Entirety comes with two different ways to assign permissions to users: roles and groups. Roles carry a set of application-wide permissions, while groups grant project-wide permissions. Both roles and groups are hierarchical: a user with a higher role or group can do everything a user with a lower role or group can do. Below, the roles and groups are described first, starting with the highest set of permissions; then the ways to create users and assign roles are described for both authentication modes, local authentication and OIDC authentication.
Reminder: Roles are application-wide permissions and can be set either in the admin panel of Entirety or in the OIDC provider.
- Server Admin
  - Create / edit / delete all projects
    - Note: Only server admins can edit the fiware-service. Where Entirety is connected to a FIWARE cluster directly (not through a PEP proxy), this means server admins can see all data within the platform!
  - Assign / change the project owner of projects
    - Note: By default, the project creator is first assigned as project owner.
- Project Admin
  - Currently without function
  - Eligible to be assigned as project owner of projects
- User
  - Access to Entirety
    - Note: Only relevant for OIDC authentication. In local authentication mode, users are always assigned the user role implicitly.
  - Eligible to be assigned as project maintainer, project user or project viewer of projects
Reminder: Groups are project-bound permissions and can be set on the project edit page of each project.
- Project Owner
  - (Un-)Assign project maintainers to the project
    - Note: Users with the server admin role and the current project owner are not eligible.
  - Edit project details, e.g. name, description, etc., except for the fiware-service.
- Project Maintainer
  - (Un-)Assign project users and project viewers to the project
    - Note: Users with the server admin role and the current project owner are not eligible.
  - Access to project data via loaded modules, e.g. entities, devices, semantics, etc.
- Project User
  - Add / edit / delete entities, devices, notifications, etc.
- Project Viewer
  - Read-only access to project data via loaded modules, e.g. entities, devices, semantics, etc.
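The hierarchy described above is easy to get wrong when it is implemented as ad-hoc string comparisons, so the following is an added, hypothetical Python model of the role and group rules (it is not Entirety's own code). It encodes roles and groups as ordered enums so that "higher implies lower" falls out of a single comparison, treats the project owner slot as outranking any group entry, and enforces the two eligibility rules from the notes (server admins and the current owner cannot be given a group; only project admins or above can become owner). One assumption not stated on the page is that a server admin holds every project-level permission, which follows from "edit all projects"; the user and project names are constructed sample data.

```python
"""Hypothetical model of the Entirety role/group hierarchy (added example, not project code)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Application-wide roles; a higher value implies every lower one."""
    NONE = 0            # no role assigned: cannot log in (relevant in OIDC mode)
    USER = 1
    PROJECT_ADMIN = 2
    SERVER_ADMIN = 3


class Group(IntEnum):
    """Project-bound groups, hierarchical in the same way."""
    NONE = 0
    PROJECT_VIEWER = 1
    PROJECT_USER = 2
    PROJECT_MAINTAINER = 3
    PROJECT_OWNER = 4   # the owner slot, not a group entry; see effective_group()


@dataclass
class User:
    name: str
    role: Role


@dataclass
class Project:
    name: str
    owner: str                                   # user name of the project owner
    groups: dict = field(default_factory=dict)   # user name -> Group


def effective_group(user: User, project: Project) -> Group:
    """Project-level standing of a user: the owner slot outranks any group entry."""
    if user.name == project.owner:
        return Group.PROJECT_OWNER
    return project.groups.get(user.name, Group.NONE)


def can_access_entirety(user: User) -> bool:
    return user.role >= Role.USER


def can_edit_fiware_service(user: User) -> bool:
    # Only server admins may edit the fiware-service; no group grants this.
    return user.role >= Role.SERVER_ADMIN


def _at_least(user: User, project: Project, group: Group) -> bool:
    # Assumption: a server admin holds every project-level permission.
    return user.role >= Role.SERVER_ADMIN or effective_group(user, project) >= group


def can_edit_project_details(user: User, project: Project) -> bool:
    return _at_least(user, project, Group.PROJECT_OWNER)


def can_write_project_data(user: User, project: Project) -> bool:
    return _at_least(user, project, Group.PROJECT_USER)


def can_read_project_data(user: User, project: Project) -> bool:
    return _at_least(user, project, Group.PROJECT_VIEWER)


def eligible_as_owner(candidate: User) -> bool:
    return candidate.role >= Role.PROJECT_ADMIN


def eligible_for_group(candidate: User, project: Project) -> bool:
    """Maintainer/user/viewer candidates need the user role and must be neither
    a server admin nor the current project owner."""
    return Role.USER <= candidate.role < Role.SERVER_ADMIN and candidate.name != project.owner


def assign_group(actor: User, project: Project, candidate: User, group: Group) -> None:
    """Put `candidate` into `group` on `project` on behalf of `actor`, or raise PermissionError."""
    if group not in (Group.PROJECT_MAINTAINER, Group.PROJECT_USER, Group.PROJECT_VIEWER):
        raise ValueError("the owner is set with assign_owner(), not as a group")
    # Owners (or above) assign maintainers; maintainers (or above) assign users and viewers.
    required = Group.PROJECT_OWNER if group == Group.PROJECT_MAINTAINER else Group.PROJECT_MAINTAINER
    if not _at_least(actor, project, required):
        raise PermissionError(f"{actor.name} may not assign {group.name} on {project.name}")
    if not eligible_for_group(candidate, project):
        raise PermissionError(f"{candidate.name} is not eligible for {group.name}")
    project.groups[candidate.name] = group


def assign_owner(actor: User, project: Project, candidate: User) -> None:
    """Change the project owner; only server admins may do this."""
    if actor.role < Role.SERVER_ADMIN:
        raise PermissionError(f"{actor.name} may not change the owner of {project.name}")
    if not eligible_as_owner(candidate):
        raise PermissionError(f"{candidate.name} is not eligible as project owner")
    project.groups.pop(candidate.name, None)   # the owner slot replaces any group entry
    project.owner = candidate.name
```

The point of the `IntEnum` ordering is that every permission check is a single `>=` against the lowest group that grants the action, so adding a new action means adding one line rather than touching every branch, and the eligibility rules live in one place that both assignment paths call.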
There are two ways to create users and assign roles, depending on the authentication mode: local authentication and OIDC authentication. The authentication mode is set in the Entirety settings file.
In local authentication mode, users are created and managed in the admin panel of Entirety. The admin panel is available at http://<entirety-ip>:<entirety-port>/admin/ and can be accessed by admin users only. By default, the admin user is created during the first start of Entirety. Further admin users can be given staff status on the user edit page. Roles are likewise assigned to users on the user edit page.
In OIDC authentication mode, users are created and managed in the OIDC provider. Only users with the user role assigned are able to log in to Entirety. Check your OIDC provider's documentation for further details. If you are using Keycloak as OIDC provider, a short tutorial with the necessary steps is provided in the Entirety step-by-step guide.