entries in the software inventory. |
Edge App Deployment Service
Definition of roles and permissions for MindConnect Open Edge App Deployment.
mdsp:core:eadplymng.fullaccess
This role grants all read and write access to Edge App Deployment.
Scope | Description |
---|---|
apptrmsandcnd.c | Create new terms and conditions documents. |
apptrmsandcnd.d | Delete the terms and conditions documents. |
apptrmsandcnd.r | Read the terms and conditions documents. |
apptrmsandcnd.u | Update the terms and conditions documents. |
docmng.r | Read document bundles and documents. |
edgeappdplymnt.c | Create new Edge app deployment jobs. |
edgeappdplymnt.d | Delete Edge app deployment jobs. |
edgeappdplymnt.r | Read Edge app deployment jobs. |
edgeappdplymnt.u | Update Edge app deployment jobs. |
edgerlsmng.r | Read Edge application products and releases. |
jbcntl.c | Create new Edge deployment jobs for devices. |
jbcntl.d | Delete Edge deployment jobs for devices. |
jbcntl.r | Read Edge deployment jobs for devices. |
jbcntl.u | Update Edge deployment jobs for devices. |
mdsp:core:eadplymng.readonly
This role grants read-only access to Edge App Deployment.
Scope | Description |
---|---|
apptrmsandcnd.r | Read the terms and conditions documents for Edge app deployment. |
edgeappdplymnt.r | Read Edge app deployment jobs. |
jbcntl.r | Read Edge deployment jobs for devices. |
Edge App Instance Management Service
Definition of roles and permissions for the MindConnect Open Edge App Instance Management.
mdsp:core:eacfgmng.fullaccess
This role grants all read and write access to Edge app configuration management.
Scope | Description |
---|---|
edgeconfmng.c | Create configurations of Edge app instances. |
edgeconfmng.d | Delete the configurations of Edge app instances. |
edgeconfmng.r | Read the configurations of Edge app instances. |
edgeconfmng.u | Update the configurations of Edge app instances. |
mdsp:core:eacfgmng.readonly
This role grants read-only access to Edge app configuration management.
Scope | Description |
---|---|
docmng.r | Read document bundles and documents. |
edgeconfmng.r | Read the configurations of Edge app instances. |
mdsp:core:ealmng.fullaccess
This role grants all read and write access to Edge app lifecycle management.
Scope | Description |
---|---|
edgelifecyclemng.c | Create Edge app instances. |
edgelifecyclemng.d | Delete Edge app instances. |
edgelifecyclemng.r | Read Edge app instances. |
edgelifecyclemng.u | Update Edge app instances. |
mdsp:core:ealmng.readonly
This role grants read-only access to Edge app lifecycle management.
Scope | Description |
---|---|
docmng.r | Read document bundles and documents. |
edgerlsmng.r | Read application products and releases. |
Event Management
Definition of roles and permissions for Event Management.
mdsp:core:em.eventcreator
This role grants access to create, read and update events in the Event Management system.
Scope | Description |
---|---|
em.c | Create events. |
em.et.r | Read event types. |
em.r | Read events. |
em.u | Update events. |
emds.ent.r | Read entities via the Entity Master Data Service. |
mdsp:core:em.eventmanager
This role grants access to manage everything in the Event Management system.
Scope | Description |
---|---|
em.c | Create events. |
em.d | Delete events. |
em.et.c | Create event types. |
em.et.d | Delete event types. |
em.et.r | Read event types. |
em.et.u | Update event types. |
em.r | Read events. |
em.u | Update events. |
emds.ent.r | Read entities via the Entity Master Data Service. |
mdsp:core:em.eventviewer
This role grants access to read events and event types in the Event Management system.
Scope | Description |
---|---|
em.r | Read events. |
em.et.r | Read event types. |
Firmware Deployment
Definition of roles and permissions for Firmware Deployment.
mdsp:core:frmdpylmnt.fullaccess
This role grants all read and write access to Firmware Deployment.
Scope | Description |
---|---|
dinv.r | Read devices. |
docmng.r | Read document bundles and documents. |
dwf.wfinst.c | Create new workflow instances. |
dwf.wfinst.r | Read workflow instances. |
dwf.wfinst.u | Update workflow instances. |
fwdplymnt.c | Create new deployment jobs. |
fwdplymnt.d | Delete deployment jobs. |
fwdplymnt.r | Read deployment jobs. |
fwdplymnt.u | Update deployment jobs. |
fwmng.r | Read firmware for devices. |
jbcntl.c | Create new deployment jobs for devices. |
jbcntl.d | Delete deployment jobs for devices. |
jbcntl.r | Read deployment jobs for devices. |
jbcntl.u | Update deployment jobs for devices. |
trmsandcnd.c | Create terms and conditions documents. |
trmsandcnd.d | Delete the terms and conditions documents. |
trmsandcnd.r | Read the terms and conditions documents. |
trmsandcnd.u | Update the terms and conditions documents. |
In addition, this role includes the scopes from mdsp:core:dvcinv.readonly.
mdsp:core:frmdpylmnt.readonly
This role grants read-only access to Firmware Deployment.
