Policies, Roles and Permissions¶
A policy is a collection of permissions to the resources in EnOS (such as services, functions, and data). You can assign the access policies to a user, a user group, or an application to manage their access to the resources in EnOS. A policy takes effect only when assigned to a user, user group, or application. You can assign different policies to a user or a user group based on the granularity of authorization supported by EnOS.
- EnOS services and tools: support menu-level authorization.
- Assets and data: support access to all assets within an OU.
The access policies in IAM are classified into two types: built-in policies and custom policies.
Built-in Policies¶
Built-in policies, which cannot be edited or deleted, refer to a collection of the access policies that are pre-defined for typical user roles in the EnOS. For example, any user that is assigned with the “Model Administrator” role owns the write and read permissions to create, delete, edit, import, export, view, and instantiate the models under the OU.
The following built-in policies are available in EnOS.
| Role | Permissions |
|---|---|
| Administrator | Owns the permissions to access and manage all the resources in the OU. |
| Security Auditor | Owns the permissions to view all the security settings and audit logs in the OU. |
| Model Administrator | Owns the write and read permissions to create, delete, edit, import, export, view, and instantiate the models in the OU. Users include system admins, industry experts responsible for model management, O&M personnel responsible for model deployment, etc. |
| Model User | Owns the read-only permission to view, export, and instantiate the models in the OU. Users include average users and implementation personnel. |
| Asset Tree Administrator | Owns the write and read permissions to create, delete, edit, and view the asset trees in the OU. Users include system admins, asset admins, and asset implementation personnel. |
| Asset Tree User | Owns the read-only permission to view the asset trees in the OU. Users include average users and application developers. |
| Connectivity Provisioning Administrator | Owns the write and read permissions to create, delete, edit, and view the connectivity configurations in the OU. Users include system admins, asset admins and asset implementation personnel. |
| Connectivity Provisioning User | Owns the read-only permission to view the connectivity configurations in the OU. Users include average users and application developers. |
Custom Policies¶
Custom policies refer to the access polices customized as per the needs of users and service accounts for accessing EnOS services. For example, a user that only needs to query the models may be assigned with the “read-only” permission for “Model Management Services”.
EnOS now supports the custom access permissions to the following services.
| Service | Resources | Permission |
|---|---|---|
| Connectivity Provisioning Management | Connectivity configurations |
|
| Asset Tree Management (Console) | Asset trees in the EnOS Management Console |
|
| Model Management | Models |
|
| Asset Tree Data Services (Device Data) | Data of the devices under an asset tree |
|
Note
- Full Access: write and read permissions to create, delete, edit, and view the objects.
- Read Only: read-only permissions to only view the objects.
- Permissions to asset tree data include the following:
- Read: read-only access to assets.
- Control: permission to send commands to assets.
- Write: permission to edit device attributes.