Using role-based access control

Roles are sets of permissions that you can use to grant or restrict access to specific operations. You can use roles to manage permissions for groups of users, applications, and gateways for the IoT tool.

User roles

You can assign user roles when you add, invite, or register a user in the IoT tool. You can also assign or change user roles at any time by using the IoT tool user interface. For more information about assigning a role to a user, see User roles.

The following standard user roles are available:

User role     | Description
Administrator | A 'super-user' role that grants access to all user-related APIs. Administrators cannot access operations that are restricted to devices and applications.
Operator      | Intended for front-end organization users. Grants access to most organization operations, access control operations, third-party operations, and risk management operations.
Developer     | Grants unrestricted access to device operations, log operations, cache operations, historian operations, and third-party service operations. The role provides only limited access to organization, access control, and risk management operations.
Reader        | The default user role. Grants limited access to operations that are available to all users.

For more information about the user roles, see User roles.

Application roles

You can assign application roles to grant or deny your applications access to specific operations. All application roles deny access to the following operations:

  • All risk management operations
  • Configure storage parameters
  • Configure authentication providers
  • Create, update, or delete email configuration

The following standard application roles are available:

Application role | Description
Standard         | The default application role. Grants access to most application operations but to no user or role operations.
Operations       | Grants access to the broadest range of operations, but denies access to subscribe or publish operations.
Backend Trusted  | Intended for applications that do not require interaction from the systems operator. Denies access to device management, organization, role, or extension operations.
Data Processor   | Intended for applications that perform analytics and data processing. Data processor applications are granted limited access to organization operations and user operations.
Visualization    | Intended for applications that are responsible for generating visualizations of data. Visualization applications have access to live and stored data operations and dashboard operations.
Device           | Intended for applications that take the role of devices; that is, they provide a source of data that is sent to the IoT tool as though it came from a device. Device applications are granted only limited access to operations.

For more information about the operations access of application roles, see Application roles.

Gateway roles

Gateways have a limited number of roles that govern the definition of the gateway and the ability to register devices to the IoT tool.

The following standard gateway roles are available:

Gateway role | Description
Standard     | Grants restricted access to operations. Standard gateways are limited to acting on behalf of devices that are contained within the gateway's assigned resource group.
Privileged   | The default gateway role. Intended for trusted gateways; allows the gateway to add devices to the IoT tool. Grants access to the operations needed to add, update, and manage devices and device properties, but to no other operations.

For more information about the operations access of gateway roles, see Gateway roles.
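As an added illustration that is not part of this documentation or the IoT tool's own code, the following Python models how the rules in the application and gateway sections combine: the blanket denies that apply to every application role override any grant, and a Standard gateway is scoped to devices in its own resource group. The operation names and per-role grant sets are constructed placeholders, not the IoT tool's real operation catalogue.

```python
from dataclasses import dataclass
from typing import Optional

# Operations every application role denies, whatever the role grants (from the page).
APP_GLOBAL_DENY = frozenset({
    "risk.manage", "storage.configure", "auth_provider.configure", "email_config.manage",
})

# Constructed placeholder grants per principal type and role; the real operation
# names and grant sets are not given on this page. Wildcards like "user.*" match a prefix.
GRANTS = {
    "user": {
        "Administrator": frozenset({"user.*"}),            # all user-related APIs only
        "Reader": frozenset({"org.read"}),
    },
    "application": {
        # "risk.manage" is listed deliberately to show the blanket deny winning.
        "Standard": frozenset({"device.read", "data.publish", "risk.manage"}),
        "Data Processor": frozenset({"data.read", "org.read", "user.read"}),
    },
    "gateway": {
        "Standard": frozenset({"device.act_for"}),
        "Privileged": frozenset({"device.act_for", "device.add", "device.update"}),
    },
}

@dataclass(frozen=True)
class Principal:
    kind: str                              # "user", "application" or "gateway"
    role: str
    resource_group: Optional[str] = None   # gateways only

def _granted(perms: frozenset, op: str) -> bool:
    return op in perms or any(p.endswith(".*") and op.startswith(p[:-1]) for p in perms)

def is_allowed(principal: Principal, op: str, device_group: Optional[str] = None) -> bool:
    """Decide whether `principal` may perform `op` (on a device in `device_group`).
    The application deny list is checked before any grant, so no application role can
    be configured into those operations. A Standard gateway acts only for devices in its
    own resource group; the page does not say Privileged is scoped, so it is not here."""
    if principal.kind == "application" and op in APP_GLOBAL_DENY:
        return False
    perms = GRANTS.get(principal.kind, {}).get(principal.role, frozenset())
    if not _granted(perms, op):
        return False
    if principal.kind == "gateway" and principal.role == "Standard" and op == "device.act_for":
        return device_group is not None and device_group == principal.resource_group
    return True
```

Because principal type is part of the lookup, an Administrator user holding "user.*" still cannot reach device or application operations, matching the separation the user roles table describes.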