Scope | Description |
---|---|
dinv.r | Read devices. |
dwf.wfinst.r | Read workflow instances. |
fwdplymnt.r | Read deployment jobs for firmware deployment. |
fwmng.r | Read firmware for devices. |
jbcntl.r | Read deployment jobs for devices. |
trmsandcnd.r | Read the terms and conditions documents for firmware deployment. |
Identity Management
The Identity Management service serves to manage all authorization-related functionality.
mdsp:core:im.meIamViewer
This role grants access to the current user's information, including assigned roles in the tenant's user IAM system.
Scope | Description |
---|---|
im.usr.me | Read your own user details. |
mdsp:core:im.userIamAdmin
This role grants administrative access (read and write) to a tenant's user IAM system.
Scope | Description |
---|---|
im.dg.c | Create data groups. |
im.dg.d | Delete data groups. |
im.g.c | Create groups. |
im.g.d | Delete groups. |
im.g.r | Read groups. |
im.g.u | Update groups. |
im.ug.c | Create user groups (here: sub-tenants). |
im.ug.d | Delete user groups (here: sub-tenants). |
im.ug.r | Read user groups (here: sub-tenants). |
im.usr.c | Create users. |
im.usr.d | Delete users. |
im.usr.me | Read your own user details. |
im.usr.r | Read users. |
im.usr.u | Update users. |
mdsp:core:im.userIamViewer
This role grants read-only access to a tenant's user IAM system.
Scope | Description |
---|---|
im.g.r | Read groups. |
im.ug.r | Read user groups (here: sub-tenants). |
Integrated Data Lake
Definition of roles and permissions for the Integrated Data Lake.
mdsp:core:dl.dsUser
This role grants read, write and delete access to the Integrated Data Lake API, comprising data object, event and time series import operations.
Scope | Description |
---|---|
dl.ds.r | Read data staging. |
dl.ds.w | Write data staging. |
dl.ds.d | Delete data staging. |
dl.da.r | Read data access. |
dl.dat.r | Read data access token. |
dl.de.r | Read event subscription. |
dl.de.w | Create an event subscription. |
dl.de.d | Delete the event subscription. |
dl.tsi.w | Create a time series import. |
dl.tsi.d | Delete time series import jobs. |
dl.tsi.r | Read time series imports. |
mdsp:core:dl.dsAdmin
This role grants full administrative access to the Integrated Data Lake API, including cross-account operations.
Scope | Description |
---|---|
dl.ds.r | Read data staging. |
dl.ds.w | Write data staging. |
dl.ds.d | Delete data staging. |
dl.da.r | Read data access. |
dl.da.d | Delete data access. |
dl.dat.r | Read data access token. |
dl.de.r | Read event subscription. |
dl.de.w | Create an event subscription. |
dl.de.d | Delete the event subscription. |
dl.tsi.w | Create a time series import. |
dl.da.w | Create a cross account. |
dl.tsi.d | Delete time series import jobs. |
dl.tsi.r | Read time series imports. |
dl.dat.w | Enable data access token permission. |
dl.dat.d | Delete data access token permission. |
IoT File Service
Definition of roles and permissions for the IoT File Service.
mdsp:core:iot.filAdmin
This role grants read, write and delete access to files.
Scope | Description |
---|---|
iot.fil.d | Delete file. |
iot.fil.r | Read file. |
iot.fil.w | Write file. |
mdsp:core:iot.filUser
This role grants read-only access to files.
Scope | Description |
---|---|
iot.fil.r | Read file. |
IoT Time Series
Definition of roles and permissions for the IoT Time Series Services.
mdsp:core:iot.timAdmin
This role grants read, write and delete access to time series.
Scope | Description |
---|---|
iot.tim.d | Delete time series. |
iot.tim.r | Read time series. |
iot.tim.w | Write a time series. |
mdsp:core:iot.timUser
This role grants read-only access to time series.
Scope | Description |
---|---|
iot.tim.r | Read time series. |
iot.bts.r | Read bulk time series. |
IoT Time Series Bulk Service
Definition of roles and permissions for the IoT Time Series Bulk Services.
mdsp:core:iot.bulkTimUser
This role grants access to read bulk time series data and fetch the job status of bulk ingest jobs.
Scope | Description |
---|---|
iot.bts.r | Read bulk time series. |
mdsp:core:iot.bulkTimAdmin
This role grants access to submitting bulk ingest jobs, reading bulk time series data and fetching the job status of bulk ingest jobs.
