Version 2.60 (2020-10-06)
Important notices
Technical documentation available online
All technical documentation for Managed IoT Cloud, including API specifications, Release Notes, and Getting Started Guides, is available online: https://docs.telenorconnexion.com/mic/
Features
Permissions
With this release, we announce the general availability of the Permissions functionality (formerly called Advanced Permissions).
Background
Access to Things in MIC is controlled by a hierarchical domain tree. A user has a home domain, and any access the user has applies to their home domain and all child domains. Access does not flow upward in the tree, nor does it extend to any sibling domains. Before the launch of Permissions, MIC supported two roles: Read and Read/Write. A user could have only one of them, and it applied to the user’s home domain and any child domains.
Access Control Capabilities
With Permissions, we now introduce further capabilities to control user access.
- Fine-grained access control within domains, e.g. allowing access to things, but not to device management
- Cross-domain access, e.g. letting a user in one part of the domain tree access data in a different part of the domain tree
Roles & Privileges
Privileges are given to users through Roles. Before Permissions, these roles were limited to Read and Read/Write (now called System Roles), and they applied to the user’s domain (now called home domain). These two System Roles still exist, but Permissions introduces the ability to create additional roles that can be configured by customers. A user can have many different roles, and the privileges of these roles are applied additively. For example, a user with the ReadWrite role in domain A can be given an additional Role that grants privileges in domain B (domain B being a sibling to A).
Each Role has one or more Privileges. The Privileges define what the Role allows a user to do. A Privilege applies to an object type, e.g. “Users”, “Thing Pub/Sub”, or “Observations” (historic Thing data). A Privilege can apply to either the user’s home domain or to any other specified domain.
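The access model described above (downward-only inheritance, one mandatory System Role on the home domain, additional roles with per-object-type privileges evaluated additively) as a small Python check. This is an added illustration, not Telenor's code or API; the domain tree, the class names and the use of "*" to model a System Role as a blanket privilege are assumptions.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional
# Constructed domain tree (child -> parent): root "acme", siblings "a"/"b", children "a1"/"b1".
PARENTS = {"acme": None, "a": "acme", "b": "acme", "a1": "a", "b1": "b"}

def in_subtree(domain: Optional[str], ancestor: str) -> bool:
    """True if `domain` is `ancestor` or lies below it: access flows down only."""
    while domain is not None:
        if domain == ancestor:
            return True
        domain = PARENTS[domain]
    return False

@dataclass(frozen=True)
class Privilege:
    object_type: str              # "Things", "Observations", "ThingPubSub"; "*" = all
    actions: FrozenSet[str]       # {"read"} or {"read", "write"}
    domain: Optional[str] = None  # None = the user's home domain

@dataclass
class Role:
    name: str
    privileges: List[Privilege] = field(default_factory=list)
    def __post_init__(self) -> None:
        # A role may carry at most one privilege per object type (see Limitations).
        types = [p.object_type for p in self.privileges]
        if len(types) != len(set(types)):
            raise ValueError(f"role {self.name}: one privilege per object type")

# The two System Roles, modelled as a blanket privilege on the home-domain subtree.
SYSTEM_ROLES = {
    "Read": Role("Read", [Privilege("*", frozenset({"read"}))]),
    "ReadWrite": Role("ReadWrite", [Privilege("*", frozenset({"read", "write"}))]),
}

@dataclass
class User:
    home_domain: str
    system_role: Role                 # mandatory: every user keeps one System Role
    extra_roles: List[Role] = field(default_factory=list)

def allowed(user: User, action: str, object_type: str, target: str) -> bool:
    """Additive check: any role whose privilege covers the request grants it."""
    for role in [user.system_role, *user.extra_roles]:
        for p in role.privileges:
            anchor = p.domain or user.home_domain
            if (p.object_type in ("*", object_type) and action in p.actions
                    and in_subtree(target, anchor)):
                return True
    return False
```

A user with ReadWrite at home domain "a" plus a read-only Observations role on sibling "b" can write Things in "a1", read Observations in "b1", but can neither reach the parent "acme" nor read Things in "b".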
Scope of first launch
The first launch includes both the fine-grained access and the cross-domain access capabilities facilitated through Privileges. The focus of the release is enabling the new capabilities while ensuring that all pre-Permissions capabilities continue to work seamlessly. All customers can start using the new capabilities, but note that some limitations apply (see below).
App Board is intended as a management console for Permissions and user access control. In addition, all capabilities are available through the API, provided with online documentation and a guide. App Board and existing customer applications using the MIC API will work as normal without any need to be updated. To benefit from the new Permissions capabilities, customer applications will typically need to be updated.
Limitations
Permissions have some important restrictions and limitations:
- It is not possible to remove the System Role from a user. All users must have one System Role on their home domain.
- A role can only have one privilege of each object type. If a user needs Privileges to the same object type (e.g. Things) in more than one domain, multiple roles will need to be used, each containing one Privilege of the desired object type.
- If a domain that is used in a ThingPubSub privilege is moved or the domain ID is changed, the privilege will be broken and will have to be removed and recreated.
- The ThingPubSub privilege relies on a policy document to work. The policy document has a strict size limitation. If a created or updated privilege results in a policy document that exceeds the size limit, the action will throw a POLICY_DOCUMENT_LIMIT_EXCEEDED error. You then have to adjust one of the following three factors to achieve a successful result:
- The length of the domain ID specified in the privilege
- The depth of each domain in the domain tree
- A user can only have 7 roles with a ThingPubSub privilege.
Further details on limitations are available in the online documentation.
Please note
- There are some changes to the APIs formerly released under BETA status, meaning that you will need to revise your code if you have started to experiment with the Permissions API under BETA status.
- On the App Board Users page, we have removed the Role column. You can find all roles of the user in the user details modal. The system role is shown under “Role” and other roles under “Additional roles”.
Documentation on Permissions
- Guide to Permissions
- User Guide MIC App Board
- Presentation “Introduction to Permissions” (available on request as a pdf document)
Further Permissions capabilities will be added
Permissions will be extended with more capabilities over time, both by tackling known limitations and adding new capabilities. Please get in touch should you miss any specific capability.
Minor improvements and corrections
This release also delivers minor enhancements and bug fixes, including:
- Fixed issues preventing Networked Things from being created when the MIC instance was using the IoT Gateway.