Configure Access Management
Introduction
This chapter explains what has to be considered when managing users in the Industrial Asset Hub (IAH) app. It will answer the questions:
- What are the prerequisites to manage users?
- How are users and their roles maintained?
- What are Access groups used for?
The following sections provide background on user management and are not required for using IAH Access management. If you only need to know how to use it, skip ahead to "Getting started with IAH Access management".
Authentication and authorization
The user management consists of two different parts in the context of IAH. The first part is authentication and the second part is authorization.
Authentication is about "Who is the person trying to get access to the application?" and "Is this person allowed to access the application at all?". This question is handled by the XF service, and your task is to define the service's answer by adding the respective people via the Xcelerator Admin Console.
Authorization is about "What is a person allowed to do in the application?". This question is handled by the IAH authorization service. Here, your task is to define the permissions of your users by assigning the required roles.
If a user tries to access the application, first the XF service checks if the user is allowed to access the application at all. Only if access is granted, the user is forwarded to the IAH app, where the IAH authorization service checks if the user is allowed to perform the requested action.
Roles and permissions
There are three roles in IAH. The table shows which permission scopes each role has:
Role \ Scope | Basic | Remote connect | Access management | Set Asset Responsible |
---|---|---|---|---|
Operator | + | o | o | o |
Supervisor | + | + | o | o |
Administrator | + | + | / | + |
'+' = has permission
'o' = has no permission
'/' = has permission within the scope of the Access Group related role
Permission scopes
Basic:
- administrate assets and custom properties
- start scans
- create and delete Asset Gateways
- create Access groups
- edit Access groups (only if the user is assigned to the group)
Remote connect:
- create and close remote connections to the web server of an asset
- join a remote session
Access management:
- manage users and roles
- assign and remove users from Access groups
- change the asset responsible of an asset directly
Global roles
Currently, roles are assigned within an Access group. This means that a role is only valid within the Access group it is assigned in. If a role is meant to be independent of an Access group (i.e. a global role), the only option at the moment is to assign it to the user in the default Access group. This is a working agreement until roles can be assigned globally, independent of Access groups.
Server users
To use the APIs in a machine-to-machine interaction, you need a server user. It allows all necessary actions to be performed without human interaction. When a new tenant is set up, a server user with administrator rights in IAH is already pre-configured. This server user is created for you and is automatically used by every onboarded Asset Gateway, but it can also be used by other IAH API consumers. Because it carries administrator rights and is shared by all Asset Gateways, it is crucial to keep the server user's credentials strictly confidential and to hand them only to systems that actually need to call the IAH API.
Getting started with IAH Access management
This chapter is a step-by-step guide to get started with IAH Access management.
To manage users in the Industrial Asset Hub (IAH) app, your users need to be created in the Xcelerator Admin Console first. The Xcelerator Admin Console is the central place to manage users for all applications in the Xcelerator platform. Once they have been added in the Xcelerator Admin Console for use with IAH, they are visible on the IAH Access management page, and administrators can then maintain the users' roles in the IAH app. The roles that can be selected in the Xcelerator Admin Console can be ignored: IAH has its own roles and permissions layer in place.
Add users to the Xcelerator Admin Console
- Go to the Xcelerator Admin Console and log in with your credentials.
- Navigate to 'Products' in the left menu bar, if not already selected.
- Select the Industrial Asset Hub app under the 'Products' column.
- Select the 'Assigned Users' tab.
- Use the 'Assign User' function to add all users you need at the beginning.
- Fill in the required fields and click on 'Assign'.
Maintain users in IAH
The first user who accesses the IAH app automatically receives the administrator role. This happens regardless of whether the application was accessed via the user interface or via the API, so make sure that the intended administrator is the first to access the tenant. Initially, this administrator is the only user who can modify the roles of other users. This can only be changed by elevating additional users to administrators as well.
- Log into the IAH app as first user to become the IAH admin.
- Open the Access management page via the side menu.
- Assign roles to the users as required. This is done by clicking on the role to be changed and selecting the new role.
Note: The last remaining administrator cannot be demoted to a non-administrator role.
Delete a user from IAH
If a user needs to be deleted from IAH, do this in the Xcelerator Admin Console only. IAH synchronizes with the XF service, detects the difference in the authorized users and removes them from IAH as well.
If a user with IAH administrator rights is removed, no other user is assigned the administrator role automatically. If no IAH administrator is left, the next new user who accesses IAH (via the user interface or the API) is assigned the administrator role. To avoid this, elevate a second user to administrator before removing the current one.
Working with Access groups
What are Access groups and what are they used for?
The idea behind Access groups is to model the real-world structure of a factory, where different users work in different areas with different assets.
IAH allows you to define Access groups, which group assets together with dedicated users. A user can be assigned to multiple Access groups. For example, if you have a factory with two production lines, you can create two Access groups, one for each production line. In each Access group you assign the users who are responsible for the production line and the assets which are part of it. Changing the Access group of assigned assets afterwards is only possible if the current user is also a member of that Access group.
All users are assigned to the default Access group, which is created automatically and cannot be deleted. The default Access group holds all assets which are not assigned to a specific Access group: if the Access group property of an asset is not set, the default Access group applies, and deleting the Access group property of an asset moves the asset back to the default Access group.
Enable the Access group column in the Asset list
In the List settings of the Asset list, enable the Access group column to view the Access group entries for each asset.
Creating or selecting an Access group
Access groups can be created or selected in IAH in the following places:
Asset list
- Add Asset Gateway dialog: define a new Access group or enter an existing one
- Add asset dialog: define a new Access group or enter an existing one
- Rename the default Access group or the existing Access group of an asset or Asset Gateway
Inbox
- Scan network dialog: define a new Access group or enter an existing one
Assign users to an Access group
An administrator of the default Access group can see all existing Access groups and assign users to them. A user with the administrator role in a custom Access group can only assign users to that specific group. Once a user is assigned to an Access group, they have the operator role in it, regardless of their role in the default Access group; any higher role must be granted in the new group explicitly. If no users are actively assigned to an Access group, the group has no members. It is the responsibility of administrators to assign users to the appropriate Access groups.
- Click on the default Access group.
- Select the users who should be assigned to the Access group using the checkbox.
- Click on Assign access group and choose the desired Access group entry from the drop down menu.
Remove users from an Access group
An admin user of the default Access group can see all existing Access groups and can remove users from them. Admins of custom Access groups can only remove users from their own group.
- Click on the Access group from where the users should be removed.
- Select via the checkbox the users which should be removed.
- Click on Remove from Access group.
Delete Access groups
The default Access group, which is created automatically, cannot be deleted. All other Access groups are deleted automatically, as described below.
Automatic delete
An Access group will be automatically deleted if there are no assets and users assigned to it.