Scope | Description |
---|---|
iot.bi.r | Read bulk time series job status. |
iot.bi.w | Write a bulk time series for job processing. |
iot.bts.r | Read bulk time series. |
iot.sds.marker | Verify tenant admin during SDS validation. |
IoT Time Series Aggregates
Definition of roles and permissions for the IoT Time Series Aggregates API.
mdsp:core:iot.tsaUser
This role grants access to time series aggregates.
Scope | Description |
---|---|
iot.tsa.r | Read time series aggregations. |
Job Manager Service
Definition of roles and permissions for the Job Manager Service.
mdsp:core:jobmgr.user
Scope | Description |
---|---|
prl.jm.e | Execute, start, stop or schedule jobs in the Job Manager API. |
prl.jm.h | Query the history of executions in the Job Manager API. |
MindConnect API
Definition of roles and permissions for the MindConnect API.
mdsp:core:mindconnect.fullaccess
This role grants read and write access to the MindConnect APIs.
Scope | Description |
---|---|
da.c | Create diagnostic activation. |
da.d | Delete diagnostic activation. |
da.r | Read diagnostic activation information. |
di.r | Read the diagnostic data. |
da.m.r | Read one or all diagnostic messages of a specific activation resource. |
map.c | Create mapping. |
map.d | Delete a mapping. |
map.r | Read a mapping. |
rec.c | Replay the recoverable record. |
rec.r | Read the recoverable record. |
rec.d | Delete the recoverable record. |
evt.map.c | Create event mapping. |
evt.map.r | Read the event mapping. |
evt.map.u | Update the event mapping. |
evt.map.d | Delete the event mapping. |
mdsp:core:mindconnect.readonly
This role grants read-only access to the MindConnect APIs.
Scope | Description |
---|---|
da.r | Read diagnostic activation information. |
di.r | Read the diagnostic data. |
da.m.r | Read one or all diagnostic messages of a specific activation resource. |
map.r | Read a mapping. |
rec.r | Read the recoverable record. |
evt.map.r | Read the event mapping. |
Native MQTT API (Deprecated)
Caution
The native MQTT API is deprecated. It is recommended to use the MindConnect MQTT API instead.
Definition of roles and permissions for the Native MQTT API.
mdsp:core:nativemqtt.fullaccess
This role grants read and write access to the Native MQTT API.
Scope | Description |
---|---|
nmq.c.c | Upload a CA certificate. |
nmq.c.r | Read the CA certificate and registration code. |
nmq.c.d | Delete a CA certificate. |
nmq.t.r | Read configuration. |
mdsp:core:nativemqtt.readonly
This role grants read-only access to the Native MQTT API.
Scope | Description |
---|---|
nmq.c.r | Read the CA certificate and registration code. |
MindConnect MQTT API
Definition of roles and permissions for the MindConnect MQTT API.
mdsp:core:mindconnectmqtt.fullaccess
This role grants read and write access to the MindConnect MQTT API.
Scope | Description |
---|---|
mcmq.c.c | Upload a CA certificate. |
mcmq.c.r | Read the CA certificate and registration code. |
mcmq.c.d | Delete a CA certificate. |
mcmq.t.r | Read configuration. |
mdsp:core:mindconnectmqtt.readonly
This role grants read-only access to the MindConnect MQTT API.
Scope | Description |
---|---|
mcmq.c.r | Read the CA certificate and registration code. |
Commanding API
Definition of roles and permissions for the Commanding API.
mdsp:core:msg.fullaccess
This role grants read and write access to the Commanding APIs.
Scope | Description |
---|---|
agm.r | Read agent resources. |
asm.r | Read assets. |
msg.c | Create message job resources. |
msg.r | Read job message resources. |
msg.u | Update job message resources. |
msg.d | Delete job message resources. |
msg.pub | Publish messages to mqtt clients. |
mdsp:core:msg.readonly
This role grants read-only access to the Commanding APIs.
Scope | Description |
---|---|
msg.r | Read job message resources. |
mdsp:core:msg.defaultagent
This internal role grants read and acknowledge access to the Commanding APIs for the default agent.
Scope | Description |
---|---|
msa.ack | Acknowledge agent message resources. |
msa.r | Read agent message resources. |
Model Management Service
mdsp:core:amm.user
This role grants users access to the Model Management APIs.
Scope | Description |
---|---|
plr.amm.c | Create a model. |
plr.amm.r | Read a model. |
plr.amm.u | Update a model. |
plr.amm.d | Delete a model. |
Notification Service
Definition of roles and permissions for the Notification Service.
Note
Roles and scopes for the Notification Service are implicitly available to operator and developer tenants. Refer to the Notification Service.
mdsp:core:nose.mobileappuser
This role grants access to perform operations on mobile application instances.
