
Managing user roles and permissions

This article explains how a Tenant Owner can assign User Roles in order to permit or restrict a user’s access to tenant resources.

User Roles are pre-configured sets of access permissions. Each permission allows specific actions on specific resources. User Roles group these permissions into the sets required for common IoT job duties. By correctly assigning user roles, you can ensure that users only have access to the tenant resources they need. In the thingsHub, there are two general categories of user roles: End User Roles and Technical Roles.

  • End User Roles include access permissions that have been grouped according to job duties related to non-technical business aspects of the thingsHub tenant. These include the permissions necessary to perform job duties such as managing IoT devices, tracking assets, or viewing data visualizations. End User Roles also include all permissions that are required but only indirectly associated, e.g. because a Device Management User is allowed to assign a driver to a device, this User Role also includes all required permissions to view drivers in the tenant.

    There are three recurring types of End User Roles:

    • Owner. An Owner is the person responsible for this aspect of the system, e.g. a Device Management Owner is fully responsible for managing IoT devices using the thingsHub. An Owner Role usually allows a user to create, delete, edit, and view the selected resource.

    • User. A User is a person who works with the feature regularly and so needs to be able to actively work with the system, but who is not ultimately responsible for the feature. A User Role usually allows a user to edit & view the selected resource, but not to create or delete a resource.

    • Guest. A Guest is a user who needs to inspect resources, e.g. in case something does not work as expected, but who is not allowed to change anything. A Guest Role allows a user to view the selected resource, but not to edit, create, or delete it.

  • Technical Roles include fine-grained sets of permissions that have been grouped according to the underlying technical resources. These roles are not designed for convenient use by human users. They are primarily meant for machine-to-machine communication, but can also be used to extend a user’s End User Role in a more fine-grained manner than is possible with End User Roles alone.

    • Technical Roles always come in (at most) three types:

      • Administrator. Allows a user to create, delete, edit, and view the selected kind of resource.

      • Editor. Allows a user to edit & view the selected kind of resource. 

      • Viewer. Allows a user to view the selected kind of resource.

Notes:

  • End User Roles are highly recommended for most users.

  • Technical Roles require technical expertise to configure correctly. For example, it is possible to assign user roles that give a person the ability to assign a driver to a device, while preventing them from retrieving the list of existing devices. This means that the driver selection field would be empty for this user, and that they effectively could not assign a driver to a device using the UI.


End-user roles recommendations

  • Tenant Owner. A user with nearly unlimited access to all of a tenant’s features. This role should only be provided to a few, experienced users. Adding any other role to a Tenant Owner is superfluous, as the Tenant Owner already has all permissions of all other users.

  • Asset Tracking Owner. A user who is responsible for asset tracking and needs to be able to manage sites and zones, provision asset trackers and tags, and manage assets.

  • Asset Tracking Users. A user who needs to find tracked assets and bind or unbind asset trackers, but does not need to be able to manage sites, assets, or asset trackers.

  • Device Management Owner. A user who is responsible for managing devices and needs to be able to do anything device related.

  • Device Management User. A user who does not need to be able to add new devices or remove devices, but needs to be able to assign drivers, configure devices etc.

  • Device Management Guest. A user who needs to be able to inspect a device’s status, but should not be able to modify (and thereby break) anything.

  • Visualizer Access. This is a special role that needs to be assigned to any user who wants to view or edit dashboards, no matter whether this is on the thingsHub Dashboards page or in the Dashboard Editor.

Note that multiple roles can be assigned to the same user, e.g. a user might be Asset Tracking Owner and Device Management Owner, so that they can provision devices and activate them for asset tracking, too.
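
The note on Technical Roles and the Tenant Owner recommendation above both describe role assignments that can be checked mechanically before they are applied. The following is an added example, not thingsHub code: the tier names come from this article, while the resource names, the dependency table, and the function names are hypothetical.

```python
# Added example. Tier names follow the article's Administrator/Editor/Viewer
# types; resource names and the dependency table are hypothetical.
TIER_ACTIONS = {
    "Administrator": {"create", "delete", "edit", "view"},
    "Editor": {"edit", "view"},
    "Viewer": {"view"},
}

# (resource, action) -> permissions the UI also needs for that action to work.
# Assumed from the article's example: assigning a driver to a device is a
# device edit that also needs the list of drivers.
REQUIRES = {
    ("device", "edit"): {("driver", "view")},
}


def effective_permissions(technical_roles):
    """Union of permissions granted by (resource, tier) Technical Roles."""
    perms = set()
    for resource, tier in technical_roles:
        perms |= {(resource, action) for action in TIER_ACTIONS[tier]}
    return perms


def audit_user(end_user_roles, technical_roles):
    """Return a list of findings for one user's role assignment."""
    findings = []
    # Tenant Owner already holds every permission, so extra roles add nothing.
    if "Tenant Owner" in end_user_roles:
        extra = len(end_user_roles) - 1 + len(technical_roles)
        if extra:
            findings.append(f"superfluous: {extra} role(s) besides Tenant Owner")
        return findings
    # End User Roles bundle their indirect permissions, so only the
    # hand-picked Technical Roles are checked for unmet dependencies.
    perms = effective_permissions(technical_roles)
    for granted in sorted(perms):
        for needed in sorted(REQUIRES.get(granted, set()) - perms):
            findings.append(
                f"unusable: {granted[0]}:{granted[1]} needs {needed[0]}:{needed[1]}"
            )
    return findings


if __name__ == "__main__":
    # Constructed assignments for three users.
    print(audit_user([], [("device", "Editor")]))
    print(audit_user([], [("device", "Editor"), ("driver", "Viewer")]))
    print(audit_user(["Tenant Owner", "Device Management Guest"], []))
```
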


Accessing user roles settings

Step 1) Go to Tenant Settings > User Management. From the User Management page, select the Username or Edit button.

Once the user’s details page is opened, roles can be edited on the right-hand side of the screen.


Add additional user roles

Step 1) From the User Management page, select the Username or Edit button.

Step 2) In the User Roles section, choose a role from the Add additional user role drop-down list. Then select the Add Role button. The newly selected role will immediately appear in the User Roles table.


Remove user roles

Step 1) From the User Management page, select the Username or Edit button.

Step 2) In the User Roles section of the User Settings dialog, select the Delete button in the row corresponding to the role you want to delete. Then press Ok to confirm the user role deletion.

