Users and Permissions

Controlling what users can see and do in the Ardexa Web App

Workgroup Users and Permissions
Access to data stored in the Ardexa's Cloud API can be controlled via User Permissions.  This can be managed via the menu: Admin -> Access -> Users tab
Ardexa users and API tokens can be granted one or more permissions to dictate what functionality they can access on the Ardexa Cloud.  
Setting Permissions
Permissions are set when you [INVITE A NEW USER] or alternatively you edit an existing user via the [OPTIONS] button at the end of the user's record.
Available Permissions
Permission Types Explained:
User Type / Permission
Actions & Visibility Provided
Workgroup Owner
A Workgroup Owner has access to all functions, including the ability to grant & revoke access to the workgroup. In addition, a workgroup owner is allowed to delete data and create Consumers via the[ADMIN] > [DATA] menu. 
There must be at least 1 workgroup owner. 
There is no upper limit on the number of workgroup owners. 
Device Group
A user can be a member of one-or-none Device Groups.
A Device Group has to be first defined before it can be selected in this list.   Define your Device Group following the article Device Groups.
​
Users with a Device Group restriction are  blocked from the following actions, regardless of their other permissions:
Create device
Update device metadata for any metadata item related to Device Group membership
Modifying Workgroup settings
For Energy Solution subscribers: Uploading meter or budget data
Read
This is the basic access to the Ardexa cloud.  This grants the user read-only access to devices, searches & dashboards. 

This permission is mandatory. If a user does not need this permission, they should not be given access to the Ardexa cloud.
Manage Searches and Dashboards
This permission allows a user to apply the following actions for saved searches and dashboards created by any user in the workgroup: 
create 
update
share
delete 
NB. A user can only delete dashboards that they have created.
Manage devices
Devices are edge devices that run an Ardexa Agent. These are listed in the [DEVICES] menu. 

This permission allows a user to apply the following actions against a device in the current workgroup: 
create
update
including renaming
delete
transfer (to other workgroups).
Control devices
Each device in the [DEVICES] menu has a number of functions associated with them. Things like Send Files, Remote Shell, Live Feed etc. 

This permission allows a user access from:
[DEVICES] > <select your device from the LHS list> 
​
then to each of the device's following menu tabs:
[REMOTE SHELL]
[SEND FILES]
[GET FILES]
[CONFIGURATION]
[NETWORK]
Be careful with this permission. It is a very powerful and should only be given to users who require this access AND know how to control an edge device.
Discovery
The section [DEVICES] >[DISCOVERY]tab allows a user to undertake automated or semi-automated commands via the remote shell. These commands allow the discovery of machines, open ports, etc on the remote edge device. 
​
This permission allows a user to run these commands without the need to grant them access to the remote shell.
Tunnel
The Ardexa Tunnel allows secure VPN-like access to a remote machine on the edge device network. It is like a secured, audited VPN. 

This permission allows a user to be given access to the Ardexa Tunnel.
View members
By default, workgroup members cannot see other members of the workgroup. This permissions enables users to access the name and emails addresses of all other members. This permission is a read-only subset of Manage access
​
This is particularly useful for setting up email alerts or viewing audit logs.
Manage access
This permission allows a user to issue invites to the workgroup and remove & grant permissions to other users, manage API tokens & consumers. 
​
They do not need to be a Workgroup Owner.
Read audit logs
Grant the ability to read the restricted audit_logs table.
Adding new Members to Workgroups
Invites
If new users need to be added the list, then an "invite" needs to be sent so they can access your workgroup. Invites can only be performed by Workgroup Owners or users with the Manage access permission. 
To invite new users to a workgroup navigate to the menu item: Admin -> Access -> Invites tab
Click on Invite new user. 
Note: To invite a new user, you only need their email address.
When invite emails are blocked:
There are rare cases where an invite email has been blocked completely. In which case you will need to add [email protected] as a "Safe Sender" in your email client, or check your spam folder for the invite email.
If the User has an existing Ardexa account, the new permissions will be added to their existing account once they accept the invitation. If the User does not have an existing account, they will be asked to create one when they accept the invitation. 
Outstanding / Inactioned Invites
To view your outstanding invites that have yet to be actioned by the invitee, navigate to: Admin -> Access -> Invites tab
You may also resend invites from this page where the original invite has been lost.
User sessions
When a user logs in, their browser receives an implicit token which is used to access the Ardexa Cloud for 10 hours.  When this token expires, they will have to log in again.
Workgroup access and permissions are set in this token when the user logs in.  Therefore, changes to a user's permissions will not take effect until the user logs in again.  Keep this in mind when changing a user's permissions:
1.If you are increasing a user's permissions, they will need to log in again to utilise the new set of permissions
2.If you are reducing a user's set of permissions, or revoking their access to a workgroup entirely, they may retain their current level of access to the system for up to 10 hours
Mandatory Workgroup Multi-Factor Authentication (MFA)
Workgroup owners have the ability to mandate all users in the workgroup enable MFA on their accounts.
ADMIN > USERS
The USERS view will now report the status of MFA for the workgroup. Where MFA is not enabled workgroup-wide the following banner will appear:
To set mandatory MFA for all workgroup users simply click on the [ENABLE MANDATORY MFA] button. Confirming the dialog will:
Force all workgroup users to set up MFA on their next login.
Send an email advising of the new requirement to each user.
WARNING: 
Setting MFA on a workgroup is not easily reversible.
When MFA is enabled for a user it will apply to all their workgroups. 
Why? Because MFA applies at user's login, not when they move within workgroups once they are logged into the application. 
​
Once MFA is enabled the banner will report the status as follows:
NB: Once workgroup mandatory MFA is enabled:
A user cannot disable MFA for their account. 
They can continue to reset their MFA by going through the standard [DISABLE] steps within their profile page, which is a  necessary requirement. However, at their next login they will be presented with the same step-through wizard to set up MFA.
​
Set Up MFA (2FA)
Setting up MFA for an individual is the same process as described in the article here.
The pre-requisites are:
A smart phone at hand
Either the Google Authenticator or Microsoft Authenticator installed on the smart phone.
​

