Access Control
Ardexa's Access Control system allows fine-grained control over permissions in the Ardexa Cloud. These rules apply in addition to Ardexa's standard set of permissions.
This feature is currently in Early Access. The Access Control workgroup addon must be present in your workgroup for it to apply. Please contact your Ardexa Account Manager for more information.
At present, only Device Commands are managed by the Access Control system. More resources will be added to the Access Control system over time.
Managing Access Control rules requires the Manage Access user permission.
Terminology
The Access Control system makes use of the following concepts:
Principal
Any entity that can be granted permissions by the Access Control system. At present this includes Ardexa Cloud users, but will be extended to include API tokens.
Resource
A system entity that a Principal can take actions against.
Action
An operation that can be applied by a Principal to a particular Resource. Examples: read, run and manage.
Effect
The desired outcome of a request by a user to perform a given action on a specified Resource. Each request evaluated by the Access Control system will either be Allowed or Denied.
Setting up Access Control Rules
Once Access Control has been enabled in a workgroup, you can view access control rules by navigating via the menu to Admin -> Access, then selecting the Access Control tab.
This page will display a table of Access Control rules that are currently active in the workgroup.
These rules can be modified, and new ones can be added to change how users access Device Commands and other Resources managed by the Access Control system.
Rules affecting a particular Principal and/or Resource are evaluated from least-specific to most-specific, with the Effect from the most-specific rule determining the final outcome.
If a request does not have any relevant rules defined, it will be denied by default.
Example:
Consider the following set of rules:
These will be interpreted as:
All Users in the workgroup are able to run all Device Commands,
Except for "A. User", who is unable to run any,
Except for "emergency_shutdown" on the Test Device
Example: Device Commands
By default, predefined Device Commands are very permissive in the Ardexa Cloud. Users with the Control Devices permission can add and modify Device Commands on devices they have access to. These commands can then be executed by any user in the workgroup. While this is suitable for low-risk operations such as controlling a camera connected to a device, users controlling sensitive equipment will want to limit access to approved users only.
To do this, you can set a generic rule to Deny all users requesting to run a Device Command:
Specific users can then be granted access to run, view or manage individual commands:
Selecting the "Create many?" checkbox allows rules to be created for multiple Principals and/or Resources at once.
Users that create a Device Command will be given access to read, run and manage it automatically.
Last updated