Policies, Roles, and Permissions¶
A policy is a collection of permissions to the resources in EnOS (such as services, functions, and data). You can assign the access policies to a user, a user group, or a service account to manage their access to the resources in EnOS. A policy takes effect only when assigned to a user, user group, or service account. You can assign different policies to a user, user group or service account based on the granularity of authorization supported by EnOS.
- EnOS services and tools: support menu-level authorization.
- Assets and data: support access to all assets within an OU.
The access policies in IAM are classified into two types: built-in policies and custom policies.
Built-in Policies¶
Built-in policies, which cannot be edited or deleted, refer to a collection of the access policies that are pre-defined for typical user roles in EnOS. For example, any user that is assigned with the “Model Administrator” role owns the write and read permissions to create, delete, edit, import, export, view, and instantiate the models under the OU.
The following built-in policies are available in EnOS.
| Role | Permissions |
|---|---|
| Administrator | Owns the permissions to access and manage all the resources in the OU. |
| Application Registration Administrator | Owns the full functional permissions to the app registration page and API. |
| DPS Administrator | Owns the full permissions for all configurations of devices in the cloud in the OU, including device group management, registration group management, device assignment and reassignment, and the corresponding APIs for device onboarding experts. |
| DPS Manufacturer | Owns the partial permissions for manufacturing, onboarding capability, and verification configurations in the OU, including device group management, registration group management, device allocation, and the corresponding APIs for manufacturers. |
| Asset Administrator | Owns the write and read permissions for device asset data in the OU. |
| Asset Tree Administrator | Owns the write and read permissions to create, delete, edit, and view the asset trees and manage the asset nodes in the asset tree in the OU. |
| Model Administrator | Owns the write and read permissions to create, delete, edit, import, export, and view the models in the OU. |
| Device Management Administrator | Owns the read and write permissions to create, delete, edit, and view the devices in the OU and all the necessary permissions to manage products, firmware, and device certificates. |
| Model Read-Only | Owns the permissions to export and view models in the OU. |
| Device Management Read-Only | Owns the permissions to view the devices, products, firmware, and device certificates in the OU. |
| Security Auditor | Owns the permissions to view all the security settings and audit logs in the OU. |
| Metering Administrator | Owns the permissions to view the metering information for all resources in the OU. |
| Resource Manager | Owns the permissions to allocate and manage computing and storage resources in the OU. |
Custom Policies¶
Custom policies refer to the access polices customized as per the needs of users and service accounts for accessing EnOS services. For example, a user that only needs to query the models may be assigned with the “read-only” permission for “Model”.
EnOS now supports custom access permissions to the following services.
- Asset
- Asset Tree
- Model
- Device Management Service
- Resource Management
- Product
- Certificate
- Firmware
For more information, see Service Permissions.