Managing User Groups and Permissions
You can control access to entities (e.g., Cloud Actions, Edge Actions, Octave edge devices, and Streams) for the users in your company by assigning users to certain user groups. This topic describes how to define those groups.
Note
Octave includes built-in Administrators and Users groups, and these groups have the following properties:
- The Administrators group grants read and write permissions to all entities in Octave.
- All users are automatically included in the Users group and cannot be removed from that group.
- The Users group permissions can be edited. This can be used as a way to set common permissions for all company members. Before inviting users, make sure you grant the Users group the rights you want all users to have by default.
Defining API Level Rights for a User/Master Token
The permissions granted to a user apply to the user's API Master Token and therefore control both UI and API usage.
Configuring a Group
Follow the steps below to configure a group:
- Navigate to Manage > Groups.
- Click New Group to create a new group or click the edit button on an existing group to configure it; the Groups screen is displayed:
The main elements of the Groups screen are:
- Group Name: the name of the group.
Note
The name of Octave's built-in Administrators and Users groups cannot be modified.
- Temporary Permissions: enable this field so that the permissions defined in this group are only available temporarily. The duration of these permissions can then be set as described in the next point. When temporary permissions are set, the group name will be prefixed with Temporary:
- Temporary Permissions Duration: when Temporary Permissions is enabled you can then define the duration as:
- Relative: the amount of time the permissions are available starting from when you save the group.
- Absolute: an exact day and time in the future when the permissions are to expire.
- Creation and Update dates: indicates when the group was created and last updated.
- Entities Tab: defines the read/write permissions for the various entities in Octave.
- Devices Tab: specifies which devices or Tags can be accessed and defines the types of access allowed to the entities (Read, Write, Event read, and Event write). A Tag-based permission sets the permissions to all devices belonging to that Tag. You can specify permissions for a device or Tag by selecting the respective radio button from the entity dropdown:
- Streams Tab: specifies which Streams can be accessed and defines the types of access allowed to the Streams (Read, Write, Event read, and Event write). Streams inherit permissions from their parent Stream and cannot have fewer permissions than their parents. In the following screenshot, devices mangoh_d2 and mangoh_s4 both inherit the read and event read permissions from their parent group. In this case, those permissions cannot be disabled per device.
Notes
- A general rule is to also grant the Read permission to an entity type, device, or Stream whenever the "Write" permission is granted. Otherwise, your group members won't be able to see the entity to be updated.
- Granting read access to a device Stream (e.g., "/COMPANY/devices/DEVICE") grants read access to the device object as well. As a result, the Devices tab only lists permissions given to device Streams, and to Tags.
- The "event read/write" permissions of a specific device/Stream grant access to the Events of that Stream.
- Permissions: defines the read/write permissions for the currently selected tab.
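The Stream inheritance rule and the Read-with-Write note above, modeled as an added example (not Octave code or its API schema): effective permissions are a Stream's own grants plus those of every parent Stream, and the audit flags inherited permissions and Write granted without Read. The grant dictionary layout and the "reports" Stream are assumptions constructed for illustration.

```python
# Added example: local model of the Stream permission rules described on this page.
# The grant layout (Stream path -> set of permission names) is an assumption made
# for illustration; it is not Octave's API schema.

def ancestors(path):
    """Yield path, then each parent Stream: /a/b/c -> /a/b/c, /a/b, /a."""
    parts = path.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])

def effective(grants, path):
    """Permissions in force on path: its own grants plus all inherited ones."""
    perms = set()
    for p in ancestors(path):
        perms |= grants.get(p, set())
    return perms

def audit(grants):
    """Return (path, finding, permissions) tuples for a group's Stream grants."""
    findings = []
    for path in sorted(grants):
        eff = effective(grants, path)
        inherited = eff - grants[path]
        if inherited:
            # Inherited permissions cannot be disabled on the child Stream.
            findings.append((path, "inherited", sorted(inherited)))
        if "write" in eff and "read" not in eff:
            # Members can update the entity but cannot see it.
            findings.append((path, "write_without_read", sorted(eff)))
    return findings

# Constructed sample group; "reports" is a hypothetical Stream name.
GRANTS = {
    "/COMPANY/devices": {"read", "event_read"},
    "/COMPANY/devices/mangoh_d2": {"write"},
    "/COMPANY/reports": {"write"},
}

if __name__ == "__main__":
    for finding in audit(GRANTS):
        print(finding)
    print(sorted(effective(GRANTS, "/COMPANY/devices/mangoh_s4")))
```

Running the audit before saving a group shows which child Streams will carry permissions that cannot be removed per device, and which grants leave members unable to see what they are allowed to update.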