i4connected Knowledgebase 5.6

Effective permissions

Abstract

This article describes effective permissions and the algorithm used to determine the actual permissions of a user.

The effective permissions are the actual user permissions calculated for each node. The algorithm for calculating the effective permissions is outlined below:

[Figure: Effective permissions architecture]

These permissions are processed and stored whenever a change occurs in the role assignments, the role permission settings, the hierarchical structure or the user list. Hence:

  • If an area is added or deleted, all sub-areas and devices will be re-evaluated for effective permissions.

  • If a role is added or removed from an area, all sub-areas and devices will be re-evaluated for effective permissions.

The (re)calculation of the effective permissions is performed inside the application server and runs as a dedicated security module. After recalculating a user’s effective permissions, the effective permissions database table will be replaced with the new values for that user.

The effective permissions are calculated separately for each entity and only the relevant permissions are evaluated (Allow or Deny), as follows:

  • Sites and areas share their effective permissions as location-related permissions, as follows:

    [Figure: Site's effective permissions list]

    • View sites and areas - Allows viewing the sites and areas along with the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally will allow the user to view all sites and areas.

    • Manage sites and areas - Allows creating, editing and deleting sites and areas.

    • View devices - Allows viewing the device and the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally will allow the user to view all devices.

    • Manage devices - Allows creating, editing and deleting devices.

    • Read signals - Allows reading the signal value.

    • Write signals - Allows writing to the signal.

  • Organizational units have their own effective permissions (without signal read/write), as follows:

    [Figure: Organizational Unit's effective permissions list]

    • View organizational units - Allows viewing the organizational unit and the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally will allow the user to view all organizational units.

    • Manage organizational units - Allows creating, editing and deleting organizational units.

    • View devices - Allows viewing the device and the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally will allow the user to view all devices.

    • Manage devices - Allows creating, editing and deleting devices.

    • Read signals - Allows reading the signal value.

    • Write signals - Allows writing to the signal.

  • Devices also have the following dedicated effective permissions:

    [Figure: Device's effective permissions list]

    • View devices - Allows viewing the device and the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally will allow the user to view all organizational units.

    • Manage devices - Allows creating, editing and deleting devices.

    • Read signals - Allows reading the signal value.

    • Write signals - Allows writing to the signal.

  • Adapters have the following dedicated effective permissions:

    • View adapters - Allows viewing and selecting adapters when configuring devices.

    • Manage adapters - Allows creating, editing and deleting adapters.

  • Signals have the following dedicated effective permissions:

    [Figure: Signal's effective permissions list]

    • Read signals - Allows reading the signal value.

    • Write signals - Allows writing to the signal.

  • Applications mappings feature the following effective permissions:

    • View applications - Allows viewing applications and assigning them to entities.

    • Manage mappings - Allows creating, editing and deleting applications.
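The re-evaluation scope and the per-entity filtering described on this page, modelled as an added Python example (not i4connected code). The `Node` model, role assignments already resolved to `(user, settings)` pairs, inheritance from ancestor areas and the rule that Deny overrides Allow are assumptions; the hierarchy and the user are constructed sample data.

```python
# Added illustration. Data model, ancestor inheritance and the Deny-wins rule
# are assumptions, not the product's algorithm. Sample data is constructed.
RELEVANT = {  # relevant permissions per entity type, as listed on this page
    "area": {"View sites and areas", "Manage sites and areas", "View devices",
             "Manage devices", "Read signals", "Write signals"},
    "device": {"View devices", "Manage devices", "Read signals", "Write signals"},
}

class Node:
    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent, self.children = name, kind, parent, []
        if parent:
            parent.children.append(self)

def subtree(node):
    """The changed area plus all sub-areas and devices below it."""
    yield node
    for child in node.children:
        yield from subtree(child)

def effective(node, user, assignments):
    """Walk from the node up to the root, keep only permissions relevant to
    the node's entity type, and let Deny override Allow (assumed rule)."""
    result, cur = {}, node
    while cur:
        for role_user, settings in assignments.get(cur.name, []):
            if role_user == user:
                for perm, value in settings.items():
                    relevant = perm in RELEVANT[node.kind]
                    if relevant and (value == "Deny" or result.get(perm) != "Deny"):
                        result[perm] = value
        cur = cur.parent
    return result

def recalculate(changed, user, assignments, table):
    """Re-evaluate only the changed subtree and replace the stored values."""
    touched = list(subtree(changed))
    for n in touched:
        table[(user, n.name)] = effective(n, user, assignments)
    return [n.name for n in touched]

def demo():
    plant = Node("Plant", "area")
    hall, _office = Node("Hall A", "area", plant), Node("Office", "area", plant)
    Node("Pump 1", "device", hall)
    allow = {"View sites and areas": "Allow", "View devices": "Allow", "Read signals": "Allow"}
    assignments, table = {"Plant": [("alice", allow)]}, {}
    recalculate(plant, "alice", assignments, table)  # initial calculation
    assignments["Hall A"] = [("alice", {"Read signals": "Deny", "Write signals": "Allow"})]
    return recalculate(hall, "alice", assignments, table), table  # role added on Hall A
```

Adding the role on Hall A touches only Hall A and Pump 1; the stored row for Office is left as calculated earlier.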