Ardexa's Access Control system allows fine-grained control over permissions in the Ardexa Cloud. These rules apply in addition to Ardexa's standard set of permissions.

Managing Access Control rules requires the Manage Access user permission.

Terminology

The Access Control system makes use of the following concepts:

Principal

Any entity that can be granted permissions by the Access Control system. At present this includes Ardexa Cloud users, but will be extended to include API tokens.

Resource

A system entity that a Principal can take actions against.

Action

An operation that can be applied by a Principal to a particular Resource. Examples: read, run and manage.

Effect

The desired outcome of a request by a user to perform a given action on a specified Resource. Each request evaluated by the Access Control system will either be Allowed or Denied.

Setting up Access Control Rules

Once Access Control has been enabled in a workgroup, you can view access control rules by navigating via the menu to Admin -> Access, then selecting the Access Control tab.

This page will display a table of Access Control rules that are currently active in the workgroup.

These rules can be modified, and new ones can be added to change how users access Device Commands and other Resources managed by the Access Control system.

Rules affecting a particular Principal and/or Resource are evaluated from least-specific to most-specific, with the Effect from the most-specific rule determining the final outcome.

If a request does not have any relevant rules defined, it will be denied by default.

Example:

Consider the following set of rules:

These will be interpreted as:

• All Users in the workgroup are able to run all Device Commands,

• Except for "A. User", who is unable to run any,

• Except for "emergency_shutdown" on the Test Device

Example: Device Commands

By default, predefined Device Commands are very permissive in the Ardexa Cloud. Users with the Control Devices permission can add and modify Device Commands on devices they have access to. These commands can then be executed by any user in the workgroup. While this is suitable for low-risk operations such as controlling a camera connected to a device, users controlling sensitive equipment will want to limit access to approved users only.

To do this, you can set a generic rule to Deny all users requesting to run a Device Command:

Specific users can then be granted access to run, view or manage individual commands:

Selecting the "Create many?" checkbox allows rules to be created for multiple Principals and/or Resources at once.

Users that create a Device Command will be given access to read, run and manage it automatically.