RBAC & Permissions
TwinEdge Enterprise provides granular role-based access control (RBAC) to manage user permissions across your organization.
Custom roles and advanced RBAC are available on Enterprise plans. Professional plans include predefined roles.
Overview
RBAC in TwinEdge controls:
- What resources users can access (assets, dashboards, data)
- What actions users can perform (view, edit, delete, admin)
- What data users can see (organization-wide vs. scoped)
Built-in Roles
Admin
Full access to all features and settings.
Permissions:
- All data sources: Full access
- All dashboards: Create, edit, delete
- Alerts: Create, manage, delete
- ML Models: Full access
- Fleet Management: Full access
- Settings: Full access
- Users: Manage, invite, remove
Operator
Day-to-day operations access.
Permissions:
- Data sources: View, configure (no delete)
- Dashboards: Create, edit own
- Alerts: Create, acknowledge
- ML Models: View, deploy
- Fleet Management: View, send commands
- Settings: Limited
Viewer
Read-only access to data and dashboards.
Permissions:
- Data sources: View only
- Dashboards: View only
- Alerts: View, acknowledge
- ML Models: View only
- Fleet Management: View only
- Settings: None
Analyst (Professional+)
Data analysis and reporting access.
Permissions:
- Data sources: View
- Dashboards: Create, edit own
- Query Builder: Full access
- Reports: Create, schedule
- ML Models: Train, view
- Alerts: View
Custom Roles (Enterprise)
Creating Custom Roles
- Go to Settings → Roles
- Click Create Role
- Configure:
- Name: Role identifier
- Description: Role purpose
- Permissions: Select granular permissions
Permission Categories
Data Sources
| Permission | Description |
|---|---|
| data_sources:view | View data sources |
| data_sources:create | Create new data sources |
| data_sources:edit | Edit configuration |
| data_sources:delete | Delete data sources |
| data_sources:browse_tags | Browse and select tags |
Telemetry
| Permission | Description |
|---|---|
| telemetry:read | Read telemetry data |
| telemetry:write | Ingest telemetry |
| telemetry:export | Export data |
| telemetry:query | Execute queries |
Dashboards
| Permission | Description |
|---|---|
| dashboards:view | View dashboards |
| dashboards:create | Create dashboards |
| dashboards:edit | Edit dashboards |
| dashboards:delete | Delete dashboards |
| dashboards:share | Share dashboards |
Alerts
| Permission | Description |
|---|---|
| alerts:view | View alerts |
| alerts:acknowledge | Acknowledge alerts |
| alerts:create | Create alert rules |
| alerts:edit | Edit alert rules |
| alerts:delete | Delete alert rules |
ML Models
| Permission | Description |
|---|---|
| ml:view | View models |
| ml:train | Start training jobs |
| ml:deploy | Deploy models |
| ml:delete | Delete models |
Fleet
| Permission | Description |
|---|---|
| fleet:view | View devices |
| fleet:manage | Add/remove devices |
| fleet:command | Send commands |
| fleet:ota | Manage OTA updates |
Admin
| Permission | Description |
|---|---|
| users:view | View users |
| users:manage | Manage users |
| roles:manage | Manage roles |
| settings:view | View settings |
| settings:edit | Edit settings |
| billing:view | View billing |
| billing:manage | Manage billing |
Example: Quality Engineer Role
{
"name": "quality_engineer",
"description": "Quality control and analysis",
"permissions": [
"data_sources:view",
"telemetry:read",
"telemetry:query",
"telemetry:export",
"dashboards:view",
"dashboards:create",
"dashboards:edit",
"alerts:view",
"alerts:acknowledge",
"ml:view"
]
}
Example: Maintenance Technician Role
{
"name": "maintenance_tech",
"description": "Equipment maintenance",
"permissions": [
"data_sources:view",
"telemetry:read",
"dashboards:view",
"alerts:view",
"alerts:acknowledge",
"fleet:view",
"fleet:command"
]
}
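Before creating a custom role, it is worth linting the definition against the permission catalog above. The following is an added example, not TwinEdge's own code: `CATALOG` is copied from the permission tables on this page, while the three rules it applies (unknown permission name, a mutating permission granted without the category's view permission, and an admin-tier permission slipped into a custom role) are the author's assumptions about what a reviewer wants flagged, not product behaviour. The two role constants are the examples from this page; `SLOPPY_ROLE` is constructed to trigger every rule.

```python
"""Lint a custom role definition before creating it in Settings -> Roles."""
import json

# Permission catalog, copied from the tables on this page.
CATALOG = {
    "data_sources:view", "data_sources:create", "data_sources:edit",
    "data_sources:delete", "data_sources:browse_tags",
    "telemetry:read", "telemetry:write", "telemetry:export", "telemetry:query",
    "dashboards:view", "dashboards:create", "dashboards:edit",
    "dashboards:delete", "dashboards:share",
    "alerts:view", "alerts:acknowledge", "alerts:create", "alerts:edit",
    "alerts:delete",
    "ml:view", "ml:train", "ml:deploy", "ml:delete",
    "fleet:view", "fleet:manage", "fleet:command", "fleet:ota",
    "users:view", "users:manage", "roles:manage",
    "settings:view", "settings:edit", "billing:view", "billing:manage",
}

# Assumed "admin tier": permissions that change who can do what.
ADMIN_TIER = {"users:manage", "roles:manage", "settings:edit", "billing:manage"}

# Assumed rule: a mutating permission in these categories needs the category's
# view permission as well (telemetry has no view permission, so it is absent).
VIEW_FOR = {
    "data_sources": "data_sources:view", "dashboards": "dashboards:view",
    "alerts": "alerts:view", "ml": "ml:view", "fleet": "fleet:view",
    "users": "users:view", "settings": "settings:view", "billing": "billing:view",
}


def lint_role(role: dict) -> list:
    """Return a list of findings for a role definition (empty means clean)."""
    findings = []
    if not role.get("name"):
        findings.append("missing name")
    if not role.get("description"):
        findings.append("missing description")
    perms = role.get("permissions", [])
    seen = set()
    for p in perms:
        if p in seen:
            findings.append(f"duplicate permission {p}")
            continue
        seen.add(p)
        if p not in CATALOG:
            findings.append(f"unknown permission {p}")
            continue
        category, action = p.split(":", 1)
        view = VIEW_FOR.get(category)
        if view and action != "view" and view not in perms:
            findings.append(f"{p} granted without {view}")
        if p in ADMIN_TIER:
            findings.append(f"admin-tier permission {p} in a custom role")
    return findings


def lint_role_json(text: str) -> list:
    """Same check, taking the JSON body you would POST to /api/v1/roles."""
    return lint_role(json.loads(text))


# The two example roles from this page.
QUALITY_ENGINEER = {
    "name": "quality_engineer", "description": "Quality control and analysis",
    "permissions": ["data_sources:view", "telemetry:read", "telemetry:query",
                    "telemetry:export", "dashboards:view", "dashboards:create",
                    "dashboards:edit", "alerts:view", "alerts:acknowledge", "ml:view"],
}
MAINTENANCE_TECH = {
    "name": "maintenance_tech", "description": "Equipment maintenance",
    "permissions": ["data_sources:view", "telemetry:read", "dashboards:view",
                    "alerts:view", "alerts:acknowledge", "fleet:view", "fleet:command"],
}
# Constructed input that trips every rule.
SLOPPY_ROLE = {"name": "ops_helper",
               "permissions": ["alerts:edit", "roles:manage", "fleet:commnd", "alerts:edit"]}

if __name__ == "__main__":
    for role in (QUALITY_ENGINEER, MAINTENANCE_TECH, SLOPPY_ROLE):
        print(role["name"], lint_role(role) or "clean")
```

Run it over every role definition checked into your configuration repository; a non-empty result for a role that is about to be created is the cheapest possible review step.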
Resource-Level Permissions
Data Source Scoping
Limit users to specific data sources:
- Go to Settings → Users
- Select a user
- Click Resource Access
- Select allowed data sources
{
"user_id": "user-123",
"resource_scope": {
"data_sources": ["ds-456", "ds-789"],
"all_data_sources": false
}
}
Dashboard Sharing
Control dashboard visibility:
- Private: Only creator can access
- Team: Specific users/roles can access
- Organization: All organization members
Asset Groups
Create asset groups for access control:
- Go to Settings → Asset Groups
- Create groups (e.g., "Production Line A", "Building 1")
- Assign assets to groups
- Grant role access to groups
User Management
Assigning Roles
- Go to Settings → Users
- Select a user
- Choose Role: Select from available roles
- Optionally: Add resource scope restrictions
Multiple Roles
Users can hold multiple roles. The effective permission set is the union of all assigned roles, so adding a role never removes access; review the combined set rather than each role in isolation:
{
  "user_id": "user-123",
  "roles": ["operator", "analyst"]
}
Role Hierarchy
Define role inheritance:
roles:
  admin:
    inherits: []        # Top level, all permissions
  operator:
    inherits: ["viewer"]
    permissions: [...]
  viewer:
    inherits: []
    permissions: [...]
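The three mechanisms above (inheritance, union across several roles, and the data-source scope from Resource-Level Permissions) combine into one authorization decision. The following resolver is an added example, not TwinEdge's own code: the `ROLES` catalog follows the YAML shape above but its permission lists are the author's reading of the built-in role descriptions (admin is left out because it simply holds everything), and the scope rule it applies (a scoped user must hold the permission and the data source must be in the allowed list) is an assumption about how `resource_scope` is enforced.

```python
"""Resolve a user's effective permissions from roles, inheritance and scope."""
from dataclasses import dataclass
from typing import Optional

# Assumed catalog: role name -> inherits + own permissions, modelled on the
# built-in role descriptions on this page.
ROLES = {
    "viewer": {
        "inherits": [],
        "permissions": ["data_sources:view", "telemetry:read", "dashboards:view",
                        "alerts:view", "alerts:acknowledge", "ml:view", "fleet:view"],
    },
    "operator": {
        "inherits": ["viewer"],
        "permissions": ["data_sources:edit", "dashboards:create", "dashboards:edit",
                        "alerts:create", "ml:deploy", "fleet:command"],
    },
    "analyst": {
        "inherits": ["viewer"],
        "permissions": ["telemetry:query", "telemetry:export", "dashboards:create",
                        "dashboards:edit", "ml:train"],
    },
}


def expand_role(name: str, roles: dict = ROLES, _stack=()) -> set:
    """Permissions of a role including everything it inherits, transitively.
    Raises ValueError on an unknown role or an inheritance cycle."""
    if name in _stack:
        raise ValueError(f"inheritance cycle through {name}")
    if name not in roles:
        raise ValueError(f"unknown role {name}")
    perms = set(roles[name].get("permissions", []))
    for parent in roles[name].get("inherits", []):
        perms |= expand_role(parent, roles, _stack + (name,))
    return perms


def validate_catalog(roles: dict) -> list:
    """Error strings for every role that cannot be expanded (cycle, dangling inherit)."""
    errors = []
    for name in roles:
        try:
            expand_role(name, roles)
        except ValueError as e:
            errors.append(str(e))
    return errors


@dataclass
class User:
    user_id: str
    roles: list
    # Resource scope as on this page: None stands for all_data_sources=true.
    data_sources: Optional[set] = None


def effective_permissions(user: User, roles: dict = ROLES) -> set:
    """Union across all assigned roles: adding a role never removes access."""
    out = set()
    for r in user.roles:
        out |= expand_role(r, roles)
    return out


def is_allowed(user: User, permission: str, data_source: Optional[str] = None,
               roles: dict = ROLES) -> bool:
    """Assumed scope semantics: the permission must be held AND, when the
    request is bound to a data source and the user is scoped, that data
    source must be in the allowed list."""
    if permission not in effective_permissions(user, roles):
        return False
    if data_source is not None and user.data_sources is not None:
        return data_source in user.data_sources
    return True


if __name__ == "__main__":
    # user-123 as scoped on this page, holding both operator and analyst.
    u = User("user-123", ["operator", "analyst"], {"ds-456", "ds-789"})
    print(sorted(effective_permissions(u)))
    print(is_allowed(u, "telemetry:query", "ds-456"), is_allowed(u, "telemetry:query", "ds-999"))
```

Note that `validate_catalog` is what should run whenever a role definition changes: a cycle or a dangling `inherits` entry otherwise surfaces only as an "Access Denied" error for some user later.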
API Access Control
API Key Permissions
An API key either inherits the owning user's permissions or carries a custom scope. With `"scope": "inherit"` the key can do everything the user can, so it is exactly as powerful as that user's combined roles:
{
  "name": "Integration Key",
  "user_id": "user-123",
  "scope": "inherit"
}
Or with custom scope:
{
"name": "Read-Only Key",
"user_id": "user-123",
"scope": "custom",
"permissions": ["telemetry:read", "dashboards:view"]
}
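A key should never out-rank the user or service account it belongs to, and a service-account key should not carry the admin-tier permissions its owner is barred from. The checker below is an added example, not TwinEdge's own code: the two key shapes are the ones shown above, while both rules it enforces (custom scope must be a subset of the owner's permissions; service-account keys may not hold `users:manage`, `roles:manage`, `settings:edit` or `billing:manage`) are the author's assumptions, not documented product behaviour. `narrow_to_custom` shows the usual remediation: converting an inherit-scoped integration key to a custom scope listing only what the integration actually uses.

```python
"""Validate an API-key definition against its owner's permissions."""

# Assumed "admin tier", mirroring "Assign role: Limited to non-admin roles".
ADMIN_TIER = {"users:manage", "roles:manage", "settings:edit", "billing:manage"}


def resolve_key_permissions(key: dict, owner_permissions: set,
                            service_account: bool = False) -> set:
    """Return the permissions the key would carry, or raise if it would
    exceed its owner or (for a service account) reach admin-tier permissions."""
    scope = key.get("scope")
    if scope == "inherit":
        granted = set(owner_permissions)
    elif scope == "custom":
        granted = set(key.get("permissions", []))
        excess = granted - set(owner_permissions)
        if excess:
            raise PermissionError(
                f"key {key.get('name')!r} requests permissions its owner lacks: {sorted(excess)}")
    else:
        raise ValueError(f"unknown scope {scope!r}")
    if service_account and granted & ADMIN_TIER:
        raise PermissionError(
            f"service-account key {key.get('name')!r} carries admin-tier permissions: "
            f"{sorted(granted & ADMIN_TIER)}")
    return granted


def key_is_valid(key: dict, owner_permissions: set, service_account: bool = False) -> bool:
    try:
        resolve_key_permissions(key, owner_permissions, service_account)
        return True
    except (PermissionError, ValueError):
        return False


def narrow_to_custom(key: dict, needed: set, owner_permissions: set) -> dict:
    """Turn an inherit-scoped key into a custom-scoped one carrying only
    `needed`, verified against the owner before it is returned."""
    narrowed = {**key, "scope": "custom", "permissions": sorted(needed)}
    resolve_key_permissions(narrowed, owner_permissions)
    return narrowed


# The two key definitions from this page; OWNER is a constructed permission set
# for user-123.
INTEGRATION_KEY = {"name": "Integration Key", "user_id": "user-123", "scope": "inherit"}
READ_ONLY_KEY = {"name": "Read-Only Key", "user_id": "user-123", "scope": "custom",
                 "permissions": ["telemetry:read", "dashboards:view"]}
OWNER = {"telemetry:read", "telemetry:query", "dashboards:view", "dashboards:create"}

if __name__ == "__main__":
    print(sorted(resolve_key_permissions(INTEGRATION_KEY, OWNER)))
    print(narrow_to_custom(INTEGRATION_KEY, {"telemetry:read"}, OWNER))
```

The inherit case is the one to watch during reviews: the key's real reach changes silently every time the owner gains a role.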
Service Accounts
Create service accounts for integrations:
- Go to Settings → Service Accounts
- Click Create Service Account
- Assign role: Limited to non-admin roles
- Generate API key
Audit Trail
All permission changes are logged:
- Role assignments
- Permission changes
- Resource access changes
- Failed authorization attempts
View in Settings → Audit Log
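Two detections worth running over an export of that log are a burst of failed authorization attempts from one principal (scope probing or a compromised key) and any role assignment that includes admin, especially when the actor grants it to themselves. The following is an added example, not TwinEdge's own code: the page states which event types are logged, but the JSON-lines field names (`ts`, `actor`, `event`, `target`, `roles`) and `SAMPLE_LOG` are constructed for this example and are not the real export format.

```python
"""Two detections over an (assumed JSON-lines) export of the TwinEdge audit log."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five denials for user-123 inside 20 seconds, two isolated
# denials for user-777 an hour apart, one admin self-grant, one routine grant.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","actor":"user-123","event":"authz.denied","target":"ds-999","permission":"telemetry:export"}
{"ts":"2024-05-01T10:00:04Z","actor":"user-123","event":"authz.denied","target":"ds-998","permission":"telemetry:export"}
{"ts":"2024-05-01T10:00:09Z","actor":"user-123","event":"authz.denied","target":"ds-997","permission":"telemetry:export"}
{"ts":"2024-05-01T10:00:15Z","actor":"user-123","event":"authz.denied","target":"ds-996","permission":"telemetry:export"}
{"ts":"2024-05-01T10:00:20Z","actor":"user-123","event":"authz.denied","target":"ds-995","permission":"telemetry:export"}
{"ts":"2024-05-01T10:03:00Z","actor":"user-777","event":"authz.denied","target":"ds-1","permission":"fleet:ota"}
{"ts":"2024-05-01T10:05:00Z","actor":"user-456","event":"role.assigned","target":"user-456","roles":["operator","admin"]}
{"ts":"2024-05-01T10:06:00Z","actor":"user-001","event":"role.assigned","target":"user-789","roles":["operator","analyst"]}
{"ts":"2024-05-01T11:00:00Z","actor":"user-777","event":"authz.denied","target":"ds-2","permission":"fleet:ota"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def failed_auth_bursts(events: list, threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> dict:
    """Actors with at least `threshold` authz.denied events inside any `window`.
    Returns {actor: peak count in a window}."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "authz.denied":
            by_actor[e["actor"]].append(e["ts"])
    hits = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[actor] = max(hits.get(actor, 0), count)
    return hits


def admin_grants(events: list, privileged=("admin",)) -> list:
    """Role assignments that include a privileged role, with self-grants marked."""
    out = []
    for e in events:
        if e["event"] == "role.assigned" and set(e.get("roles", [])) & set(privileged):
            out.append({"target": e["target"], "by": e["actor"],
                        "self_grant": e["actor"] == e["target"],
                        "ts": e["ts"].isoformat()})
    return out


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(failed_auth_bursts(evts))
    print(admin_grants(evts))
```

Tune `threshold` and `window` to your environment; a noisy integration that probes for resources it is not scoped to will otherwise dominate the alert.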
Best Practices
Principle of Least Privilege
- Start with minimal permissions
- Add permissions as needed
- Review permissions regularly
- Remove unused access
Role Design
- Group by function: Create roles matching job functions
- Avoid too granular: Too many roles are hard to manage
- Document purpose: Include descriptions
- Test before deploying: Verify permissions work as expected
Regular Reviews
- Monthly: Review user role assignments
- Quarterly: Audit custom roles
- On change: Review when employees change roles
Emergency Access
Set up break-glass procedures:
- Create emergency admin account
- Store credentials securely
- Enable only when needed
- Audit all emergency access
Troubleshooting
"Access Denied" Errors
- Check user's role
- Verify resource scope
- Check permission in role
- Review audit log for details
Permission Not Working
- User may need to log out/in
- Check every role the user holds; permissions combine, so the permission must be present in at least one of them
- Verify role is active
Role Changes Not Applied
- Changes take effect on next login
- Force session refresh if needed
- Check for caching issues
API Reference
List Roles
GET /api/v1/roles
Authorization: Bearer YOUR_API_KEY
Create Custom Role
POST /api/v1/roles
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
{
"name": "custom_role",
"description": "Custom role description",
"permissions": ["telemetry:read", "dashboards:view"]
}
Assign Role to User
As a PUT, the body is the user's complete role list; send every role the user should keep, not just the one being added.
PUT /api/v1/users/{id}/roles
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
{
  "roles": ["operator", "analyst"]
}
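A small client that adds a role without dropping the roles a user already holds, as an added example and not TwinEdge's own client. It uses the endpoints documented on this page (`GET /api/v1/roles`, `PUT /api/v1/users/{id}/roles`) and assumes ordinary PUT semantics (the body replaces the whole list), which is why it reads the current list first; that read uses `GET /api/v1/users/{id}/roles`, and the assumption that `GET /api/v1/roles` returns a list of objects with a `name` field is likewise not documented on this page. The transport is injected so the logic can run offline against the constructed `FakeApi`.

```python
"""Grant roles via the API while preserving the roles a user already has."""
import json
from urllib import request


def http_transport(base_url: str, api_key: str):
    """Real transport: send(method, path, body) -> parsed JSON response."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(
            base_url.rstrip("/") + path, data=data, method=method,
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json"})
        with request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return send


def add_roles(send, user_id: str, new_roles) -> list:
    """Add new_roles to user_id. Refuses unknown role names, and only sends a
    PUT when the merged list actually differs from the current one."""
    known = {r["name"] for r in send("GET", "/api/v1/roles")}   # assumed response shape
    unknown = set(new_roles) - known
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    current = send("GET", f"/api/v1/users/{user_id}/roles")["roles"]  # assumed endpoint
    merged = list(dict.fromkeys([*current, *new_roles]))            # union, order kept
    if merged == current:
        return current
    return send("PUT", f"/api/v1/users/{user_id}/roles", {"roles": merged})["roles"]


class FakeApi:
    """In-memory stand-in for the API, constructed for offline use."""
    def __init__(self):
        self.roles = [{"name": n} for n in ("admin", "operator", "viewer", "analyst")]
        self.user_roles = {"user-123": ["operator"]}
        self.calls = []

    def send(self, method, path, body=None):
        self.calls.append((method, path, body))
        if (method, path) == ("GET", "/api/v1/roles"):
            return self.roles
        uid = path.split("/")[4]                      # /api/v1/users/{id}/roles
        if method == "GET":
            return {"roles": list(self.user_roles.get(uid, []))}
        if method == "PUT":
            self.user_roles[uid] = list(body["roles"])
            return {"roles": self.user_roles[uid]}
        raise ValueError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    api = FakeApi()
    print(add_roles(api.send, "user-123", ["analyst"]))   # operator kept
    # Against a real tenant: add_roles(http_transport("https://example.invalid", "KEY"), ...)
```

The read-before-write is the whole point: a script that PUTs `{"roles": ["analyst"]}` directly would silently strip operator from the user.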
Next Steps
- SSO Configuration - Integrate with identity providers
- Audit Logging - Track permission usage
- White-Labeling - Customize branding