<!DOCTYPE HTML>
<html lang="" >
<head>
<meta charset="UTF-8">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>Kapua Permissions · Eclipse Kapua™ User Guide</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="generator" content="GitBook 3.2.2">
<link rel="stylesheet" href="gitbook/style.css">
<link rel="stylesheet" href="gitbook/gitbook-plugin-highlight/website.css">
<link rel="stylesheet" href="gitbook/gitbook-plugin-search/search.css">
<link rel="stylesheet" href="gitbook/gitbook-plugin-fontsettings/website.css">
<meta name="HandheldFriendly" content="true"/>
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="gitbook/images/apple-touch-icon-precomposed-152.png">
<link rel="shortcut icon" href="gitbook/images/favicon.ico" type="image/x-icon">
<link rel="next" href="mfa.html" />
<link rel="prev" href="jwt_security.html" />
</head>
<body>
<div class="book">
<div class="book-body">
<div class="body-inner">
<div class="page-wrapper" tabindex="-1" role="main">
<div class="page-inner">
<div id="book-search-results">
<div class="search-noresults">
<section class="normal markdown-section">
<h1 id="kapua-permissions-explained">Kapua Permissions Explained</h1>
<p>Kapua has many different permissions for various purposes, and they can be combined freely for different users and use cases. This naturally adds complexity, but it also opens up a world of possibilities: we can have users who can see and edit Devices but cannot delete them, users who can only see Tags, or Roles that carry only the &quot;Permissions&quot; tab, and so on.</p>
<p>This document was created because adding, editing and using permissions in Kapua can be rather difficult at times. With it, end users like you do not have to waste time searching for and debugging which permission(s) a certain operation needs, and can focus on the primary task instead.</p>
<p>Below is a description of every service/grid in Kapua and of the permissions that need to be granted in order to see certain tabs or to enable certain buttons or features. For most of them the logic is straightforward, but some must be &quot;studied&quot; in a bit more detail.</p>
<h2 id="forwardable-permissions">Forwardable Permissions</h2>
<p>Before we dive into Kapua&apos;s permissions, we have to mention one thing that is more confusing than the rest: the so-called <strong>Forwardable</strong> option on a permission.</p>
<p>A <strong>Forwardable</strong> permission is a link between a parent account and a child account: it allows a user of the parent account to edit the child account&apos;s settings, view its Users, and so on. Conversely, a permission that is not forwardable limits the user to his own &quot;scope&quot;, i.e. to viewing users in his own account only. The best way to explain this is with an example.
Imagine you have an account named <strong>account0</strong> with the following users:</p>
<ul>
<li><strong>user0</strong> (permissions: <em><strong>Account:Read</strong></em>, <em><strong>Account:Write</strong></em>, <em><strong>User:Read</strong></em> - forwardable set to False)</li>
<li><strong>user1</strong> (permissions: <em><strong>Account:Read</strong></em>, <em><strong>Account:Write</strong></em>, <em><strong>User:Read</strong></em> - forwardable set to True)</li>
</ul>
<p>Create a child account within <strong>account0</strong> named <strong>account0_1</strong>. Now log in as <strong>user0</strong>, go to the <strong>Child Accounts</strong> view and try to see <strong>account0_1&apos;s</strong> <strong>Users</strong>: Kapua will return an error. This is because the user&apos;s <strong>User</strong> permission does not have the <strong>Forwardable</strong> option set to true, so the user cannot see the <strong>Child Account&apos;s</strong> users. The same happens if you go to the <strong>[username]@[account name]</strong> button in the upper right corner, click <strong>Switch to Account...</strong>, select <strong>account0_1</strong> and then navigate through the GUI: Kapua will start reporting errors that you do not have the proper permissions.</p>
<p>The same applies to the <strong>Account:Write</strong> permission: if this user tries to change the child account&apos;s parameters, Kapua returns an error saying that the user does not have the proper permissions. This is again correct, since the user&apos;s <strong><em>Account:Write</em></strong> permission is not <strong><em>Forwardable</em></strong>. It may seem a bit odd at first, but we will return to it in a moment.</p>
<p>If you now log in as <strong>user1</strong>, there will be no such problems, since all of user1&apos;s permissions are forwardable: you will be able to see all of the child account&apos;s settings, all of its users and their parameters.</p>
<p>Taking a closer look, you can see that the <strong><em>Forwardable</em></strong> flag gives you several options: you can <em>close</em> a user into his so-called <strong><em>scope</em></strong>, so that he can only see his own account and its users, or, by making his permissions <strong><em>Forwardable</em></strong>, also let him see the Users in Child Accounts and all of their settings.
This is also explained in the <strong>Child Accounts</strong> section of this document.</p>
<p>This document describes only specific permissions and permission combinations; simple <strong><em>Read/Write/Delete</em></strong> permissions are skipped where their function is straightforward. If you still have questions after reading it, please post a question/issue on GitHub or join us at one of the community meetings!</p>
<h2 id="welcome-and-about">Welcome and About</h2>
<p><strong>Welcome</strong> and <strong>About</strong> show some basic information about Kapua. These two tabs are enabled by default, so a user can always see and use them, even a user with no permissions at all. A user can also always change their own password (upper right corner).</p>
<h2 id="connections">Connections</h2>
<p><strong>Connections</strong> are one of the special items in the main menu. A user cannot add or delete connections (only the <strong>Broker</strong> can do that); a user can only edit the parameters of a given connection, which is why the table below does not describe how to enable <strong>Add</strong> or <strong>Delete</strong> buttons.</p>
<p>The Connections view is also closely related to <strong>Users</strong>: a connection can be reserved for a certain user only (the <strong>Reserved User</strong> and <strong>Allow User Change</strong> options) or can be <strong>open</strong> to all users. Because of this, the Connections view has two &quot;User&quot; filter options, <strong>Reserved User</strong> and <strong>Last User</strong>, which are enabled only if the user has the <strong><em>User:Read</em></strong> permission; otherwise these filter options are not available.</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Connections tab in main menu</strong></td>
<td>Device_connection:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong>Edit</strong> button</td>
<td>Device_connection:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button in Connections</td>
<td>Device_connection:Read Device_connection:Write</td>
<td>No</td>
</tr>
<tr>
<td>See <strong><em>Reserved User</em></strong> option</td>
<td>Device_connection:Read Device_connection:Write User:Read</td>
<td>No</td>
</tr>
<tr>
<td>See <strong><em>Allow User Change</em></strong> option</td>
<td>Device_connection:Read Device_connection:Write User:Read</td>
<td>No</td>
</tr>
<tr>
<td>See <strong><em>Last User</em></strong> filter option</td>
<td>Device_connection:Read Device_connection:Write User:Read</td>
<td>No</td>
</tr>
<tr>
<td>See <strong><em>Reserved User</em></strong> filter option</td>
<td>Device_connection:Read Device_connection:Write User:Read</td>
<td>No</td>
</tr>
</tbody>
</table>
<h2 id="devices">Devices</h2>
<p>Kapua is device management software, so naturally it has a <strong>Device</strong> view. With it, we can monitor a device&apos;s condition, status and much more; if the user has <strong>Command</strong> permissions, we can even send simple commands to the device remotely or reboot it if necessary.
The <strong>Devices</strong> view is the most complex view in Kapua: it has more than 10 tabs and subtabs, all of which need specific permissions for viewing/editing.
If the user has only the <em><strong>Device:Read</strong></em> permission, the <strong>Description</strong> tab is enabled and the user can see all the information about a given device (if there are any devices, since the user cannot add devices without the <strong><em>Device:Write</em></strong> permission). The <strong>Export to CSV</strong> and <strong>Refresh</strong> buttons are also enabled, even if there are no devices in the list.</p>
<p>One speciality is the <strong>Tags</strong> tab: the user needs the <strong><em>Device:Write</em></strong> permission to add and remove tags on a device, not <strong><em>Device:Delete</em></strong> or <strong><em>Tag:Write/Delete</em></strong>, since those permissions are used for deleting devices and for editing/deleting tags respectively.</p>
<p>The other buttons/features do not require any special permissions, as you can see from the table below.</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Devices tab in main menu</strong></td>
<td>Device:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Device:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Export to CSV</em></strong> button</td>
<td>Device:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Device:Read Device:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Access Group</em></strong> option in <strong>Add</strong> window</td>
<td>Device:Read Device:Write Group:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>Device:Read Device:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Access Group</em></strong> option in <strong>Edit</strong> window</td>
<td>Device:Read Device:Write Group:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Device:Read Device:Delete</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Group</em></strong> option in filter menu</td>
<td>Device:Read Group:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Tag</em></strong> option in filter menu</td>
<td>Device:Read Tag:Read</td>
<td>No</td>
</tr>
<tr>
<td><strong>TAG TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Tag</em></strong> tab</td>
<td>Device:Read Tag:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button in <strong>Tag</strong> tab</td>
<td>Device:Read Tag:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Apply</em></strong> button in <strong>Tag</strong> tab</td>
<td>Device:Read Device:Write Tag:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Remove</em></strong> button in <strong>Tag</strong> tab</td>
<td>Device:Read Device:Write Tag:Read</td>
<td>No</td>
</tr>
<tr>
<td><strong>EVENTS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Events</em></strong> tab</td>
<td>Device:Read Device_event:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button in <strong>Events</strong> tab</td>
<td>Device:Read Device_event:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Export to CSV</em></strong> button in <strong>Events</strong> tab</td>
<td>Device:Read Device_event:Read</td>
<td>No</td>
</tr>
<tr>
<td><strong>PACKAGES TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Packages</em></strong> tab (<strong>Installed</strong> and <strong>In Progress</strong> subtabs)</td>
<td>Device:Read Device_management:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button in <strong>Packages</strong> tab</td>
<td>Device:Read Device_management:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Install</em></strong> button in <strong>Packages</strong> tab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Uninstall</em></strong> button in <strong>Packages</strong> tab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>History</em></strong> subtab in <strong>Packages</strong> tab</td>
<td>Device:Read Device_management:Read Device_management-registry:Read</td>
<td>No</td>
</tr>
<tr>
<td><strong>BUNDLES TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Bundles</em></strong> tab</td>
<td>Device:Read Device_management:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button in <strong>Bundles</strong> tab</td>
<td>Device:Read Device_management:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Start</em></strong> button in <strong>Bundles</strong> tab</td>
<td>Device:Read Device_management:Read Device_management:Execute</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Stop</em></strong> button in <strong>Bundles</strong> tab</td>
<td>Device:Read Device_management:Read Device_management:Execute</td>
<td>No</td>
</tr>
<tr>
<td><strong>CONFIGURATION TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Configuration</em></strong> tab (<strong>Services</strong> and <strong>Snapshots</strong> subtabs)</td>
<td>Device:Read Device_management:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button in <strong>Configuration</strong> tab</td>
<td>Device:Read Device_management:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Save</em></strong> button in <strong>Configuration</strong> tab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Discard</em></strong> button in <strong>Configuration</strong> tab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button in <strong>Snapshots</strong> subtab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Download</em></strong> button in <strong>Snapshots</strong> subtab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Rollback to</em></strong> button in <strong>Snapshots</strong> subtab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Upload And Apply</em></strong> button in <strong>Snapshots</strong> subtab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
<tr>
<td><strong>COMMAND TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Command</em></strong> tab</td>
<td>Device:Read Device_management:Read Device_management:Execute</td>
<td>No</td>
</tr>
<tr>
<td><strong>ASSETS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Assets</em></strong> tab</td>
<td>Device:Read Device_management:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button in <strong>Assets</strong> tab</td>
<td>Device:Read Device_management:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Save</em></strong> button in <strong>Assets</strong> tab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Discard</em></strong> button in <strong>Assets</strong> tab</td>
<td>Device:Read Device_management:Read Device_management:Write</td>
<td>No</td>
</tr>
</tbody>
</table>
<h2 id="batch-jobs">Batch Jobs</h2>
<p>Another interesting and generally useful feature in Kapua are <strong>Jobs</strong>. With them a user can start/stop bundles, write assets or configuration, download and install a package and much more on remote devices; jobs can even be scheduled in advance! All in all, it is a powerful tool for device management.</p>
<p>Everything you need to start working with Jobs is in the table below; it is fairly straightforward. If in doubt, do not hesitate to ask us for clarification.</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Batch Jobs tab in main menu</strong></td>
<td>Job:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Job:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Job:Read Job:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>Job:Read Job:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Job:Read Job:Delete</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Start</em></strong> button</td>
<td>Job:Read Job:Execute</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Stop</em></strong> button</td>
<td>Job:Read Job:Execute</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Restart</em></strong> button</td>
<td>Job:Read Job:Execute</td>
<td>No</td>
</tr>
<tr>
<td><strong>TARGETS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Targets</em></strong> tab</td>
<td>Job:Read Device:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Job:Read Device:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Job:Read Job:Write Device:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Job:Read Job:Delete Device:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Start</em></strong> button</td>
<td>Job:Read Job:Execute Device:Read</td>
<td>No</td>
</tr>
<tr>
<td><strong>STEPS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Steps</em></strong> tab</td>
<td>Job:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Job:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Job:Read Job:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>Job:Read Job:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Job:Read Job:Delete</td>
<td>No</td>
</tr>
<tr>
<td><strong>SCHEDULES TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Job:Read Scheduler:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Job:Read Scheduler:Read Scheduler:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Job:Read Scheduler:Read Scheduler:Delete</td>
<td>No</td>
</tr>
<tr>
<td><strong>EXECUTIONS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Job:Read</td>
<td>No</td>
</tr>
</tbody>
</table>
<h2 id="data">Data</h2>
<p>The Data tab is one of the simplest tabs in Kapua; it is used to see the data sent by devices. It needs only one permission to show the Data tab itself, plus the &quot;Device:Read&quot; permission to show two additional tabs (&quot;By Device&quot; and &quot;By Assets&quot;). Because a user cannot write (or delete) data in Kapua, there is no need (for now) for &quot;Data:Write/Delete&quot; permissions.</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Data tab in main menu</strong></td>
<td>Datastore:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Datastore:Read</td>
<td>No</td>
</tr>
<tr>
<td><strong>&quot;BY DEVICE&quot; TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Device:Read Datastore:Read</td>
<td>No</td>
</tr>
<tr>
<td><strong>&quot;BY ASSET&quot; TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Device:Read Datastore:Read</td>
<td>No</td>
</tr>
</tbody>
</table>
<h2 id="tags">Tags</h2>
<p>Tags are an interesting feature in Kapua: they let a user tag certain devices with a specific tag for various purposes. This differs from grouping, since a user can see all devices regardless of their tags, but cannot see devices in certain groups if he has insufficient permissions (see the <strong>Group</strong> option in permissions). Also, a device can have multiple tags but can be a member of only one group.</p>
<p>Tags can be used to mark devices that are in a certain area or in a certain state, or anything similar, which gives the end user additional options for device management.
All the permissions are straightforward and need no extra explanation.</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Tags tab in main menu</strong></td>
<td>Tag:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Tag:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Tag:Read Tag:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>Tag:Read Tag:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Tag:Read Tag:Delete</td>
<td>No</td>
</tr>
<tr>
<td><strong>ASSIGNED DEVICES TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Assigned Devices</em></strong> tab</td>
<td>Tag:Read Device:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Tag:Read Device:Read</td>
<td>No</td>
</tr>
</tbody>
</table>
<h2 id="users">Users</h2>
<p>Users are the basis for everything in Kapua; without a user you cannot even log in!
Nevertheless, let&apos;s take a closer look at some of the permissions. To see the <strong>Users</strong> tab, the end user needs only the <em><strong>User:Read</strong></em> permission and nothing else. To edit and delete users, the <em><strong>User:Write</strong></em> and <em><strong>User:Delete</strong></em> permissions are needed respectively.</p>
<p>To show the <strong>Credentials</strong> tab, the user needs the <em><strong>Credentials:Read</strong></em> permission (alongside <em><strong>User:Read</strong></em>), and to edit/unlock/delete credentials the <em><strong>Credentials:Write</strong></em> and <em><strong>Credentials:Delete</strong></em> permissions respectively.</p>
<p>The <strong>Roles</strong> tab is a bit different. For the <strong>Roles</strong> tab to be visible, the user needs the <em><strong>User:Read</strong></em>, <em><strong>Role:Read</strong></em> and <em><strong>Access_info:Read</strong></em> permissions, but for the <strong>Add</strong> and <strong>Revoke</strong> buttons to be enabled the user also needs <strong><em>Access_info:Write/Delete</em></strong> (and not &quot;Role:Write/Delete&quot;, which are meant for adding, editing and deleting roles).</p>
<p>The &quot;Permissions&quot; tab is again a bit different and deserves more explanation than the others. To see the <strong>Permissions</strong> tab, the <strong><em>&quot;Access_info:Read&quot;</em></strong>, <strong><em>&quot;User:Read&quot;</em></strong> and <strong><em>&quot;Domain:Read&quot;</em></strong> permissions are needed; do not forget the <strong><em>Domain:Read</em></strong> permission! But why?
If you look closely at the &quot;Grant Permission&quot; window, you will see that it has &quot;Domain&quot;, &quot;Action&quot;, &quot;Access Group&quot; and &quot;Forwardable&quot; options, and the first one, &quot;Domain&quot;, has its own permission just for enabling this dropdown menu.
You can think of the &quot;Domain:Read&quot; permission as the &quot;entry point&quot; for all other permissions; this is its only task and it has no other function in Kapua. This is also why the &quot;Domain:Write&quot; and &quot;Domain:Delete&quot; permissions are not needed: the user needs Access_info:Write/Delete to grant and revoke permissions.</p>
<p>A word of caution: be careful which permissions you grant to users. If you grant them Access_info:Read/Write in combination with User:Read, they can start granting permissions themselves, and therefore do things they are not supposed to.</p>
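An added audit helper, not Kapua's own code, that encodes the Users view rules from the table below and the caution just given: it lists which GUI features a permission set enables and reports which users of a constructed inventory could grant permissions, and so widen their own access.

```python
"""Audit of who can grant permissions, based on the Users view rules in this guide.

Added example, not Kapua's own code: the required-permission sets come from the
Users view table of this guide and the escalation rule from its word of caution;
the user inventory below is constructed.
"""
from typing import Dict, FrozenSet, List, Set

# GUI feature -> permissions the guide's Users view table requires for it.
USERS_VIEW: Dict[str, FrozenSet[str]] = {
    "Users tab": frozenset({"User:Read"}),
    "Roles tab": frozenset({"User:Read", "Role:Read"}),
    "Assign button": frozenset({"User:Read", "Role:Read", "Access_info:Read",
                                "Access_info:Write"}),
    "Permissions tab": frozenset({"User:Read", "Access_info:Read", "Domain:Read"}),
    "Grant button": frozenset({"User:Read", "Access_info:Read", "Domain:Read",
                               "Access_info:Write"}),
    "Revoke button": frozenset({"User:Read", "Access_info:Read", "Domain:Read",
                                "Access_info:Delete"}),
}

# The guide's caution: Access_info:Read/Write together with User:Read lets a
# user grant permissions, so a user holding these can widen their own access.
SELF_GRANT: FrozenSet[str] = frozenset({"User:Read", "Access_info:Read",
                                        "Access_info:Write"})


def enabled_features(perms: Set[str]) -> List[str]:
    """Features of the Users view that a permission set enables."""
    return [name for name, needed in USERS_VIEW.items() if needed <= perms]


def missing_for(feature: str, perms: Set[str]) -> Set[str]:
    """Permissions still missing before `feature` becomes enabled."""
    return set(USERS_VIEW[feature]) - perms


def audit_grantors(inventory: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each user who can hand out permissions to the ways they can do it.

    Domain:Read only enables the Domain dropdown of the Grant window, so a user
    who holds the caution's set without Domain:Read still gets flagged, with a
    note that the GUI button itself is disabled. Role assignment is reported
    too, since assigning a role hands over every permission in that role.
    """
    findings: Dict[str, List[str]] = {}
    for user, perms in inventory.items():
        paths: List[str] = []
        if USERS_VIEW["Grant button"] <= perms:
            paths.append("Grant button")
        elif SELF_GRANT <= perms:
            paths.append("Access_info:Write without Domain:Read (Grant button disabled)")
        if USERS_VIEW["Assign button"] <= perms:
            paths.append("Assign role button")
        if paths:
            findings[user] = paths
    return findings


# Constructed inventory: user name -> permissions held in their own account.
INVENTORY: Dict[str, Set[str]] = {
    "device_operator": {"Device:Read", "Device:Write", "Device_management:Read",
                        "Device_management:Execute"},
    "helpdesk": {"User:Read", "User:Write", "Access_info:Read", "Access_info:Write"},
    "role_manager": {"User:Read", "Role:Read", "Access_info:Read",
                     "Access_info:Write", "Domain:Read"},
    "auditor": {"User:Read", "Role:Read", "Access_info:Read", "Domain:Read"},
}


if __name__ == "__main__":
    for user, paths in audit_grantors(INVENTORY).items():
        print(f"{user}: can grant via {', '.join(paths)}")
```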
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Users tab in main menu</strong></td>
<td>User:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>User:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>User:Read User:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>User:Read User:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>User:Read User:Delete</td>
<td>No</td>
</tr>
<tr>
<td>See <strong><em>Reserved for Connection</em></strong> option</td>
<td>User:Read Connection:Read Device:Read</td>
<td>No</td>
</tr>
<tr>
<td><strong>CREDENTIALS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Credentials</em></strong> tab</td>
<td>User:Read Credential:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>User:Read Credential:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>User:Read Credential:Read Credential:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>User:Read Credential:Read Credential:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>User:Read Credential:Read Credential:Delete</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Unlock</em></strong> button</td>
<td>User:Read Credential:Read Credential:Write</td>
<td>No</td>
</tr>
<tr>
<td><strong>ROLES TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Roles</em></strong> tab</td>
<td>User:Read Role:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>User:Read Role:Read Access_info:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Assign</em></strong> button</td>
<td>User:Read Role:Read Access_info:Read Access_info:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Remove</em></strong> button</td>
<td>User:Read Role:Read Access_info:Read Access_info:Delete</td>
<td>No</td>
</tr>
<tr>
<td><strong>PERMISSIONS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Permissions</em></strong> tab</td>
<td>User:Read Access_info:Read Domain:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>User:Read Access_info:Read Domain:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Grant</em></strong> button</td>
<td>User:Read Access_info:Read Domain:Read Access_info:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Revoke</em></strong> button</td>
<td>User:Read Access_info:Read Domain:Read Access_info:Delete</td>
<td>No</td>
</tr>
</tbody>
</table>
<h2 id="roles">Roles</h2>
<p>Roles are best thought of as a &quot;set of permissions&quot;: a user can add several permissions to a role, name it e.g. &quot;user_roles&quot;, and assign that role to multiple users. This is much faster than adding every single permission to every user, and also more elegant.</p>
<p>Roles have no special permission combinations: the user needs the Role:Read/Write/Delete permissions to see, edit and delete roles, and Access_info permissions in combination with Role permissions to see the &quot;Permissions&quot; tab.</p>
<p>If the user wants to see which role is granted to which user, the User:Read permission has to be added as well (see the table below).</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Roles in main menu</strong></td>
<td>Role:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Role:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Role:Read Role:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>Role:Read Role:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Role:Read Role:Delete</td>
<td>No</td>
</tr>
<tr>
<td><strong>PERMISSIONS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Permissions</em></strong> tab</td>
<td>Role:Read Access_info:Read Domain:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Role:Read Access_info:Read Domain:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Role:Read Access_info:Read Role:Write Domain:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Role:Read Access_info:Read Role:Delete Domain:Read</td>
<td>No</td>
</tr>
<tr>
<td><strong>GRANTED USERS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Granted Users</em></strong> tab</td>
<td>Role:Read User:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Role:Read User:Read</td>
<td>No</td>
</tr>
</tbody>
</table>
<h2 id="access-groups">Access Groups</h2>
<p>Access Groups serve a purpose similar to Tags, with one important difference: every device can be a member of only one group, whereas the number of tags is not limited. This adds further options to Kapua; it may seem redundant, but when there are hundreds of devices every &quot;sorting&quot; feature like this comes in handy.</p>
<p>No special permission combinations are needed to show the Access Groups item in the main menu: the user only needs the Access_group:Read/Write/Delete permissions, plus optionally Device:Read for viewing the &quot;Assigned Devices&quot; tab.</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Access Groups in main menu</strong></td>
<td>Group:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Group:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Group:Read Group:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>Group:Read Group:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Group:Read Group:Delete</td>
<td>No</td>
</tr>
<tr>
<td><strong>ASSIGNED DEVICES TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Assigned Devices</em></strong> tab</td>
<td>Group:Read Device:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Group:Read Device:Read</td>
<td>No</td>
</tr>
</tbody>
</table>
<h2 id="child-accounts">Child Accounts</h2>
<p>Child Accounts are the basis for &quot;extending&quot; Kapua and its functionality. Just as Users expand Kapua &quot;horizontally&quot; (multiple users in one account), accounts extend it &quot;vertically&quot;: every account (if its parameters permit it) can have its own child accounts, and so on. The result is many smaller accounts whose users hold only the specific permissions needed for a small number of tasks.</p>
<p>This is also where the so-called &quot;Forwardable&quot; permissions come into play, in the &quot;Users&quot; tab to be exact. The <strong>Account:Read/Write/Delete</strong> permissions are straightforward, but a user who wants to see and use the &quot;Users&quot; tab of a child account must hold the User permissions with Forwardable set to True (e.g. <strong>User:Read:ALL:YES</strong>); otherwise Kapua returns an error stating that the user needs additional permissions. A permission that is not forwardable applies only in the account in which it was granted and does not reach child accounts, so leave Forwardable set to False unless the user really needs to act in child accounts.</p>
<p>The Forwardable flag also matters if a user wants to see and edit Services in Child Accounts -&gt; Account Settings. If Forwardable is not set to True, the user will not be able to change these parameters for child accounts (but will still be able to see them in the main menu on the left).</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Child Accounts in main menu</strong></td>
<td>Account:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Account:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Account:Read Account:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>Account:Read Account:Write</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Account:Read Account:Delete</td>
<td>No</td>
</tr>
<tr>
<td><strong>USERS TAB</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enabled <strong><em>Refresh</em></strong> button</td>
<td>Account:Read User:Read</td>
<td>Yes (User:Read)</td>
</tr>
<tr>
<td>Enabled <strong><em>Add</em></strong> button</td>
<td>Account:Read User:Read User:Write</td>
<td>Yes (User:Read/Write)</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>Account:Read User:Read User:Write</td>
<td>Yes (User:Read/Write)</td>
</tr>
<tr>
<td>Enabled <strong><em>Delete</em></strong> button</td>
<td>Account:Read User:Read User:Delete</td>
<td>Yes (User:Read/Delete)</td>
</tr>
</tbody>
</table>
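<p>To make the Forwardable rule concrete, here is an added example (not Kapua&apos;s own code, and not taken from this guide) that models how a permission written in the page&apos;s Domain:Action:TargetScope:Forwardable notation, such as User:Read:ALL:YES, is evaluated across a tree of accounts. The account names (kapua-sys, account0, account0-1, account1) and the exact evaluation rules are assumptions made for the illustration; Kapua&apos;s real authorization service is Java code in the project and is not reproduced here.</p>

```python
"""Model of Kapua-style permission evaluation across an account hierarchy.

Added example, not Kapua's own code. It reproduces the behaviour the
Child Accounts section describes: a permission only reaches child
accounts when its Forwardable flag is set. Account names, the tree and
the matching rules are constructed assumptions for this illustration.
"""
from dataclasses import dataclass

# Constructed account hierarchy: child -> parent (the root has no parent).
PARENT = {
    "kapua-sys": None,
    "account0": "kapua-sys",
    "account0-1": "account0",
    "account1": "kapua-sys",
}


def ancestors(account):
    """Yield the parent, grandparent, ... of `account`, nearest first."""
    parent = PARENT[account]
    while parent is not None:
        yield parent
        parent = PARENT[parent]


@dataclass(frozen=True)
class Permission:
    domain: str        # e.g. "User", "Account"; "ALL" matches every domain
    action: str        # "Read", "Write", "Delete"; "ALL" matches every action
    target_scope: str  # account the permission is limited to; "ALL" = no limit
    forwardable: bool  # may the permission be exercised in child accounts?

    @classmethod
    def parse(cls, text):
        """Parse "Domain:Action[:TargetScope[:YES|NO]]" (the page's notation).

        Missing fields default to an unlimited scope and a non-forwardable
        permission, which is what the table rows marked "No" require.
        """
        parts = text.split(":")
        if len(parts) not in (2, 3, 4):
            raise ValueError(f"malformed permission: {text!r}")
        domain, action = parts[0], parts[1]
        target_scope = parts[2] if len(parts) > 2 else "ALL"
        flag = parts[3].upper() if len(parts) > 3 else "NO"
        if flag not in ("YES", "NO"):
            raise ValueError(f"forwardable must be YES or NO: {text!r}")
        return cls(domain, action, target_scope, flag == "YES")


def is_permitted(user_account, permissions, domain, action, target_account):
    """True if a user of `user_account` holding `permissions` may perform
    `domain`:`action` inside `target_account`.

    Assumed rules (a simplified reading of the page, not Kapua's code):
      * domain and action must match exactly or be the wildcard "ALL";
      * acting in the user's own account needs no Forwardable flag;
      * acting in a descendant account needs a forwardable permission;
      * accounts outside the user's own subtree are never reachable;
      * a TargetScope other than "ALL" limits the permission to that account.
    """
    if target_account != user_account and user_account not in ancestors(target_account):
        return False  # sibling or parent account: out of the user's subtree
    for p in permissions:
        if p.domain not in ("ALL", domain) or p.action not in ("ALL", action):
            continue
        if p.target_scope not in ("ALL", target_account):
            continue
        if target_account == user_account or p.forwardable:
            return True
    return False


def missing_permissions(user_account, permissions, required):
    """Return the "Domain:Action" pairs of `required` (triples of domain,
    action, target account) that are not granted; an empty list means the
    corresponding UI feature would be enabled."""
    return [
        f"{d}:{a}" for d, a, scope in required
        if not is_permitted(user_account, permissions, d, a, scope)
    ]


if __name__ == "__main__":
    # Scenario from the text: the Users tab of child account0 needs
    # Account:Read in the user's own account and User:Read in account0,
    # and the User:Read permission must be forwardable.
    plain = [Permission.parse("Account:Read"), Permission.parse("User:Read")]
    forwarded = [Permission.parse("Account:Read"), Permission.parse("User:Read:ALL:YES")]
    need = [("Account", "Read", "kapua-sys"), ("User", "Read", "account0")]
    print(missing_permissions("kapua-sys", plain, need))      # ['User:Read']
    print(missing_permissions("kapua-sys", forwarded, need))  # []
```

<p>Running the file shows the two cases from the text: with a plain User:Read the Users tab of account0 reports a missing User:Read, while User:Read:ALL:YES satisfies it, also for the grandchild account0-1. A forwardable permission still never reaches a sibling account or the parent, which is why the flag only widens access downwards in the tree.</p>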
<h2 id="endpoints">Endpoints</h2>
<p>Endpoints are a special feature that does not behave like an &quot;ordinary&quot; main menu item (such as Roles, Groups or Users): apart from the kapua-sys user, which has full read/write/delete access, no user can see this item on the left. Even users who hold <em><strong>Endpoint:Read/Write/Delete</strong></em> permissions will not see it.
Instead, the added endpoints are visible in <strong>Settings -&gt; Deployment Info</strong> (under the Account Information) if the user has the <em><strong>Endpoint:Read</strong></em> permission. As with Connections, the <em><strong>Endpoint:Write/Delete</strong></em> permissions are not used here.</p>
<p>One more special feature of Endpoints should be mentioned: endpoints created in a child account are not added to the existing ones but become a new &quot;root&quot; for that account and its descendants. Example: if there are three endpoints (e.g. eth1/eth1/123, eth2/eth2/123, eth3/eth3/123) in the kapua-sys account and one new endpoint is created in kapua-sys&apos;s child account &quot;account0&quot; (e.g. eclipse0/eclipse0/123), the three old ones disappear from account0&apos;s list and only the new one is visible; all child accounts created under account0 also see only the &quot;eclipse0/eclipse0/123&quot; endpoint until new ones are created in their own scope.
If all the endpoints of a child account are deleted, the endpoints of the parent account are shown again, as these are now the nearest &quot;root&quot; endpoints.</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Endpoints in main menu</strong></td>
<td>/ (kapua-sys only)</td>
<td>/</td>
</tr>
<tr>
<td>See Endpoints in Settings</td>
<td>Account:Read Endpoint:Read</td>
<td>No</td>
</tr>
</tbody>
</table>
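<p>The &quot;root&quot; behaviour described above, as an added example that is not part of this guide or of Kapua itself: a small Python model in which each account either defines its own endpoint set or inherits the nearest ancestor&apos;s, so a child&apos;s endpoints replace (rather than extend) the parent&apos;s, and deleting all of them falls back to the parent. The account hierarchy and endpoint values are constructed for the illustration.</p>

```python
"""Model of how Kapua resolves the endpoint list an account sees.

Added example, not Kapua's own code. It reproduces the rule from the
Endpoints section: endpoints created in a child account do not extend
the parent's list but replace it as a new "root" for that account and
its descendants; an account with no endpoints of its own sees the nearest
ancestor's list. Account names and endpoint values are constructed.
"""

# Constructed account hierarchy: child -> parent (the root has no parent).
PARENT = {
    "kapua-sys": None,
    "account0": "kapua-sys",
    "account0-1": "account0",
    "account1": "kapua-sys",
}

# Endpoints defined per account, written in the page's own notation.
ENDPOINTS = {
    "kapua-sys": {"eth1/eth1/123", "eth2/eth2/123", "eth3/eth3/123"},
    "account0": {"eclipse0/eclipse0/123"},
}


def endpoint_root(account, endpoints=ENDPOINTS, parent=PARENT):
    """Return the account whose endpoint set `account` effectively sees:
    itself if it defines at least one endpoint, otherwise the nearest
    ancestor that does. None if no account on the path defines any."""
    current = account
    while current is not None:
        if endpoints.get(current):  # a non-empty set makes this the root
            return current
        current = parent[current]
    return None


def visible_endpoints(account, endpoints=ENDPOINTS, parent=PARENT):
    """Endpoint list shown under Settings -> Deployment Info for `account`."""
    root = endpoint_root(account, endpoints, parent)
    return set() if root is None else set(endpoints[root])


def delete_all_endpoints(account, endpoints):
    """Remove every endpoint of `account`; the account and its descendants
    then fall back to the parent's list, as the page describes."""
    endpoints.pop(account, None)


if __name__ == "__main__":
    for name in PARENT:
        print(name, "->", endpoint_root(name), sorted(visible_endpoints(name)))
    # Deleting account0's endpoints makes kapua-sys the root again for
    # account0 and account0-1.
    eps = {k: set(v) for k, v in ENDPOINTS.items()}
    delete_all_endpoints("account0", eps)
    print(sorted(visible_endpoints("account0-1", eps)))
```

<p>The model makes the caveat explicit: a single endpoint added in a child account hides every parent endpoint for the whole subtree, and the parent&apos;s list only reappears once the child&apos;s own set is empty again.</p>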
<h2 id="settings">Settings</h2>
<p>If a user has <strong>Account</strong> permissions, the <strong>Settings</strong> item is enabled in the main menu, which lets the user see the account&apos;s settings (the so-called &quot;infiniteChildItem&quot; and &quot;MaxNumberChildItem&quot; parameters). This is particularly useful when a user encounters errors while creating, editing or deleting items. Unfortunately these settings cannot be changed here; only the parent user/account can do that.</p>
<p>As stated, the Settings view is governed by the <strong>Account</strong> permissions, so the item is visible if the user has the <em><strong>Account:Read</strong></em> permission. There are no special features in this view; the user needs the <em><strong>Account:Write</strong></em> permission (<em><strong>Forwardable</strong></em> can be left set to False) for the <strong>Edit</strong> button to be enabled.</p>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Needed Permissions</th>
<th>Forwardable</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>See Settings in main menu</strong></td>
<td>Account:Read</td>
<td>No</td>
</tr>
<tr>
<td>Enabled <strong><em>Edit</em></strong> button</td>
<td>Account:Read Account:Write</td>
<td>No</td>
</tr>
</tbody>
</table>
</section>
</div>
<div class="search-results">
<div class="has-results">
<h1 class="search-results-title"><span class='search-results-count'></span> results matching "<span class='search-query'></span>"</h1>
<ul class="search-results-list"></ul>
</div>
<div class="no-results">
<h1 class="search-results-title">No results matching "<span class='search-query'></span>"</h1>
</div>
</div>
</div>
</div>
</div>
</div>
<a href="jwt_security.html" class="navigation navigation-prev " aria-label="Previous page: Setup JWT security">
<i class="fa fa-angle-left"></i>
</a>
<a href="mfa.html" class="navigation navigation-next " aria-label="Next page: Multi Factor Authentication">
<i class="fa fa-angle-right"></i>
</a>
</div>
<script>
var gitbook = gitbook || [];
gitbook.push(function() {
gitbook.page.hasChanged({"page":{"title":"Kapua Permissions","level":"1.6","depth":1,"next":{"title":"Multi Factor Authentication","level":"1.7","depth":1,"path":"mfa.md","ref":"mfa.md","articles":[]},"previous":{"title":"Setup JWT security","level":"1.5","depth":1,"path":"jwt_security.md","ref":"jwt_security.md","articles":[]},"dir":"ltr"},"config":{"plugins":[],"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"pluginsConfig":{"highlight":{},"search":{},"lunr":{"maxIndexSize":1000000,"ignoreSpecialCharacters":false},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"fontsettings":{"theme":"white","family":"sans","size":2},"theme-default":{"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"showLevel":false}},"github":"eclipse/kapua","theme":"default","githubHost":"https://github.com/","pdf":{"pageNumbers":true,"fontSize":12,"fontFamily":"Arial","paperSize":"a4","chapterMark":"pagebreak","pageBreaksBefore":"/","margin":{"right":62,"left":62,"top":56,"bottom":56}},"structure":{"langs":"LANGS.md","readme":"README.md","glossary":"GLOSSARY.md","summary":"SUMMARY.md"},"variables":{},"title":"Eclipse Kapua™ User Guide","links":{"home":"http://eclipse.org/kapua"},"gitbook":"3.x.x","description":"Eclipse Kapua™ User Guide"},"file":{"path":"Permissions.md","mtime":"2020-11-26T08:22:34.020Z","type":"markdown"},"gitbook":{"version":"3.2.2","time":"2020-11-26T08:23:37.956Z"},"basePath":".","book":{"language":""}});
});
</script>
</div>
<script src="gitbook/gitbook.js"></script>
<script src="gitbook/theme.js"></script>
<script src="gitbook/gitbook-plugin-search/search-engine.js"></script>
<script src="gitbook/gitbook-plugin-search/search.js"></script>
<script src="gitbook/gitbook-plugin-lunr/lunr.min.js"></script>
<script src="gitbook/gitbook-plugin-lunr/search-lunr.js"></script>
<script src="gitbook/gitbook-plugin-sharing/buttons.js"></script>
<script src="gitbook/gitbook-plugin-fontsettings/fontsettings.js"></script>
</body>
</html>