Policies, Roles, and Permissions


A policy is a collection of permissions to the resources in EnOS (such as services, functions, and data). You can assign access policies to a user, a user group, or an application to manage their access to the resources in EnOS. A policy takes effect only when it is assigned to a user, user group, or application. You can assign different policies to a user or a user group based on the granularity of authorization supported by EnOS:

  • EnOS services and tools: support menu-level authorization.

  • Assets and data: support access to all assets within an OU.


The access policies in IAM are classified into two types: built-in policies and custom policies.

Built-in Policies

Built-in policies are pre-defined collections of access policies for typical user roles in EnOS; they cannot be edited or deleted. For example, any user assigned the “Model Administrator” role has the read and write permissions to create, delete, edit, import, export, view, and instantiate the models under the OU.


The following built-in policies are available in EnOS. Each entry lists the role, followed by the permissions it grants.

Administrator
  Owns the permissions to access and manage all the resources in the OU.

EAP Project Staff
  Owns the read, write, and delete permissions for the private model hub, including model deploy and monitor, and read and write permissions for the public model hub and model version in MI Hub.

EAP Customer
  Owns the read permission for both private and public model hubs in MI Hub, including model version, deploy, and monitor.

EAP Admin
  Owns the read, write, and delete permissions for private and public model hubs in MI Hub, including model version, deploy, and monitor.

EAP Developer
  Owns the read, write, and delete permissions for the private model hub, including model version, deploy, and monitor, and read and write permissions for the public model hub in MI Hub.

Resource Manager
  Owns the permissions to allocate and manage computing and storage resources in the OU.

Asset Tree Administrator
  Owns the write and read permissions to create, delete, edit, and view the asset trees in the OU. Users include system admins, asset admins, and asset implementation personnel.

Model Administrator
  Owns the write and read permissions to create, delete, edit, import, export, view, and instantiate the models in the OU. Users include system admins, industry experts responsible for model management, O&M personnel responsible for model deployment, etc.

Device Management Administrator
  Owns the read and write permissions to create, delete, edit, and view device access configurations under the OU. Users include system administrators, asset administrators, asset implementation personnel, etc.

Security Auditor
  Owns the permissions to view all the security settings and audit logs in the OU.

Custom Policies

Custom policies are access policies tailored to the needs of users and service accounts that access EnOS services. For example, a user who only needs to query models may be assigned the “read-only” permission for “Model Management Services”.


EnOS currently supports custom access permissions for the following services. Each entry lists the service name, the resources it covers, and the permissions that can be granted.

Asset
  Resources: Access configurations
  Permissions:
  • Control: Issue commands to assets.
  • Read: Read-only access to asset details.
  • Write: Update asset details and attributes.

Asset Tree Management
  Resources: Asset trees in the EnOS Management Console
  Permissions:
  • Full Access: All permissions required to manage asset trees.
  • Read: Read-only access to asset tree details.

Model Management
  Resources: Models
  Permissions:
  • Full Access: All permissions required to manage models.
  • Read: Read-only access to model details.

Device Management
  Resources: Access configurations
  Permissions:
  • Full Access: All permissions required to manage devices.
  • Read: Read-only access to device details.

Resource Management
  Resources: Resource management in the EnOS Management Console
  Permissions:
  • Full Access: Allocate and manage all permissions for computing resources and storage resources in the OU.

AI Asset Management
  Resources: MI Hub model management in the EnOS Management Console
  Permissions:
  • Read: Read-only access to model details.
  • Write: Update model details.
  • Delete: Delete models.
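The two tables above describe what a policy can grant and how it reaches a principal (directly, or through a user group), but they do not show how an administrator can check what a given assignment actually confers. The following Python model is an added example, not EnOS code or its IAM API: it encodes the custom-permission table from this page, treats the built-in "Model Administrator" role as Full Access on Model Management (an assumption, since the page describes that role in prose), assumes Full Access implies Read on the same service, and uses it to validate a custom policy against the table, resolve the grants a user inherits from a group, and flag the over-privilege the page's own example warns about (a user who only queries models being given the administrator role instead of read-only). All principals, groups and policies in it are constructed for the demonstration.

```python
"""Toy model of EnOS-style IAM policy evaluation (added example, not EnOS code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

FULL_ACCESS = "Full Access"

# Permissions a custom policy may grant per service, copied from the page's
# custom-policy table. validate_policy() rejects anything outside this table.
CUSTOM_PERMISSIONS: Dict[str, Set[str]] = {
    "Asset": {"Control", "Read", "Write"},
    "Asset Tree Management": {FULL_ACCESS, "Read"},
    "Model Management": {FULL_ACCESS, "Read"},
    "Device Management": {FULL_ACCESS, "Read"},
    "Resource Management": {FULL_ACCESS},
    "AI Asset Management": {"Read", "Write", "Delete"},
}


@dataclass(frozen=True)
class Grant:
    service: str
    permission: str


@dataclass
class Policy:
    name: str
    grants: FrozenSet[Grant]
    built_in: bool = False  # built-in policies are fixed; custom ones get validated


@dataclass
class Principal:
    """A user, user group, or application. Users may belong to groups."""
    name: str
    policies: List[Policy] = field(default_factory=list)
    groups: List["Principal"] = field(default_factory=list)


def validate_policy(policy: Policy) -> List[str]:
    """Return the grants in a custom policy that the page's table does not offer."""
    if policy.built_in:
        return []
    return [
        f"{g.service}:{g.permission}"
        for g in policy.grants
        if g.permission not in CUSTOM_PERMISSIONS.get(g.service, set())
    ]


def effective_grants(principal: Principal) -> FrozenSet[Grant]:
    """Union of grants from policies assigned directly and via group membership.
    A policy that exists but is assigned to nobody contributes nothing."""
    grants: Set[Grant] = set()
    for policy in principal.policies:
        grants |= policy.grants
    for group in principal.groups:
        grants |= effective_grants(group)
    return frozenset(grants)


def is_allowed(principal: Principal, service: str, permission: str) -> bool:
    """Assumption: Full Access on a service implies every permission on that service."""
    grants = effective_grants(principal)
    return Grant(service, permission) in grants or Grant(service, FULL_ACCESS) in grants


def excess_grants(principal: Principal, needed: Set[Grant]) -> Set[Grant]:
    """Least-privilege check: grants held beyond what the principal's job needs."""
    return set(effective_grants(principal)) - needed


# Built-in role from the page, modelled as Full Access on Model Management (assumption).
MODEL_ADMIN = Policy("Model Administrator",
                     frozenset({Grant("Model Management", FULL_ACCESS)}), built_in=True)
# Custom read-only policy: the page's example for a user who only queries models.
MODEL_READ_ONLY = Policy("Model Management read-only",
                         frozenset({Grant("Model Management", "Read")}))
# Constructed: a custom policy requesting a permission the Asset service does not offer.
BAD_POLICY = Policy("Asset full", frozenset({Grant("Asset", FULL_ACCESS)}))

NEEDS_ONLY_QUERY = {Grant("Model Management", "Read")}


def demo() -> dict:
    modelers = Principal("modelers", policies=[MODEL_ADMIN])   # constructed user group
    alice = Principal("alice", groups=[modelers])              # inherits via the group
    bob = Principal("bob", policies=[MODEL_READ_ONLY])         # direct custom policy
    carol = Principal("carol")                                 # nothing assigned
    return {
        "alice_can_read": is_allowed(alice, "Model Management", "Read"),
        "alice_excess": excess_grants(alice, NEEDS_ONLY_QUERY),
        "bob_can_read": is_allowed(bob, "Model Management", "Read"),
        "bob_can_write": is_allowed(bob, "Model Management", FULL_ACCESS),
        "bob_excess": excess_grants(bob, NEEDS_ONLY_QUERY),
        "carol_can_read": is_allowed(carol, "Model Management", "Read"),
        "bad_policy_errors": validate_policy(BAD_POLICY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows that alice, who only needs to query models, holds an excess Full Access grant through her group, while bob's custom read-only policy matches his need exactly and cannot write; carol, with no assignment, is denied even though the policies exist, which is the "takes effect only when assigned" rule from the top of the page.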