Users and Permissions
Controlling what users can see and do in the Ardexa Web App
Last updated
Access to data stored in the Ardexa Cloud API can be controlled via User Permissions. These are managed via the menu: Admin -> Access -> Users tab
Ardexa users and API tokens can be granted one or more permissions to dictate what functionality they can access on the Ardexa Cloud.
Permissions are set when you [INVITE A NEW USER], or alternatively when you edit an existing user via the [OPTIONS] column at the end of the user's record.
If new users need to be added to the list, an "invite" needs to be sent so they can access your workgroup. Invites can only be sent by Workgroup Owners or users with the Manage access permission.
To invite new users to a workgroup navigate to the menu item: Admin -> Access -> Invites tab
Click on Invite new user.
Note: To invite a new user, you only need their email address.
When invite emails are blocked:
There are rare cases where an invite email is blocked completely. In that case you will need to add support@ardexa.com as a "Safe Sender" in your email client, or check your spam folder for the invite email.
If the User has an existing Ardexa account, the new permissions will be added to their existing account once they accept the invitation. If the User does not have an existing account, they will be asked to create one when they accept the invitation.
New users: after clicking the invitation link received via email, they complete the registration form with their name and password and are redirected to the login page.
After a successful login, all users are required to enable Multi-factor Authentication.
Existing users: after clicking the invitation link received via email, their account is activated for the workgroup they were invited to and they are redirected to the login page.
Users who are currently logged in will be required to log in again.
Users who do not have Multi-factor Authentication set up will be required to enable it.
To view your outstanding invites that have yet to be actioned by the invitee, navigate to: Admin -> Access -> Invites tab
You may also resend invites from this page where the original invite has been lost.
When a user logs in, their browser receives an implicit token which is used to access the Ardexa Cloud for 10 hours. When this token expires, they will have to log in again.
Workgroup access and permissions are set in this token when the user logs in. Therefore, changes to a user's permissions will not take effect until the user logs in again. Keep this in mind when changing a user's permissions:
If you are increasing a user's permissions, they will need to log in again to utilise the new set of permissions
If you are reducing a user's set of permissions, or revoking their access to a workgroup entirely, they may retain their current level of access to the system for up to 10 hours
Workgroup owners previously had the ability to mandate that all users in the workgroup enable MFA on their accounts. This was an opt-in system.
As of May 1, 2024, Multi-factor Authentication is now mandatory for all users in all workgroups in the Ardexa Cloud.
Setting up MFA for an individual is the same process as described in the article here.
Once the user has set up MFA on their account, the MFA column will display a check mark to indicate that MFA is enabled. Otherwise, the user's name will be displayed in red font with a danger warning icon in the MFA column.
At the moment, users are not required to enable MFA when they log onto the Ardexa Cloud for the first time. They will, however, have to enable it on any subsequent login attempts.
As of May 2024, there are a number of user accounts in established workgroups that have not logged in to the Ardexa Cloud since MFA was mandated in the workgroup. These inactive accounts pose a security risk to the workgroup: if an attacker were able to acquire the account's password, they would be able to enrol MFA on a device they owned and gain access to the workgroup.
Two features on the user management page can help workgroup owners with managing these risks:
The last date that each user was active is displayed in the "Last Active" column
Users without MFA enabled will be flagged (see above)
If a user has not enabled MFA, and has not accessed the system for some time, we recommend taking one of the following actions:
Encouraging them to enable MFA on their account
Removing sensitive permissions from their account in the workgroup (e.g. set them to have "Read" only)
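The review described above, as an added example that is not part of the original article or of Ardexa's own tooling: it walks a constructed export of the Users page (MFA flag, Last Active date, permissions) and recommends one of the two actions for each account without MFA. The 90-day inactivity threshold and the set of "sensitive" permissions are assumptions.

```python
from datetime import date

# Constructed sample of the Admin -> Access -> Users page; not real Ardexa data.
SAMPLE_USERS = [
    {"email": "owner@example.com",  "mfa": True,  "last_active": "2024-05-20", "perms": ["Workgroup Owner"]},
    {"email": "ops@example.com",    "mfa": False, "last_active": "2024-01-12", "perms": ["Read", "Control devices"]},
    {"email": "viewer@example.com", "mfa": False, "last_active": "2024-05-18", "perms": ["Read"]},
    {"email": "ghost@example.com",  "mfa": False, "last_active": None,         "perms": ["Read", "Manage access"]},
]

# Permissions worth removing from a dormant, non-MFA account (assumed list,
# drawn from the permissions the article calls powerful or access-granting).
SENSITIVE = {"Workgroup Owner", "Manage devices", "Control devices",
             "Discovery", "Tunnel", "Manage access"}


def review_mfa(users, today_iso, inactive_days=90):
    """Return (email, recommendation) for every user without MFA enabled.

    'remove_sensitive': no MFA, inactive for `inactive_days` or more (or never
                        active since the mandate) and holding a sensitive permission
    'encourage_mfa':    every other account without MFA
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for u in users:
        if u["mfa"]:
            continue  # MFA column shows a check mark; nothing to do
        if u["last_active"] is None:
            stale = True  # never logged in since MFA was mandated
        else:
            idle = (today - date.fromisoformat(u["last_active"])).days
            stale = idle >= inactive_days
        if stale and SENSITIVE & set(u["perms"]):
            findings.append((u["email"], "remove_sensitive"))
        else:
            findings.append((u["email"], "encourage_mfa"))
    return findings


if __name__ == "__main__":
    for email, action in review_mfa(SAMPLE_USERS, "2024-05-21"):
        print(f"{email}: {action}")
```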
User Type / Permission
Actions & Visibility Provided
Workgroup Owner
A Workgroup Owner has access to all functions, including the ability to grant & revoke access to the workgroup. In addition, a workgroup owner is allowed to delete data and create Consumers via the [ADMIN] > [DATA] menu.
There must be at least 1 workgroup owner.
There is no upper limit on the number of workgroup owners.
Any Device Group assignment is revoked if one is set.
Device Group
A user can be a member of one Device Group or none.
A Device Group has to be defined before it can be selected in this list. Define your Device Group by following the article Device Groups.
Users with a Device Group restriction are blocked from the following actions, regardless of their other permissions:
Create device
Update device metadata for any metadata item related to Device Group membership
Modifying Workgroup settings
For Energy Solution subscribers: Uploading meter or budget data
Managing access permissions
Read
This is the basic access to the Ardexa Cloud. It grants the user read-only access to devices, searches & dashboards. This permission is mandatory: if a user does not need it, they should not be given access to the Ardexa Cloud at all.
Manage Searches and Dashboards
This permission allows a user to apply the following actions for saved searches and dashboards created by any user in the workgroup:
create
update
share
delete
NB. A user can only delete dashboards that they have created.
Manage devices
Devices are edge devices that run an Ardexa Agent. These are listed in the [DEVICES] menu.
This permission allows a user to apply the following actions against a device in the current workgroup:
create
update (including renaming)
delete
transfer (to other workgroups).
Control devices
Each device in the [DEVICES] menu has a number of functions associated with it, such as Send Files, Remote Shell, Live Feed etc.
This permission allows a user access from [DEVICES] > <select your device from the LHS list> to each of the device's following menu tabs:
[REMOTE SHELL]
[SEND FILES]
[GET FILES]
[CONFIGURATION]
[NETWORK]
Be careful with this permission. It is very powerful and should only be given to users who require this access AND know how to control an edge device.
Discovery
The [DEVICES] > [DISCOVERY] tab allows a user to run automated or semi-automated commands via the remote shell. These commands discover machines, open ports, etc. on the remote edge device.
This permission allows a user to run these commands without the need to grant them access to the remote shell.
Tunnel
The Ardexa Tunnel allows secure VPN-like access to a remote machine on the edge device network. It is like a secured, audited VPN. This permission allows a user to be given access to the Ardexa Tunnel.
View members
By default, workgroup members cannot see other members of the workgroup. This permission enables users to see the names and email addresses of all other members. This permission is a read-only subset of Manage access.
This is particularly useful for setting up email alerts or viewing audit logs.
Manage access
This permission allows a user to issue invites to the workgroup, grant & remove permissions for other users, and manage API tokens & consumers.
They do not need to be a Workgroup Owner nor a member of any Device Group.
Read audit logs
Grants the ability to read the restricted audit_logs table.
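An added model of the permission rules in the table above and of the 10-hour token caveat described earlier (example code written for this article, not Ardexa's implementation). The permission names come from the table; the action keys, the user record shape and the `hours_since_login` parameter are assumptions.

```python
# Action -> permission that grants it, as listed in the table (action keys are assumed).
ACTION_PERMISSION = {
    "view_device": "Read",
    "create_device": "Manage devices",
    "rename_device": "Manage devices",
    "update_device_group_metadata": "Manage devices",
    "remote_shell": "Control devices",
    "send_files": "Control devices",
    "run_discovery": "Discovery",
    "open_tunnel": "Tunnel",
    "list_members": "View members",
    "invite_user": "Manage access",
    "delete_dashboard": "Manage Searches and Dashboards",
    "read_audit_logs": "Read audit logs",
}

# Actions the table says are blocked for Device Group-restricted users
# regardless of their other permissions.
DEVICE_GROUP_BLOCKED = {"create_device", "update_device_group_metadata", "invite_user"}

TOKEN_LIFETIME_HOURS = 10  # implicit login token lifetime from the article


def is_allowed(user, action, resource_creator=None):
    """user: {'email', 'owner': bool, 'perms': set, 'device_group': str or None}."""
    if user.get("owner"):
        return True  # owners have every function; any Device Group is revoked
    perms = set(user["perms"])
    if "Read" not in perms:
        return False  # Read is mandatory; without it the user has no access
    if user.get("device_group") and action in DEVICE_GROUP_BLOCKED:
        return False  # Device Group restriction overrides other permissions
    if action == "list_members" and "Manage access" in perms:
        return True  # View members is a read-only subset of Manage access
    if ACTION_PERMISSION.get(action) not in perms:
        return False
    if action == "delete_dashboard":
        return resource_creator == user["email"]  # NB: only dashboards they created
    return True


def perms_in_effect(token_perms, stored_perms, hours_since_login):
    """Permissions the cloud honours: the login token's copy until it expires."""
    if hours_since_login < TOKEN_LIFETIME_HOURS:
        return set(token_perms)  # a reduction or revocation is not yet enforced
    return set(stored_perms)  # token expired; the next login picks up the change
```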