Access Control
Ardexa's Access Control system allows fine-grained control over permissions in the Ardexa Cloud. These rules apply in addition to Ardexa's standard set of permissions.
This feature is currently in Early Access. The Access Control workgroup addon must be present in your workgroup for it to apply. Please contact your Ardexa Account Manager for more information.
At present, only Device Commands and Dashboards are managed by the Access Control system. More resources will be added to the Access Control system over time.
Managing Access Control rules requires the Manage Access user permission.
Terminology
The Access Control system makes use of the following concepts:
Principal Type
The type of an entity that can be granted permissions by the Access Control system.
User: An Ardexa cloud user
Role: Roles can be created and assigned to users, granting them all of the access associated with the Roles.
Device Group: Users that are a member of a specific device group
Device Group Users: Users that are a member of any device group
Workgroup-level Users: Users that are not a member of a device group
API token: An Ardexa cloud API token
Specific Device Group API Token: API token for a specific device group
All Device Group API Token: API tokens that are for any device group
Workgroup-level API Token: API tokens that are not in any device group
Principal
Any entity that can be granted permissions by the Access Control system.
Resource Type
A type of entity managed by access control. At present this includes Device Commands and Dashboards.
Resource
A system entity that a Principal can take actions against.
Action
An operation that can be applied by a Principal to a particular Resource. Examples: read, run and manage.
Effect
The desired outcome of a request by a user to perform a given action on a specified Resource. Each request evaluated by the Access Control system will either be Allowed or Denied.
Manage Roles
A common pattern in access control systems is to define Roles, which can be assigned permissions. These Roles can then be assigned to users, granting them all of the permissions associated with the Role.
You can manage access control roles by navigating via the menu to Admin -> Access, then selecting the Role tab within the Access Control tab.
Setting up Access Control Rules
Once Access Control has been enabled in a workgroup, you can view access control rules by navigating via the menu to Admin -> Access, then selecting the Access Control tab.
This page will display a table of Access Control rules that are currently active in the workgroup.

These rules can be modified, and new ones can be added to change how users access Device Commands and other Resources managed by the Access Control system.
Rules affecting a particular Principal and/or Resource are evaluated from least-specific to most-specific (All Workgroup/All Device Group -> Specific Device Group -> Roles -> Specific User), with the Effect from the most-specific rule determining the final outcome.
If a request does not have any relevant rules defined, it will be denied by default.
Example:
Consider the following set of rules:

These will be interpreted as:
All Users in the workgroup are able to view all Device Commands,
All Users in the workgroup who are not a member of a device group can run all Device Commands,
Except for users with role "Viewers", who are unable to run command "ls",
And user "ryantest" is able to "edit" and "delete" command "echo".
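As an added illustration (not Ardexa's own code or API), the following Python models the evaluation order described above on the example rule set: matching rules are ranked from least-specific to most-specific, the most-specific rule's Effect wins, and a request with no relevant rule is denied. The principal type names, the Rule and User structures, and the handling of equally specific rules are assumptions.

```python
from dataclasses import dataclass, field
# Specificity levels from the page: All Workgroup / All Device Group -> Specific Device Group -> Roles -> Specific User
SPECIFICITY = {"all_users": 0, "workgroup_users": 0, "device_group_users": 0,
               "device_group": 1, "role": 2, "user": 3}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    device_groups: set = field(default_factory=set)
@dataclass
class Rule:
    principal_type: str  # a key of SPECIFICITY (assumed names)
    principal: str       # role, device group or user name ("" for the catch-all types)
    action: str
    resource: str        # command name, or "*" for all Device Commands
    effect: str          # "Allow" or "Deny"
def principal_matches(rule: Rule, user: User) -> bool:
    t = rule.principal_type
    if t == "all_users":
        return True
    if t == "workgroup_users":          # users not in any device group
        return not user.device_groups
    if t == "device_group_users":       # users in any device group
        return bool(user.device_groups)
    if t == "device_group":
        return rule.principal in user.device_groups
    if t == "role":
        return rule.principal in user.roles
    return rule.principal == user.name  # "user"

def evaluate(rules, user: User, action: str, resource: str) -> str:
    """Resolve to "Allow" or "Deny": the most specific matching rule wins, default Deny."""
    matching = [r for r in rules if principal_matches(r, user)
                and r.action == action and r.resource in ("*", resource)]
    if not matching:
        return "Deny"  # no relevant rule defined: denied by default
    top = max(SPECIFICITY[r.principal_type] for r in matching)
    decisive = [r for r in matching if SPECIFICITY[r.principal_type] == top]
    # Assumption: among equally specific rules a Deny wins (the page does not cover ties)
    return "Deny" if any(r.effect == "Deny" for r in decisive) else "Allow"
# The page's example rule set, encoded as constructed data
RULES = [
    Rule("all_users", "", "read", "*", "Allow"),
    Rule("workgroup_users", "", "run", "*", "Allow"),
    Rule("role", "Viewers", "run", "ls", "Deny"),
    Rule("user", "ryantest", "edit", "echo", "Allow"),
    Rule("user", "ryantest", "delete", "echo", "Allow"),
]
```

Note that a user who belongs to a device group gets no "run" rule at all from this set, so their run requests fall through to the default Deny.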
Use the "Search" tab to get a summary of access control rules and the resource access they resolve to. Toggle between "Per resource" and "Per principal" views to see the summary from different perspectives.

Note: Enabling the access control addon will deny all resource access by default. To restore the previous behavior (i.e., as if access control were not enabled for the workgroup), you must add basic permissions to the workgroup. For example, grant All Users permission to View, Edit, Delete and Create All dashboards, and similarly grant All Users permission to Read, Run and Manage All device commands.
View Access Control
Users with the manage access permission can view access control rules for a resource in a dialog.
For dashboards, click the Access button in the dropdown menu:

For device commands, click the Access button below each command.

Clicking the arrow icon at the right end of each principal row shows the access control rules applied to this principal for this resource.

Example: Device Commands
By default, predefined Device Commands are very permissive in the Ardexa Cloud. Users with the Control Devices permission can add and modify Device Commands on devices they have access to. These commands can then be executed by any user in the workgroup. While this is suitable for low-risk operations such as controlling a camera connected to a device, users controlling sensitive equipment will want to limit access to approved users only.
To do this, you can set a generic rule to Deny all users requesting to run a Device Command:

Specific users can then be granted access to run, view or manage individual commands:

Selecting the "Create many?" checkbox allows rules to be created for multiple Principals and/or Resources at once.
Users that create a Device Command will be given access to read, run and manage it automatically.