Security for Objects in Delegated Administration Units

General Rules

For a Platform with Delegated Administration enabled, the security for objects is similar to that for a Platform without Delegated Administration. The main difference is that an additional layer of security is provided for most objects: when objects are created in a Delegated Admin Unit (DA Unit), they are visible only within that unit and within any parent unit of that unit. Certain users can see all objects in the Platform and perform all operations on them, no matter where the objects were created. These users can be a Principal User, who is an Axeda® Connected Product Management Applications administrator who has access to all objects in the Platform, or a non-admin user who belongs to the Root DA Unit (also referred to as the "primary" Platform), and who has the appropriate privileges to the applications and objects.

Within each DA Unit, assets are still assigned to asset groups, users to user groups, and asset groups to user groups to restrict access to assets. In addition, the objects directly related to assets - Organizations, Locations, Contacts, Data Items, and Cases - are controlled by asset group assignments to user groups and by the privileges to perform operations assigned to user groups within each DA Unit or in the "primary" Platform. Access to most other objects within a DA Unit (that is, the abilities to see them and perform operations on them) is restricted by the applications privileges assigned to the user groups within that DA Unit.

Important! DA visibility restrictions and privileges are NOT fully supported for all objects. See Supported Objects for Delegated Administration for more information.

Note: The following objects are visible across DA Units, as long as the DA user groups have the privilege to view them: Asset States, Asset State Groups, Asset Conditions, and Upload Requests. Access to these objects and the ability to perform operations on them is the same as for a Platform without Delegated Administration. To prevent DA users from seeing these objects, make sure that their DA user groups do not have the privileges to view them. For the specific privileges, refer to the topics for each of these objects (follow the links in the Object Specifics section below).

For all objects covered by DA security, when a user from a DA Unit creates an object, the object is flagged as belonging to that unit. When users from a DA Unit search for these objects, the Platform returns only the objects that are accessible to their unit or to a child DA Unit of their unit.

"Primary" Platform users (users who are in the Root DA Unit) do NOT have the same restrictions as users in DA Units. When "primary" Platform users create objects, the objects are generally NOT visible to users who are members of DA Units; to learn about the visibility of each object, refer to the Object Specifics section below. Objects created in the "primary" Platform context are assigned to the Root Delegated Admin Unit.

Certain objects can be associated with or applied to models and assets. These objects include Expression Rules, State Machines, Rule Timers, and Threshold Rules. It is important to note that, for these objects, the association does NOT affect the visibility of the object. For example, if a user in DA Unit 1 creates an expression rule and applies it to model XYZ, that relationship does NOT mean that any user with access to model XYZ can see that expression rule. Only users in DA Unit 1, "primary" Platform users, and users in a parent DA Unit of DA Unit 1 can see the expression rule. In addition, when users in DA Unit 1 are associating objects with models and assets, the list of available models or assets displays only those models or assets that belong to asset groups assigned to their user groups.

Notes: Expression rules configured to run custom objects will run in the context of the Delegated Administrator for the DA Unit in which the rule author is defined. For complete information about running custom objects from expression rules, refer to the topic, Custom Object Overview. For information on how object names are displayed when Delegated Administration is enabled, refer to Names of Objects in DA Units.

Example

To help you understand these concepts, consider an example Platform configured for Delegated Administration. In the Platform are two Delegated Admin Units at the same level ("siblings"), DAU-1 and DAU-2. Asset Group 1 (AG1) is assigned to DAU-1 and Asset Group 2 (AG2) is assigned to DAU-2. The parent Asset Group of AG1 and AG2 is Root. Remember that the visibility of objects depends on who creates the objects, as follows:

o If a Principal user creates an expression rule, other principal users can view the expression rule, according to user group privileges. However, users in DAU-1 and in DAU-2 cannot see this expression rule, regardless of the privileges assigned to their user groups. The processing of the expression rule is NOT affected by its visibility; the rule is processed for those models and assets to which it has been applied.

o If a user in DAU-1 creates an expression rule, users in DAU-1 and any child DA Units of DAU-1 can see the expression rule, as long as they have privileges to view expression rules. In addition, Principal users can view the expression rule. Users in DAU-2 cannot see the expression rule, regardless of the privileges in effect for their respective user groups. Again, the processing of the expression rule is NOT affected by its visibility.

Important!

o If a user in DAU-1 creates an expression rule using the Name, RuleX, users in DAU-2 cannot see this expression rule. If a user in DAU-2 tries to create an expression rule with the exact same name (RuleX), the duplication is allowed because the name of the DA Unit is pre-pended to the name of the expression rule, making the name unique in the Platform. For RuleX created in DAU-1, the name of the rule is DAU-1::RuleX, and for RuleX created in DAU-2, the name is DAU-2::RuleX.

o Access to an Organization depends on access to the asset(s) assigned to that Organization. In addition, an Organization can have many Locations. Every Location is specific to an Organization. In addition, Contacts are associated with a Location and its Organization. While access to an Organization depends directly on access to the asset(s) assigned to the Organization, access to Locations and Contacts depends on access to the Organization.

o If users are allowed to modify information for an asset from the Location module of the Service application or from the Configuration application, it is possible for changes to the organization or location of an asset to change the ability of users to access the asset (organizations and locations can be assigned to user groups, limiting the access of users in a user group to the assets associated with the organizations and/or locations assigned to the user group).

In addition, if dynamic group definitions are enabled, it is possible for changes to the values of Asset Properties from the Asset dashboard to change the Asset Group to which the asset belongs, thereby removing the ability of the users to continue to access the asset.

Platform administrators can prevent inadvertent changes in access to assets because of changes to organizations and locations by preventing users of the Service application from editing this information (controlled by the privilege, Configuration - Asset - Modify). They can also prevent inadvertent changes to the Asset Group to which an asset is assigned because of changes to the Property values by not granting the privilege, Service - Asset Property Value - Modify, to the appropriate User Groups.
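The following Python model is an added illustration of the rules described in General Rules and in the Example above; it is not code from the Axeda Platform. It follows the General Rules statement that an object created in a DA Unit is visible within that unit and its parent units, and that Principal users see everything. The unit names (Root, DAU-1, DAU-2), asset groups (AG1, AG2), model XYZ and the rule name RuleX come from the page's example; the classes, functions and user names (admin, root_user, alice, bob) are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the DA visibility rules described on this page.
# Class, function and user names are assumptions of this illustration.


@dataclass(eq=False)
class DAUnit:
    """A Delegated Admin Unit; the Root unit is the 'primary' Platform."""
    name: str
    parent: Optional["DAUnit"] = None

    def is_ancestor_of(self, other: "DAUnit") -> bool:
        unit = other.parent
        while unit is not None:
            if unit is self:
                return True
            unit = unit.parent
        return False


@dataclass(eq=False)
class User:
    name: str
    unit: DAUnit
    principal: bool = False                              # application administrator
    asset_groups: Set[str] = field(default_factory=set)  # reachable via user groups


@dataclass(eq=False)
class DAObject:
    kind: str
    base_name: str
    unit: DAUnit                                       # unit the object belongs to
    applied_to: Set[str] = field(default_factory=set)  # associated models

    @property
    def qualified_name(self) -> str:
        # The unit name is pre-pended, so DAU-1::RuleX and DAU-2::RuleX coexist.
        return f"{self.unit.name}::{self.base_name}"


def create_object(user: User, kind: str, name: str, registry: List[DAObject]) -> DAObject:
    """Flag the new object as belonging to the creator's unit. A duplicate is
    rejected only within the same unit; other units yield a different qualified name."""
    obj = DAObject(kind, name, user.unit)
    if any(o.qualified_name == obj.qualified_name for o in registry):
        raise ValueError(f"{obj.qualified_name} already exists")
    registry.append(obj)
    return obj


def can_see(user: User, obj: DAObject) -> bool:
    """Principal users see every object. Other users see objects created in
    their own unit or in a child unit of it, so Root-unit users see all and
    sibling units see none of each other's objects. The models an object is
    applied to play no part in this decision."""
    if user.principal:
        return True
    return obj.unit is user.unit or user.unit.is_ancestor_of(obj.unit)


def visible_names(user: User, registry: List[DAObject]) -> List[str]:
    return sorted(o.qualified_name for o in registry if can_see(user, o))


def selectable_models(user: User, models: Dict[str, str]) -> List[str]:
    """When a DA user associates a rule with models, only models in asset
    groups assigned to that user's user groups are offered."""
    return sorted(m for m, group in models.items() if group in user.asset_groups)


def run_example() -> dict:
    root = DAUnit("Root")
    dau1 = DAUnit("DAU-1", parent=root)
    dau2 = DAUnit("DAU-2", parent=root)

    admin = User("admin", root, principal=True)
    root_user = User("root_user", root)          # non-admin user in the Root unit
    alice = User("alice", dau1, asset_groups={"AG1"})
    bob = User("bob", dau2, asset_groups={"AG2"})
    models = {"XYZ": "AG1", "ModelB": "AG2"}     # constructed model -> asset group map

    registry: List[DAObject] = []
    create_object(admin, "ExpressionRule", "RootRule", registry)
    rule1 = create_object(alice, "ExpressionRule", "RuleX", registry)
    rule2 = create_object(bob, "ExpressionRule", "RuleX", registry)  # allowed
    rule1.applied_to.add("XYZ")                  # association, not visibility

    try:
        create_object(alice, "ExpressionRule", "RuleX", registry)
        duplicate_in_unit_rejected = False
    except ValueError:
        duplicate_in_unit_rejected = True

    return {
        "qualified_names": [rule1.qualified_name, rule2.qualified_name],
        "admin_sees": visible_names(admin, registry),
        "root_user_sees": visible_names(root_user, registry),
        "alice_sees": visible_names(alice, registry),
        "bob_sees": visible_names(bob, registry),
        "bob_sees_rule_applied_to_xyz": can_see(bob, rule1),
        "alice_model_choices": selectable_models(alice, models),
        "duplicate_in_unit_rejected": duplicate_in_unit_rejected,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Running the script prints the visibility matrix for the example: both Root-unit users see all three rules, each DA user sees only the rule created in their own unit, and bob cannot see DAU-1::RuleX even though it is applied to model XYZ. The model reflects the page's own point that visibility is decided by the creating unit, not by the models or assets the rule is associated with.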

Object Specifics

Each of the following links for an object displays a table that shows the different types of users in a Platform with Delegated Administration enabled and the access that these users have to the object; the objects are shown in alphabetical order:

o Actions

o Asset Conditions

o Asset State and Asset State Groups

o Cases

o Contacts

o Custom Applications

o Custom Components (Software Management application)

o Custom Objects

o Data Items and Data Item Groups

o Dynamic Group Definitions

o Expression Rules

o Extended Objects

o Geofences

o Locations

o Maintenance Items

o Notifications

o Organizations

o Regions

o Rule Timers

o Rules

o Scripts

o Software Management Deployments

o Software Management Packages

o State Machines

o Systems

o Threshold Rules

o Upload Requests (Software Management application)

o Usage Items