Access Control: Understanding Permissions

Understanding "Read", "Create", "Write", and "Delete" Permissions

These actions form the foundation of access control, allowing you to finely tune what users can do within a system.

  • "Read" allows viewing and accessing data or resources. Users can see information but not modify, create, or delete it. For example, they can view Event Types but cannot make changes to them.

  • The "Create" action lets users add new resources or data. It allows initiating or authoring new items, such as Users, Events, or POIs, within the system.

  • "Write" permissions allow users to modify or edit existing data. Users with "write" access can update or revise information; this is typically used for making changes to Event Types, Roles, or Measurands.

  • The "Delete" action allows users to remove resources from the system. Users with this access can delete Users, Events, or other entities.

By assigning these permissions appropriately, you can control who can view, create, modify, and delete data or resources based on their role and responsibilities in the organization.

Permissions on Subjects

In our system, you have the ability to set permissions for various entities, allowing controlled access to specific resources. Here are the main objects on which permissions can be applied:

  1. User: This represents individuals or entities within the system, granting access to different system resources.

  2. Role: Roles grant access to various resources based on Attribute-Based Access Control (ABAC) policies. Each role encompasses a set of permissions defining what actions can be performed within the system.

  3. Tenant: A representation of the organization to which a user belongs. Tenants are essential for grouping users and managing access based on organizational structures (Organizations).

  4. File: An entity representing a document, image, 3D model, or any other file type. Permissions can control who can view, edit, or delete these files.

  5. Event: Represents any occurrence or incident within the system, allowing tracking and management of events based on assigned permissions (Events).

  6. Eventtypeconfiguration: Configurations associated with different types of events, enabling customization and control over specific event types (How to configure an Event Type).

  7. Facility: Represents an item related to a facility within the system, with permissions regulating access to these facility-related resources (HSEQ).

  8. Pointofinterest: A place of interest within a hierarchical space, often visualized in a digital twin viewer. Permissions can dictate who can access or modify these points of interest (Points of Interest).

  9. Replica: A visual representation of POIs in the digital twin viewer. Permissions control who can view these replicas and related data (Replica).

  10. Location: Represents the placement of a POI in a replica, essentially a link entity holding coordinate data. Permissions regulate access to this placement information.

  11. Productiondata: The main abstraction representing production nodes and data entries. Permissions manage access to production-related data (Production Data).

  12. Measurand: For duty cycle and POI status data from IoT services. Permissions can be applied to control access to this specific type of data.

By setting permissions on these objects, you can tailor access rights and manage user privileges.

Basic Access Settings

To set up roles, we begin with a basic set of permissions that are essential for system usage.

This foundational set includes the "read" permission for the following entities: pointofinterest, replica, file, tenant and location. With these initial permissions in place, users will have the necessary access to navigate the system.

Moving forward, the role configuration involves defining the specific tasks an employee with this role is expected to perform and identifying the modules they need to interact with.

Here, we will provide a set of permissions for each system module (or tab):

  1. Events tab: access to event and eventtypeconfiguration.

  2. Data tab: access to measurand and productiondata.

  3. Layers: access to facility.

  4. Point Editor: requires full access to file, pointofinterest, replica, location, and facility.
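The role-building procedure above, as an added example that is not part of the original page: a role starts from the foundational read grants, module grants are layered on top, and permission checks are default-deny. The function names and the module-to-entity table are assumptions made for this illustration; the entity and action names come from the page.

```python
ACTIONS = frozenset({"read", "create", "write", "delete"})

# Baseline "read" grants every role needs just to navigate the system.
BASE_ENTITIES = ("pointofinterest", "replica", "file", "tenant", "location")

# Entities each module (tab) works with, plus the actions the page fixes for
# them: Point Editor requires full access; the other tabs leave the action
# set to the role designer (None). Assumed table built from the list above.
MODULES = {
    "events": (("event", "eventtypeconfiguration"), None),
    "data": (("measurand", "productiondata"), None),
    "layers": (("facility",), None),
    "point_editor": (("file", "pointofinterest", "replica", "location",
                      "facility"), ACTIONS),
}


def new_role():
    """Role holding only the foundational read permissions."""
    return {entity: {"read"} for entity in BASE_ENTITIES}


def grant_module(role, module, actions=("read",)):
    """Add the permissions a module needs. Unknown action names are rejected
    so a typo such as "wrte" cannot silently drop a grant."""
    entities, fixed = MODULES[module]
    wanted = set(fixed) if fixed is not None else set(actions)
    unknown = wanted - ACTIONS
    if unknown:
        raise ValueError(f"unknown actions: {sorted(unknown)}")
    for entity in entities:
        role.setdefault(entity, set()).update(wanted)
    return role


def is_allowed(role, action, entity):
    """Default-deny check: only an explicit grant permits the action."""
    return action in role.get(entity, set())


def missing_baseline(role):
    """Baseline entities on which the role lacks the read grant it needs."""
    return [e for e in BASE_ENTITIES if "read" not in role.get(e, set())]


if __name__ == "__main__":
    # Constructed example: an analyst who reads events and edits measurands.
    analyst = grant_module(new_role(), "events")
    grant_module(analyst, "data", {"read", "write"})
    print(sorted((e, sorted(a)) for e, a in analyst.items()))
```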
