
Managing Roles

Entgra IoTS ships with a set of default roles. If required, tenant administrators can also create customized roles. Tenant administrators use roles to manage users and their devices, while end users who have been granted device operation permissions can manage their own devices via the Entgra IoTS Console. Administrators can create roles, assign them to a user or a group of users, and edit or delete existing roles.

Adding a Role and Assigning Permissions

Follow the instructions below to add a role:

  1. Sign in to the Entgra IoT Server console. If you want to try out Entgra IoT Server as an administrator, use admin as the username and the password.

  2. Click Create + in the top right corner.

  3. Select Role.

  4. Provide the required details and click Add.

  5. Define the permissions that need to be associated with the role you created by selecting the permissions from the permission tree.

  6. Click Assign.

Removing a Role

  1. Go to the Roles tab in the navigation bar.

  2. Go to the Actions section of the role you want to remove.

  3. Click Remove Role.


Searching for Roles

  1. Click on the Search Roles bar on top of the roles table.

  2. Add the search tags and then click Search.

Updating Roles

  1. Go to the Actions section of the role you want to edit.

  2. Click Edit Role.

  3. Edit the required fields and click Update.

Updating Role Permissions

  1. Go to the Actions section of the role whose permissions you want to update.

  2. Click the Edit Permissions button.

  3. Add the required permissions and click Assign.

Configuring Role Permissions

This section explains how to define a permission for an API and lists the default permissions associated with the APIs.

Defining Permissions for APIs

If you wish to create an additional permission, follow the steps given below:

  1. Navigate to the JAX-RS web application in your device type's API folder. For more information, see the permission XML file of the virtual fire-alarm.

  2. Define the new permission using the @Permission annotation. The scope defines who the API is limited to, and permissions lists the permission associated with the API. Example: @Permission(scope = "virtual_firealarm_user", permissions = {"/permission/admin/device-mgt/user/operations"})

  3. Restart Entgra IoT Server and you will see the new permission created in the permission tree.

Now only users who have this specific permission assigned to them will be able to control the buzzer of the fire-alarm.
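To check which roles can actually reach that API permission, the following added example (not part of the Entgra documentation or code base) audits a role-to-permission mapping. It assumes, based on the permission-tree behaviour described under Updating Role Permissions, that a grant on a parent node covers every node beneath it; the role export format and every role name except admin are constructed for illustration.

```python
# Added example: least-privilege audit over a constructed role export.
API_PERMISSION = "/permission/admin/device-mgt/user/operations"  # from the @Permission example

# Constructed sample data: role name -> permission-tree nodes ticked for that role.
# All role names other than "admin" are hypothetical.
ROLE_GRANTS = {
    "admin": ["/permission/admin"],
    "firealarm-operator": ["/permission/admin/device-mgt/user/operations"],
    "group-viewer": ["/permission/admin/device-mgt/admin/groups/list"],
    "helpdesk": ["/permission/admin/device-mgt/user"],
    "typo-role": ["/permission/admin/device-mgt/user/operation"],
}


def normalize(path):
    """Collapse repeated or trailing slashes so comparisons are segment-exact."""
    return "/" + "/".join(seg for seg in path.split("/") if seg)


def covers(granted, required):
    """True if `granted` is `required` itself or one of its ancestors in the tree."""
    g, r = normalize(granted).split("/"), normalize(required).split("/")
    # Compare whole segments: a plain string prefix test would wrongly let
    # ".../operation" match ".../operations".
    return len(g) <= len(r) and r[:len(g)] == g


def audit(role_grants, required):
    """Return {role: (node, kind)} for every role that can reach `required`.

    kind is "exact" when the role holds the permission itself, or
    "inherited" when access comes from a broader parent node.
    """
    findings = {}
    for role, nodes in role_grants.items():
        hits = [n for n in nodes if covers(n, required)]
        if hits:
            # Report the broadest node, since it determines the role's real reach.
            node = min(hits, key=lambda n: len(normalize(n).split("/")))
            kind = "exact" if normalize(node) == normalize(required) else "inherited"
            findings[role] = (normalize(node), kind)
    return findings


if __name__ == "__main__":
    for role, (node, kind) in sorted(audit(ROLE_GRANTS, API_PERMISSION).items()):
        print(f"{role:20} {kind:10} via {node}")
```

Roles reported as "inherited" are the ones to review first, because they reach the API through a broader node than the permission the annotation names.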

Permission APIs

Let’s take a look at the default permissions associated with the APIs.

Permissions related to the Entgra IoTS Administrator (admin)

| Permission | Description |
| --- | --- |
| device-mgt/admin/dashboard | Permission to access the WSO2 IoT Server analytics dashboard. |
| device-mgt/admin/devices | Permission to access the APIs related to devices. |
| device-mgt/admin/devices/list | Permission to access the get all devices API. |
| device-mgt/admin/devices/view | Permission to access and retrieve device information from the APIs. |
| device-mgt/admin/groups | Permission to access the APIs related to groups. |
| device-mgt/admin/device-mgt/admin/groups/list | Permission to access the get all groups API. |
| device-mgt/admin/groups/roles | Permission to access the API that gets all the roles added to a group. |
| device-mgt/admin/groups/roles/permission | Permission to access the API that gets all the permissions associated with the roles that can access groups. |
| device-mgt/admin/groups/roles/add | Permission to access the API that enables a role to be added to a group. |
| device-mgt/admin/groups/roles/delete | Permission to access the API that enables a role to be deleted from a group. |
| device-mgt/admin/information/get | Permission to access the get all information API. |
| device-mgt/admin/notifications | Permission to access the APIs related to notifications. |

Default Roles and Permissions

By default, Entgra IoTS includes a set of roles. These default roles and their permissions are explained in the following subsections.

Default User Roles

The following roles are available by default in Entgra IoTS:

i. admin

ii. internal-devicemgt-user

iii. internal-appmgt-user

i. admin - If you are defining the permissions for an IoTS administrator who needs to perform operations and configure policies, make sure to select admin. The admin permission allows the user to perform operations and configure policies for devices.

If you wish to create a user with administrative permission other than the default administrator in Entgra IoTS, follow the steps given below:

a. Add a new role.

b. Configure role permissions by specifically selecting the admin permission.

ii. internal-devicemgt-user - This is a system reserved role with the minimum set of permissions to carry out operations. When a user creates an account before accessing the device management console, the user is assigned the internal-device-mgt role by default.

iii. internal-appmgt-user - This role has the minimum set of permissions to carry out application management on the device.

Permissions Associated with User Roles

Removing a Role

Follow the instructions below to remove a role:

  1. Sign in to the IoTS device management console and click the menu icon.
  2. Click User Management.
  3. Click Role.
  4. Click Remove on the role you wish to remove.
  5. Click Remove to confirm that you want to remove the role.

Searching, Filtering and Sorting Roles

Searching for Roles

Follow the instructions given below to search for roles:

  1. Sign in to the IoTS device management console and click the menu icon.
  2. Click User Management.
  3. Click Role.
  4. Search for roles using the search bar.

Filtering Roles

Follow the instructions below to filter roles:

  1. Sign in to the IoTS device management console and click the menu icon.
  2. Click User Management.
  3. Click Role.
  4. Filter the roles by the role name.

Updating a Role

Follow the instructions below to update a role:

  1. Sign in to the IoTS device management console and click the menu icon.
  2. Click User Management.
  3. Click Role.
  4. Click Edit on the role you wish to update.
  5. Update the required field and click Update Role.

Domain: Provide the user store type from the list of items.

Role Name: Provide the role name.

Updating Role Permissions

Follow the instructions below to configure the role permissions:

  1. Sign in to the IoTS device management console and click the menu icon.
  2. Click User Management.
  3. Click Role.
  4. Click Edit Permissions on the role you wish to configure.
  5. Select or remove the permissions as required. The levels of authority for granting permissions are illustrated in the table below. As the permissions are categorized, when the main permission category is selected, all its sub-permissions will get selected automatically.
  6. Select the appropriate permission levels and click Update Role Permissions.

Authority Levels for Granting Permission