Ardexa Cloud - Previous

Data Access

Device Groups

Last modified 4mo ago

User Type / Permission	Actions & Visibility Provided
Workgroup Owner	A `Workgroup Owner` has access to all functions, including the ability to grant & revoke access to the workgroup. In addition, a workgroup owner is allowed to delete data and create Consumers via the`[ADMIN]` > `[DATA]` menu. There must be at least 1 workgroup owner. There is no upper limit on the number of workgroup owners.
Device Group	A user can be a member of one-or-none Device Groups. A Device Group has to be first defined before it can be selected in this list. Define your Device Group following the article *Device Groups. Users with a Device Group restriction are blocked from the following actions*, regardless of their other permissions: Create device Update device metadata for any metadata item related to Device Group membership Modifying Workgroup settings For Energy Solution subscribers: Uploading meter or budget data
Read	This is the basic access to the Ardexa cloud. This grants the user read-only access to devices, searches & dashboards. This permission is mandatory. If a user does not need this permission, they should not be given access to the Ardexa cloud.
Manage Searches and Dashboards	This permission allows a user to apply the following actions for saved searches and dashboards created by any user in the workgroup: create update share delete NB. A user can only delete dashboards that they have created.
Manage devices	Devices are edge devices that run an Ardexa Agent. These are listed in the `[DEVICES]` menu. This permission allows a user to apply the following actions against a device in the current workgroup: create update including renaming delete transfer (to other workgroups).
Control devices	Each device in the `[DEVICES]` menu has a number of functions associated with them. Things like `Send Files`, `Remote Shell`, `Live Feed` etc. This permission allows a user access from: `[DEVICES]` > `<select your device from the LHS list>` then to each of the device's following menu tabs: `[REMOTE SHELL]` `[SEND FILES]` `[GET FILES]` `[CONFIGURATION]` `[NETWORK]` Be careful with this permission. It is a very powerful and should only be given to users who require this access AND know how to control an edge device.
Discovery	The section `[DEVICES]` >`[DISCOVERY]`tab allows a user to undertake automated or semi-automated commands via the remote shell. These commands allow the discovery of machines, open ports, etc on the remote edge device. This permission allows a user to run these commands without the need to grant them access to the remote shell.
Tunnel	The Ardexa Tunnel allows secure VPN-like access to a remote machine on the edge device network. It is like a secured, audited VPN. This permission allows a user to be given access to the Ardexa Tunnel.
View members	By default, workgroup members cannot see other members of the workgroup. This permissions enables users to access the name and emails addresses of all other members. This permission is a read-only subset of `Manage access` This is particularly useful for setting up email alerts or viewing audit logs.
Manage access	This permission allows a user to issue invites to the workgroup and remove & grant permissions to other users, manage API tokens & consumers. They do not need to be a Workgroup Owner.
Read audit logs	Grant the ability to read the restricted `audit_logs` table.