Nexeed Documentations
Search
Multitenant Access Control 1.33.0
  • Integration Guide
  • Core Services
    • ID Builder
      • 3.6
      • 3.5
    • Deviation Processor
      • 1.10
      • 1.9
      • 1.8
    • Multitenant Access Control
      • 1.34.0
      • 1.33.0
      • 1.32.0
    • Notification Service
      • 1.27
      • 1.26
    • Ticket Management
      • 7.17.1
      • 7.17.0
      • 7.16.0
    • Web Portal
      • 5.21
      • 5.20
    • Block Management
  • Shopfloor Management
    • Global Production Overview
      • 5.8
      • 5.7
      • 5.6
    • Shopfloor Management Essentials
  • Machine & Equipment
    • Condition Monitoring
      • 4.6.0
      • 4.5.1
      • 4.5.0
      • 4.4.1
      • 4.4.0
    • Tool Management
      • 2.9
      • 2.8
      • 2.7
    • Maintenance Management
  • Product & Quality
    • Product Setup Management
      • 3.10
      • 3.8
    • Part Traceability
    • Process Quality
    • Setup Specs
  • Execution
    • Line Control
    • Material Management
      • 3.9
      • 3.8
      • 3.7
    • Order Management
      • 5.9
      • 5.8
      • 5.7
  • Intralogistics
    • Transport- & Stockmanagement
      • 4.2.0
      • 4.0.2
  • Machine & Equipment
    • Condition Monitoring
      • 4.6.0
      • 4.5.1
      • 4.5.0
      • 4.4.1
      • 4.4.0
    • Maintenance Management
  • Enterprise & Shopfloor Integration
    • Archiving Bridge
    • ERP Connectivity
      • 4.12.0
      • 4.11.0
      • 4.10.0
    • Data Publisher
    • Information Router
    • Master Data Management
      • 8.5.1
      • 8.5.0
      • 8.4.2
      • 8.4.1
      • 8.4.0
    • Orchestrator

Nexeed
Multitenant Access Control

    • Introduction
    • Concepts
      • Authentication
      • Authorization
      • Resources
      • Roles
      • Sharing
    • Getting started
      • Registration
      • Authentication
      • Authorization
      • Multitenancy
    • How-to
      • Get & handle tokens
      • OAuth 2.0 for Mobile and Native Apps
      • Evolve authorization in your application lifecycle
      • Use Web Core for user login
      • Handle our integration events
      • Do automated testing
      • Integrating with other environments
    • Deep dives
      • OAuth2 and its flows
      • OpenID Connect endpoints
    • Troubleshooting
    • Glossary
    • API documentations
      • HTTP API
      • Event API
  • Multitenant Access Control
  • Concepts
  • Roles
1.34.0 1.33.0 1.32.0

Roles

Multitenant Access Control enables a solution to manage authorization for their resources using RBAC (Role Based Access Control). The definition and rules for the creation, management and sharing of roles are explained in this section.

In a RBAC based system, roles are a first class citizen and control how data can be accessed by a set of users of an organization. In combination with an application’s access control list, roles enable authorization for protected resources. The authorization domain model specifies how roles interact with other entities in the system.

How roles interact with the rest of the system

Roles are assigned to users, applications (e.g. for service-to-service authentication) and groups.

  • Groups, users and applications can have multiple roles assigned.

  • Roles assigned to groups are inherited to subgroups.

  • Roles need to be assigned to applications to access other applications.

  • Roles indicate a certain job / position / area of work in an organization (e.g. software-developer, project-manager, …​)

  • Very specific and fine-grained roles like "dashboard-reader" can

    • lead to a huge amount of roles and

    • make it tough to assign all required privileges to a user for a new job / position.

Resource Access Permissions grant resource privileges to roles.

  • This means that roles define who gets to access what

  • Access to resources is transitive: Resources are protected by resource access permissions, resource access permissions are granted to roles, roles are assigned to users and/or clients

ACL Entries are derived from roles

  • In contrast to a traditional RBAC approach, where roles are defined on a protected resource of the software (e.g. a role defined on a specific REST controller or controller method) and matched against the roles of a user, Multitenant Access Control allows for a more flexible authorization. In order to do this, the required role to access a protected resource is defined in Multitenant Access Control itself - separately for each tenant. The information about which role is allowed to access which protected resource is transferred to the resource servers via an ACL.

  • The access control lists (ACL) allow applications to decide whether access to a protected resource should be granted based on a subject’s roles. To decide if a subject is permitted to access a protected resource, resource servers need to match the subject’s roles against the roles which are specified in the set of ACL entries for the requested resource.

Roles consist of a name and a description, with the name being a unique identifier. To ensure the uniqueness of a role, a URN specification which includes a custom Multitenant Access Control namespace and tenant identifiers is used.

Types

There are two types of roles.

Application roles

Application roles are a convenience functionality which allow applications to pre-define roles which grant access to static resources.
Especially for applications with many fine-grained resources it might make sense to use this functionality in order to help users manage access to the application’s functions on a coarser level.

Example:
An application can restrict the access to its data (like "all measurements") or functionality (like reporting) by registering them as resources.
In addition, the application can register application roles like 'Admin' which allow access to the registered resources.
A contract can be used to provide the application role including the related resources to other tenants.

Tenant/Organization roles

Organization (= Tenant) roles are used to grant access to resources in an individual way in addition to the predefined application roles.
They can also be used to grant access to dynamic resources (like measurements of a specific machine) in contrast to application roles. Organization roles are individual to a organization (tenant) and not connected to a single application, thus they cannot be part of a contract.

Identifier

The URN for Multitenant Access Control roles is defined as follows:

URI scheme type Namespace identifier Owning Tenant Application Organizational Unit (optional, not supported currently) Role name

urn

macma-tenant-role

tenant’s ID

-

unit name

For uniqueness of similar roles in different units of the same tenant (e.g. "Software Developer FE" and "Software Developer IMB").

sanitized role name

urn

macma-application-role

tenant’s ID

application name

-

sanitized role name

Examples

Type Role Name Role URN (in ACL) Corresponds to

Tenant/Organization Role

esw:operator

urn:macma-tenant-role:898d3d4c-1264-4577-b1e5-b142323b4aad:esw-operator

The operator of the ESW group for the tenant 898d3d4c-1264-4577-b1e5-b142323b4aad

Application Role

admin

urn:macma-application-role:898d3d4c-1264-4577-b1e5-b142323b4aad:sample-application:admin

Administration functionality of the application 'sample-application' in the tenant 898d3d4c-1264-4577-b1e5-b142323b4aad

Contents

© Robert Bosch Manufacturing Solutions GmbH 2023-2024, all rights reserved

Changelog Corporate information Legal notice Data protection notice Third party licenses