Introduction
Endian Switchboard provides a granular permission management system to control access to resources and functionalities. This document explains how to configure permissions for users and devices in single-tenant and multi-tenant scenarios.
Key Concepts
- User: A person that utilizes Endian Switchboard services. Synonym for account.
- User Group: A collection of users. Permissions assigned to a group apply to all its members.
- Gateway: An Endian device (gateway) connected to the Switchboard (e.g., 4i Edge or UTM).
- Gateway Group: A collection of gateways. Permissions assigned to a group apply to all its members. Also called device group.
- Organization: Synonym for tenant. A logical unit that groups users, user groups, gateways, gateway groups, and other resources. Organizations can have sub-organizations, creating a hierarchical structure.
- Endpoint: A machine that provides a service and is connected to a gateway (e.g., Windows desktop, PLC). Sometimes also called device.
- Application: A service that users can access on endpoints (e.g., SSH, remote desktop, webserver, generally speaking any TCP/UDP service accessible via the network).
- Application Profile: A collection of applications.
- Message: A notification, banner, or agreement shown to users after login.
Permission Types
User Permissions
Define the actions a user can perform in the Endian Switchboard. These can be assigned in the single user editing interface under the Users menu.
- Superuser (full control): Grants all user permissions except "Use the API".
- Manage Users: Create, modify, delete users and user groups. Assign users to groups. A user can only manage other accounts within a group where they hold the "Administrator" role, unless they are a Superuser.
- Manage Devices: Create, modify, delete gateways and gateway groups. Assign gateways to groups. A user can only manage gateways within a group where they hold the "Manager" role, unless they are a Superuser.
- Manage Applications: Create, modify, delete applications and application profiles. View applications of all sub-organizations.
- Manage Organizations: Available only in multi-tenant environments. Create, modify, delete organizations. Be able to connect and use gateways and endpoints of sub-organizations in the dashboard. Be able to choose an organization while creating new resources.
- Access to Suborganizations: Be able to use gateways and endpoints of sub-organizations in the dashboard.
- Manage Profiles: Only available if the Endian Management Center (EMC) is enabled. Allows the user to use the EMC. Requires the "Manage Devices" permission as well.
- Direct Access to Application: Automatically launch a single application after login. Useful for users that only have to deal with the same Application.
- Use the API: Interact with the web API exposed by the Switchboard.
Device Permissions
Define the type of access a user (or a user group) has to a gateway. These roles define, at a granular level, whether a user can only connect to some resources or can also edit their configuration. They can be assigned directly to single gateways or to entire gateway groups.
They are assigned under the Devices menu, either in the single gateway editing interface or in the gateway-group editing interface.
Available roles are:
- Regular User: View the gateway in the dashboard and be able to use its applications.
- Manager: In addition to what is granted by the Regular User role, allows the user to view the gateway in the Devices menu and to modify the gateway's configuration. Requires the "Manage Devices" user permission as well.
For example, a user given the “Regular User” role on a gateway can only connect to the device from the dashboard. A user who has the “Manage Devices” user permission and is assigned the “Manager” role on the gateway (or on a group the gateway belongs to) can also edit the gateway configuration in the Devices section. The Manager role alone is not enough: without “Manage Devices” the user still cannot edit anything.
Roles in User Groups
Define the type of access a user has to other users and user groups. For somebody who has the “Manage Users” user permission, these roles define at a granular level which users they can actually edit and what they are allowed to do on user groups.
These roles can be configured in the single user-group editing interface, under the Users menu.
Available roles are:
- Member: Normal member of the group. The user gets access to the resources that the group is allowed to connect to.
- Administrator: In addition to what is granted by normal user membership, this role allows users to also edit other members of the same group, their roles, and the group itself. Requires the "Manage Users" user permission.
The same logic described for the device permissions applies here: the Administrator role, coupled with the “Manage Users” user permission, allows modifying only the subset of users that belong to the administered group.
Configuration Examples
1. Single-tenant, complex, industrial scenario
This is the case in which you administer a possibly large set of gateways and users that all belong to the same organizational unit or corporation.
Fine-grained access can still be granted by combining permissions and groups. Let’s look at a fairly complex example that showcases all features of the Endian Switchboard access control system.
Say your company has two production sites: the headquarters, where in addition to production you also have an IT department, and a second site with production facilities only. At both sites you have two production lines and different subsets of users:
- A group of workers responsible for one specific production line.
- Another group of workers responsible for another line.
- A group of supervisors to coordinate both lines.
At each site, each group of workers should only deal with their own production line. Supervisors should instead be allowed to deal with both lines, add new workers, remove existing ones, and reassign workers from one line to the other. However, neither workers nor supervisors from one site should be able to change anything at the other site. Only IT should be able to manage both.
The suggested way to implement this access control scenario is as follows. You, the Switchboard administrator, should:
- Create as many users with the “Superuser” permission as the IT department needs. These will all be Switchboard administrators and can perform the same tasks as the administrator who creates them.
- Create one user group per site, just to hold the supervisors.
- Create one supervisor user per site and add it to that site's supervisors group with the role “Administrator”. Assign them the permissions “Manage Users”, “Manage Devices” and “Manage Applications”.
At this point, the supervisors can freely and independently:
- Create other supervisor users and add them to their group with the “Administrator” role. They can grant the new users at most the same permissions they hold themselves, but they could also restrict them, for example by not granting “Manage Devices” and “Manage Applications”, which are usually deemed more suitable for technical staff.
- Create new user groups for workers, and add themselves and the other supervisors as “Administrators” of these groups. This grants the supervisors the ability to add and remove workers from these groups.
- Create new worker users with no user permissions, and add them to the worker user groups with the plain “Member” role. This allows the workers to connect to the applications of their production line from within the Dashboard.
- Create gateway groups to bundle the gateways of the same production line. Bind the appropriate worker user group to the gateway group with the “Regular User” role, and bind the supervisor user group with the “Manager” role.
At this point, either a “Superuser” from IT or a supervisor with the “Manage Devices” permission can create new gateways and add them to the appropriate gateway groups, which automatically grants workers and supervisors access to them. Gateways can be provisioned either via USB or remotely via the Plug&Connect feature.
2. Single-tenant, simpler, industrial scenario
This example differs from the previous one in what the Superusers delegate: they keep the devices’ side for themselves instead of handing both user and gateway management to supervisors, and rely on some administrative staff only to manage the user base. The Superusers still hold the responsibility to grant access permissions correctly, but only at group level. Administrative staff then handle group membership.
Let’s start, as before, by having the Switchboard administrator create other Superuser accounts to share the burden of system administration. Then a Superuser should:
- Create and provision all the gateways, either via USB or remotely via the Plug&Connect feature.
- Create the administrative staff accounts and grant them the “Manage Users” permission.
- Create all user groups needed to hold the non-administrative user base, and add all the administrative staff as “Administrators” of these groups.
- Bind the user groups to the gateways (or gateway groups) with the “Regular User” role.
Now the administrative users can create new users, assign them to the appropriate user groups, move them from one group to another, and delete them.
The Superuser is now only involved when the access control model must change, e.g. to restrict or extend the access a specific user group has over the set of gateways, or to add new gateways.
A Superuser could go even further and delegate to one single administrative user the responsibility to manage their own peers:
- Create a user group for administrative users
- Add that user as “Administrator”
- Add all the others as plain “Members”
Now the empowered administrative user can also add and delete administrative staff.
3. Multi-tenant scenario
The multi-tenancy feature of an Endian Switchboard handles more complex situations, where the gateway and user base do not belong to a single company and every company (tenant) explicitly needs its own Superuser, who must be limited to administering only their own resources.
Consider a scenario with multiple instances of the previous examples, all handled by one single Switchboard. Here the task of the main Switchboard administrator is in some sense much simpler, because they can delegate to the Superuser of each Organization the burden of setting up their own environment. Thus, if a new Organization is needed, the Switchboard administrator only has to:
- Create the new Organization
- Create a new “Superuser” in that Organization
Once the new Superuser logs in, they can start performing all the tasks described in the previous two examples.
Frequently Asked Questions (FAQ)
1. How can I manage the users of my organization?
You need either
- the “Superuser” permission, or
- the "Manage Users" permission, together with the “Administrator” role on a user group that the users you want to manage belong to.
If you create new users, you must assign them to a user group of which you are "Administrator"; otherwise you won’t be able to manage them after creation. This is a typical corner case, described further in the next FAQ.
2. I just created a new user, but cannot see it in the list, why does this happen?
This usually happens because, while creating the new user, you did not assign it to a user group of which you are “Administrator”. By doing so, you implicitly gave up the ability to manage this new account. The only way to fix this is to reach out to a “Superuser”, who can see and manage all accounts and can add the user to one of your groups.
3. How can I prevent a user from modifying the configuration of a gateway?
If the user does not have the “Manage Devices” permission, you don’t have to do anything: the user cannot edit any gateway configuration at all.
If the user does have it, make sure to assign them the “Regular User” role instead of “Manager” on the gateway, and on every gateway group the gateway belongs to, since a Manager role inherited from any group would prevail. This allows the user to connect to the gateway from the dashboard but not to modify its settings.
4. What happens if I assign a user to multiple user groups with different permissions?
A user with memberships in multiple groups inherits the combined permissions of all those groups. This means they will have the most permissive access level granted by any of their group memberships. For example, if one group has "Regular User" access to a device and another group has "Manager" access to the same device, the user will effectively have "Manager" access.
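Because these rules interact (a user permission AND a role, the union across groups, the corner case of FAQ 2), it helps to see them written down as code. The following Python model is an illustration added for this page; it is not Endian Switchboard's own code or API, and every name in it (the Switchboard class, its methods, the site, group, gateway and user names) is an assumption. It encodes the Device Permissions and Roles in User Groups sections, answers FAQ 1 to 4, and instantiates the first configuration example with constructed sample data (two sites, one worker group per site shown).

```python
# Hypothetical model of the permission rules described on this page. Written for
# this page as an illustration; it is not Endian Switchboard's own code or API,
# and every class, function and sample name below is an assumption.
from dataclasses import dataclass, field

SUPERUSER = "Superuser"
MANAGE_USERS = "Manage Users"
MANAGE_DEVICES = "Manage Devices"


@dataclass
class Switchboard:
    users: dict = field(default_factory=dict)           # user -> set of user permissions
    user_groups: dict = field(default_factory=dict)     # group -> {user: "Member" | "Administrator"}
    gateway_groups: dict = field(default_factory=dict)  # gateway group -> set of gateways
    # device permissions: (principal, target, role); principal is ("user", name) or
    # ("user-group", name), target is ("gateway", name) or ("gateway-group", name)
    device_roles: list = field(default_factory=list)

    def user_groups_of(self, user):
        return {g for g, members in self.user_groups.items() if user in members}

    def gateway_groups_of(self, gateway):
        return {g for g, gws in self.gateway_groups.items() if gateway in gws}

    def device_role(self, user, gateway):
        """Most permissive role granted directly or through any group (FAQ 4)."""
        principals = {("user", user)} | {("user-group", g) for g in self.user_groups_of(user)}
        targets = {("gateway", gateway)} | {("gateway-group", g) for g in self.gateway_groups_of(gateway)}
        roles = {role for p, t, role in self.device_roles if p in principals and t in targets}
        if "Manager" in roles:
            return "Manager"
        if "Regular User" in roles:
            return "Regular User"
        return None

    def can_connect(self, user, gateway):
        """Dashboard access to the gateway's applications: any device role suffices.
        The page states this only in terms of device roles, so no implicit
        Superuser shortcut is modelled here (assumption)."""
        return self.device_role(user, gateway) is not None

    def can_configure(self, user, gateway):
        """Editing the gateway in the Devices menu needs BOTH the 'Manage Devices'
        user permission and the Manager role (FAQ 3); a Superuser needs neither."""
        perms = self.users[user]
        if SUPERUSER in perms:
            return True
        return MANAGE_DEVICES in perms and self.device_role(user, gateway) == "Manager"

    def can_manage_user(self, actor, target):
        """FAQ 1: 'Manage Users' plus Administrator role in a group the target belongs to."""
        perms = self.users[actor]
        if SUPERUSER in perms:
            return True
        if MANAGE_USERS not in perms:
            return False
        return any(members.get(actor) == "Administrator" and target in members
                   for members in self.user_groups.values())

    def visible_users(self, actor):
        """The user list an account sees; a freshly created user that was not put
        in a group the creator administers disappears from it (FAQ 2)."""
        return {u for u in self.users if self.can_manage_user(actor, u)}


def build_example_site():
    """Constructed sample data for configuration example 1 (two sites)."""
    sb = Switchboard()
    sb.users = {
        "it-admin": {SUPERUSER},
        "sup-a": {MANAGE_USERS, MANAGE_DEVICES},
        "sup-b": {MANAGE_USERS, MANAGE_DEVICES},
        "worker-a1": set(),
        "worker-b1": set(),
    }
    sb.user_groups = {
        "supervisors-a": {"sup-a": "Administrator"},
        "supervisors-b": {"sup-b": "Administrator"},
        "line1-a-workers": {"sup-a": "Administrator", "worker-a1": "Member"},
        "line1-b-workers": {"sup-b": "Administrator", "worker-b1": "Member"},
    }
    sb.gateway_groups = {"line1-a": {"gw-a1"}, "line2-a": {"gw-a2"}, "line1-b": {"gw-b1"}}
    sb.device_roles = [
        (("user-group", "line1-a-workers"), ("gateway-group", "line1-a"), "Regular User"),
        (("user-group", "supervisors-a"), ("gateway-group", "line1-a"), "Manager"),
        (("user-group", "supervisors-a"), ("gateway-group", "line2-a"), "Manager"),
        (("user-group", "line1-b-workers"), ("gateway-group", "line1-b"), "Regular User"),
        (("user-group", "supervisors-b"), ("gateway-group", "line1-b"), "Manager"),
    ]
    return sb


if __name__ == "__main__":
    sb = build_example_site()
    for user, gw in [("worker-a1", "gw-a1"), ("worker-a1", "gw-a2"), ("sup-a", "gw-a2"), ("sup-a", "gw-b1")]:
        print(f"{user} -> {gw}: connect={sb.can_connect(user, gw)} configure={sb.can_configure(user, gw)}")
```

Running the model shows the site isolation the example asks for: a worker connects only to their own line, a supervisor configures both lines of their site but nothing at the other site, and only the Superuser reaches both. Adding a worker to the supervisors group as a plain Member immediately lifts their device role to Manager through the group binding (FAQ 4), yet without “Manage Devices” they still cannot edit the gateway (FAQ 3); and a user created without being placed in a group the creator administers is absent from that creator's visible user list until a Superuser adds it (FAQ 2).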