Security Overview for the Axeda® Connected Product Management Applications

Access to, and privileges in, the various application pages is controlled by security configurations.

Authentications

The Axeda® Platform retrieves authentications (user accounts and user group accounts) from the configured directory server database to determine which users and user groups have any level of access to the Axeda® Connected Product Management Applications. If an individual is not a member of an Axeda Applications user group in the directory server database, then that person does not have a valid user account and cannot log into the Applications. For more information about setting up users and user groups in the directory server, refer to the installation guide for your Platform.

Application Privileges

Within the Axeda® Administration application, privileges are assigned to specific user groups. These privileges specify what the users in those user groups can do within the applications, including which operations they can perform and which pages or tools they can use or view. For example, the ability to run searches or view the results of searches is controlled by privileges. In addition, the abilities to add rules, edit actions, and execute actions are controlled by privileges.

User Groups - User Group configurations define what information users can "see" and access in the various tools and pages to which they have access. Privileges are just one component of a user group configuration (see View and assign Applications privileges to this user group page). Privileges control the ability to configure and run rules, to configure, run, and view reports, to view and take actions in the Axeda® Service application pages, and so forth. User Group configurations also define the Users whose privileges are set by being members of the user groups. In addition, the User Group configuration can include other user groups and data item groups.

Asset security - User Group configurations can control access to assets by associating the following types of objects with the group: Asset Groups, Regions, Organizations, and Locations. When creating a user group, you are prompted to "enable" or "disable" each of these types of associated objects.

When determining the assets to which users should have access, the Platform looks at the assets associated with enabled objects and ignores assets associated with disabled objects. If none of the associated objects is enabled for a user group, members of that user group cannot access any assets. If one or more associated objects are enabled but no assets are assigned to those objects, then members of the user group cannot access any assets. Any search or report shows only the data for assets, gateways, or models to which the logged-in user has access.

Note: Only users with access to organizations can define locations for those organizations. If a user does not have access to an organization, the Locations module will not show any locations for assignment. The information shown in the Locations module is based on the selected organizations; this module dependency is true only for the Locations module.

Consider the following examples:

To enable users to access assets assigned to the asset groups and regions associated with a user group:

You must enable Asset Groups and Regions for the user group. Enabling both objects means the Platform finds the assets that are common to the asset groups and the regions associated with this user group. Only assets that are assigned to the associated asset groups or regions and that are common to both enabled objects are available to users in this user group.

To enable users to access only those assets assigned to the organizations associated with this user group:

You must enable only Organizations for the user group. Enabling only this object ensures that the Platform will find all assets assigned to the organizations for this user group and make those assets available to the users in this user group.

To prevent users from accessing any asset:

Do not enable any associated objects for the user group; or enable several associated objects but ensure that those objects do not have any assets in common; or enable a single associated object that has no assigned assets.

Additional Security Details

Custom objects can use the Axeda Platform SDK and Groovy scripting to perform various operations. The Axeda Platform uses Java Security to prevent Groovy scripting from accessing the file system of the Platform.

Tips

Configuring a single user in multiple user groups provides one way to handle asset security. Different objects with different sets of associated assets can be assigned to the different user groups. Then, when asset security is configured for the user groups, the user will have access to all assets of all assigned user group objects, rather than to the "common set of assets" found for the assigned objects in a single user group.
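The following is an added model of the asset-security rules described in the examples above and in this tip; it is constructed for illustration and is not Axeda code. It assumes that assets of several associated objects of the same type (for example two asset groups) are pooled before the enabled object types are intersected, and that a user in several user groups receives the union of each group's set.

```python
from dataclasses import dataclass, field

# Constructed sample data: which assets are assigned to each associated
# object (asset group, region, organization, location).
ASSETS_BY_OBJECT = {
    ("asset_group", "pumps"):     {"A1", "A2", "A3"},
    ("region", "emea"):           {"A2", "A3", "A9"},
    ("organization", "acme"):     {"A3", "A7"},
    ("location", "berlin-plant"): set(),  # enabled object with no assets
}

@dataclass
class UserGroup:
    name: str
    enabled: dict                 # object type -> True (enabled) / False
    objects: dict = field(default_factory=dict)  # object type -> names

def assets_for_group(group, assets_by_object=ASSETS_BY_OBJECT):
    """Assets that members of one user group may access.
    Only enabled object types count; the result is the set of assets common
    to all enabled types. No enabled type, or an enabled type with no
    assigned assets, yields an empty set."""
    visible = None
    for obj_type, on in group.enabled.items():
        if not on:
            continue                        # disabled types are ignored
        pooled = set()                      # assumption: pool same-type objects
        for name in group.objects.get(obj_type, []):
            pooled |= assets_by_object.get((obj_type, name), set())
        visible = pooled if visible is None else visible & pooled
    return visible if visible else set()

def assets_for_user(groups):
    """A user in several user groups gets the union of each group's set."""
    result = set()
    for g in groups:
        result |= assets_for_group(g)
    return result

def filter_report(groups, rows):
    """Keep only report rows for assets the logged-in user can access."""
    allowed = assets_for_user(groups)
    return [r for r in rows if r["asset"] in allowed]

# Constructed user groups matching the three examples on this page.
OPS  = UserGroup("ops",  {"asset_group": True, "region": True},
                 {"asset_group": ["pumps"], "region": ["emea"]})
ACME = UserGroup("acme", {"organization": True}, {"organization": ["acme"]})
NONE = UserGroup("none", {"asset_group": False, "region": False})
SITE = UserGroup("site", {"location": True}, {"location": ["berlin-plant"]})
```

Placing one user in both OPS and ACME yields every asset of both groups, whereas a single group enabling asset groups, regions, and organizations together would only yield the assets common to all three.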

Data item groups - Data items defined in data item groups can be "seen" only by users defined in the associated user group(s). Data item groups can provide another level of security for assets. In addition, only data items configured with the "Visible" attribute can be seen in any of the application pages.

For information about security for objects in the Platform when Delegated Administration is disabled, refer to Security for Objects in Axeda® Connected Product Management Applications and for information about security for these objects when Delegated Administration is enabled, refer to Security for Objects in Delegated Administration Units.