Scope | Description |
---|---|
nose.ai.r | Read access on mobile application instance entities. |
nose.ai.w | Write access on mobile application instance entities. |
Rules
Definition of roles and permissions for the Rules Service.
mdsp:core:oi.creator
Scope | Description |
---|---|
rules.r | Read rules. |
rules.c | Create rules. |
rules.u | Update rules. |
rules.d | Delete rules. |
mdsp:core:oi.viewer
Scope | Description |
---|---|
rules.r | Read rules. |
Data Contextualization
Definition of roles and permissions for the Data Contextualization Service.
mdsp:core:sdi.admin
This role grants full (read and write) and administrative access to the Data Contextualization APIs.
Scope | Description |
---|---|
sdi.reg.r | Read data registry information. |
sdi.reg.w | Create or update data registry information. |
sdi.reg.d | Delete data registry information. |
sdi.dip.w | Start the data ingest process. |
sdi.dip.r | Read the job status for the data ingest process. |
sdi.dqp.r | Read the data query result. |
sdi.dqp.w | Create a data query. |
sdi.dqp.x | Execute a data query. |
sdi.dqp.d | Delete a data query. |
sdi.dqp.e | Create or get query execution jobs. |
sdi.smd.w | Create a semantic data model. |
sdi.smd.r | Read a semantic data model. |
sdi.smd.d | Delete a semantic data model. |
mdsp:core:sdi.enduser
This role grants end-user query access to SDI APIs.
Scope | Description |
---|---|
sdi.dqp.r | Read data query result. |
sdi.dqp.x | Execute a data query. |
sdi.dqp.e | Create or get query execution jobs. |
mdsp:core:sdi.semanticuser
This role grants access to semantic models and semantic core SDI APIs.
Scope | Description |
---|---|
sdi.smd.w | Create a semantic data model. |
sdi.smd.r | Read a semantic data model. |
sdi.smd.d | Delete a semantic data model. |
sdi.dqp.e | Create or get query execution jobs. |
Spectrum Analysis Service
Definition of roles and permissions for the Spectrum Analysis service.
mdsp:core:spectrumanalysis.fft.user
This is the base role for using the Spectrum Analysis service.
Scope | Description |
---|---|
as.sa.fft | Use the Spectrum Analysis API. |
Tenant Management Service
Definition of roles and permissions for the Tenant Management Service.
mdsp:core:tm.tenantAdmin
This role grants full administrative access to the respective tenant.
Scope | Description |
---|---|
tm.li.c | Create legal information. |
tm.li.d | Delete legal information. |
tm.li.r | Read legal information. |
tm.li.u | Update legal information. |
tm.st.c | Create subtenants. |
tm.st.d | Delete subtenants. |
tm.st.r | Read subtenants. |
tm.st.u | Update subtenants. |
mdsp:core:tm.tenantUser
This role grants permissions for standard tenant users.
Usage Transparency Service
Definition of roles and permissions for the Usage Transparency Service.
mdsp:core:uts.analyst
This role allows tenants to see usage data.
Scope | Description |
---|---|
uts.qi | Access to quota information. |
uts.rc | Access to the report console. |
uts.ri | Access to request usage information. |
uts.su | Access to send usage information. |
Resource Access Management Service
Definition of roles and permissions for the Resource Access Management Service.
mdsp:core:ram.papAdmin
This role grants admin access to the Resource Access Management (RAM) Policy Administration API for managing policies, roles and policy assignments.
Scope | Description |
---|---|
ram.p.c | Create policies. |
ram.p.r | View policies. |
ram.p.u | Update policies. |
ram.p.d | Delete policies. |
mdsp:core:ram.papViewer
This role grants read-only access to the Resource Access Management (RAM) Policy Administration API.
Scope | Description |
---|---|
ram.p.r | View policies. |
Case Management Service
Definition of roles and permissions for the Case Management Service.
mdsp:core:oi.wom.creator
This role allows for the creation of cases. By default, it is part of mdsp:core:TenantAdmin, mdsp:core:StandardUser, mdsp:core:oi.creator and mdsp:core:Admin3rdPartyTechUser.
Scope | Description |
---|---|
oi.wom.c | Create Case Management resources. |
oi.wom.r | Read Case Management resources. |
oi.wom.u | Update Case Management resources. |
oi.wom.d | Delete Case Management resources. |
mdsp:core:oi.wom.viewer
This role allows viewing of cases.
Scope | Description |
---|---|
oi.wom.r | Read Case Management resources. |
oi.wom.u | Update Case Management resources assigned to the user. |
oi.wom.d | Delete Case Management resources. |
Except where otherwise noted, content on this site is licensed under the Development License Agreement.