Management of Roles and Scopes

Scopes: A scope is the smallest entity that describes a single permission.

Roles: A role is a collection of multiple scopes (permissions) that can be assigned to a user or another role.

Every application in MindSphere requires at least one application-specific role and permission. Additionally, if you want to use MindSphere APIs, you need to add one or more API-specific roles to your application roles.

API applications are accessible to standard, Fleet Manager plugin, and mobile applications only when third-party API roles are provided to the standard application.

The assigned rights are application-specific scopes (permissions). These rights are accessible only to certain MindSphere APIs. Some examples include:

  • Read access only.

  • Write access only.

  • Asset management files.

  • Access to certain files, etc.

The scopes can be assigned to one or more default application roles.

You can find those API-specific roles in the Developer Documentation, with detailed descriptions and all available scopes.

The following roles are available for every application:

  • TenantAdmin: Has all administrative privileges, including creating new assets, deleting time series data, and developing application configurations.

  • Standarduser: Uses the application. This user cannot delete assets or access certain application-specific endpoints that are managed by the administrator.

Additional information

  • Every application-specific scope is automatically prefixed with the application name.

  • Every role can be found in the MindSphere component "Settings" with the following scheme: mdsp:<tenantname>:<application>.<role>
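
Because a role can be assigned to another role, the scopes a role really grants are only visible once the roles assigned to it are resolved. The following Python is an added example, not code from MindSphere or its documentation: it parses role identifiers by the scheme above, collects a role's effective scopes, and lists those that do not carry the role's own application prefix. The tenant, application and scope names are constructed, and the `.` separator between application name and scope, the allowed characters and the dictionary layout are assumptions.

```python
import re

# Scheme from the page: mdsp:<tenantname>:<application>.<role>
# The allowed character set is an assumption; the page gives only the layout.
ROLE_RE = re.compile(r"^mdsp:(?P<tenant>[^:.\s]+):(?P<application>[^:.\s]+)\.(?P<role>[^:.\s]+)$")

def parse_role(name):
    """Split a role identifier into tenant, application and role; reject anything off-scheme."""
    m = ROLE_RE.match(name)
    if not m:
        raise ValueError(f"not a valid role identifier: {name!r}")
    return m.groupdict()

def effective_scopes(role, roles, seen=None):
    """Collect a role's scopes plus those of every role assigned to it (cycle-safe)."""
    seen = seen if seen is not None else set()
    if role in seen:          # already visited: a role cycle must not loop forever
        return set()
    seen.add(role)
    scopes = set(roles[role]["scopes"])
    for child in roles[role]["includes"]:
        scopes |= effective_scopes(child, roles, seen)
    return scopes

def foreign_scopes(role, roles):
    """Effective scopes that lack the role's own application prefix (e.g. API scopes)."""
    prefix = parse_role(role)["application"] + "."   # assumed separator
    return {s for s in effective_scopes(role, roles) if not s.startswith(prefix)}

# Constructed sample data: a hypothetical application "pumpmonitor" in tenant "acme",
# whose admin role includes the user role and a hypothetical API role.
ROLES = {
    "mdsp:acme:pumpmonitor.user": {"scopes": ["pumpmonitor.read"], "includes": []},
    "mdsp:acme:pumpmonitor.admin": {
        "scopes": ["pumpmonitor.write", "pumpmonitor.delete"],
        "includes": ["mdsp:acme:pumpmonitor.user", "mdsp:acme:exampleapi.reader"],
    },
    "mdsp:acme:exampleapi.reader": {"scopes": ["exampleapi.read"], "includes": []},
}

if __name__ == "__main__":
    for name in ROLES:
        print(name, sorted(effective_scopes(name, ROLES)), sorted(foreign_scopes(name, ROLES)))
```

Reviewing the foreign scopes per role shows which API permissions an application role pulls in beyond its own prefixed scopes.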