Atom

Roles

Role-based access using permission blocks and assignments.

Roles are the normal way to give access in Atom.

A role is a friendly name for one or more permission blocks. A role assignment gives that role to an entity or principal group.

Example

Tenant: factory-a

Object Group: Plant-A
  channel telemetry
  client meter-001

Role: Plant-A Publisher
  Permission Block:
    Scope: channels inside Plant-A
    Actions: read, publish
    Effect: allow

Assignment:
  Give Plant-A Publisher to meter-001

That means meter-001 can read from and publish to the channels inside the Plant-A object group (here, telemetry). The block's scope covers channels only, so the fact that the client object meter-001 is also a member of Plant-A grants nothing by itself.

Role Parts

Part               Meaning
Role               Name shown to operators, such as Plant-A Publisher.
Permission Block   The actual rule attached to the role.
Role Assignment    The row that gives the role to an entity or principal group.

Principal Groups

Use principal groups when many subjects should receive the same role.

Principal Group: Field Devices
  meter-001
  meter-002
  meter-003

Assignment:
  Give Plant-A Publisher to Field Devices

Each member receives the role through the group. Removing a device from the group removes that inherited access.

Object Groups

Use object groups when one rule should apply to many protected objects.

Object Group: Plant-A
  channel telemetry
  channel alerts
  client meter-001

A permission block can target the direct objects in the group, descendant objects, child groups, or descendant groups. Descendant targeting follows the hierarchy as it changes, so objects added to a child group later fall under the block automatically; target direct objects only when that is not intended.
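The Example, Principal Groups and Object Groups sections above describe one evaluation model: a principal collects roles directly or through a principal group, each role carries permission blocks, and a block covers an object when the object is in the block's scope and the action is listed. The following is an added example in Python and is not Atom's code. It models the factory-a tenant from this page, then adds constructed pieces the page does not contain: a child group Plant-A/Line-1 with a channel line1-telemetry, a tenant root group, a deny block ("No Alert Publishing"), and the identities auditor-1 and ops-admin. The object-kind names "channel" and "client", the action names, and the rule that an explicit deny beats an allow are assumptions, not statements from the page.

```python
# Toy evaluator for the role model on this page (added example, not Atom's code).
# Assumed, not stated by the page: the object-kind names "channel"/"client",
# the action names, and that an explicit deny block overrides an allow.
from dataclasses import dataclass, field

@dataclass
class Obj:
    kind: str    # "channel" or "client"
    name: str
    tenant: str

@dataclass
class ObjectGroup:
    name: str
    members: list = field(default_factory=list)   # direct objects
    children: list = field(default_factory=list)  # child groups

    def objects(self, descendants):
        """Direct objects, plus those of descendant groups when requested."""
        out = list(self.members)
        if descendants:
            for child in self.children:
                out.extend(child.objects(True))
        return out

@dataclass
class PermissionBlock:
    group: ObjectGroup
    kinds: frozenset          # object kinds in scope, e.g. {"channel"}
    actions: frozenset
    effect: str = "allow"     # "allow" or "deny"
    descendants: bool = True  # False: direct objects of the group only

    def covers(self, obj, action):
        return (obj.kind in self.kinds and action in self.actions
                and obj in self.group.objects(self.descendants))

@dataclass
class Role:
    name: str
    blocks: list

@dataclass
class PrincipalGroup:
    name: str
    members: set

class Engine:
    def __init__(self):
        self.assignments = []  # (role, subject); subject is an entity id or a PrincipalGroup

    def assign(self, role, subject):
        self.assignments.append((role, subject))

    def roles_for(self, principal):
        for role, subject in self.assignments:
            if subject == principal or (isinstance(subject, PrincipalGroup)
                                        and principal in subject.members):
                yield role

    def check(self, principal, action, obj):
        """Allow if some covering block allows and none denies (deny-overrides assumed)."""
        allowed = False
        for role in self.roles_for(principal):
            for block in role.blocks:
                if block.covers(obj, action):
                    if block.effect == "deny":
                        return False
                    allowed = True
        return allowed

def scenario():
    """Tenant factory-a as on the page, plus a constructed child group, deny block and tenant admin."""
    t, ch = "factory-a", frozenset({"channel"})
    telemetry, alerts = Obj("channel", "telemetry", t), Obj("channel", "alerts", t)
    meter1, line1 = Obj("client", "meter-001", t), Obj("channel", "line1-telemetry", t)
    plant_a = ObjectGroup("Plant-A", [telemetry, alerts, meter1], [ObjectGroup("Plant-A/Line-1", [line1])])
    tenant_root = ObjectGroup("factory-a", children=[plant_a])  # constructed tenant root group
    publisher = Role("Plant-A Publisher", [PermissionBlock(plant_a, ch, frozenset({"read", "publish"}))])
    direct_only = Role("Plant-A Direct Reader",  # constructed: direct objects only
                       [PermissionBlock(plant_a, ch, frozenset({"read"}), descendants=False)])
    no_alert_pub = Role("No Alert Publishing",   # constructed deny block
                        [PermissionBlock(ObjectGroup("Alerts", [alerts]), ch, frozenset({"publish"}), effect="deny")])
    tenant_admin = Role("Tenant Admin",
                        [PermissionBlock(tenant_root, frozenset({"channel", "client"}), frozenset({"manage"}))])
    field_devices = PrincipalGroup("Field Devices", {"meter-001", "meter-002", "meter-003"})
    eng = Engine()
    for role, subject in [(publisher, field_devices), (no_alert_pub, field_devices),
                          (direct_only, "auditor-1"), (tenant_admin, "ops-admin")]:
        eng.assign(role, subject)
    r = {
        "group member publishes telemetry": eng.check("meter-002", "publish", telemetry),
        "descendant channel covered": eng.check("meter-002", "publish", line1),
        "client object outside channel scope": eng.check("meter-002", "read", meter1),
        "deny overrides allow": eng.check("meter-001", "publish", alerts),
        "read on alerts still allowed": eng.check("meter-001", "read", alerts),
        "direct-only block skips descendants": eng.check("auditor-1", "read", line1),
        "tenant admin manages descendant": eng.check("ops-admin", "manage", line1),
    }
    field_devices.members.discard("meter-003")  # leaving the group removes inherited access
    r["removed member loses access"] = eng.check("meter-003", "read", telemetry)
    return r
```

Calling scenario() returns a dict of named decisions: the group member meter-002 may publish to telemetry and to the descendant channel, but not to the client object meter-001, whose kind is outside the block's scope; the constructed deny block blocks publishing to alerts while leaving read intact; the direct-only block does not reach the child group; the tenant admin's single broad block reaches every descendant through the same check() path; and meter-003 loses access the moment it leaves Field Devices.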

Admin Access

Platform administrators use permission blocks with broad scopes and management actions. Tenant administrators use tenant-scoped permission blocks. The same evaluation engine handles both.
