Bright Wolf Blog

How To Manage Data Access Control in Enterprise IoT Applications

Every IoT system collects data, creates insights based on that data, and shares the data and insights with a variety of users and applications. The need to share the data with a variety of users – each with differing sets of privileges – is the driving force behind the requirement for Role-Based Access Control (RBAC) capabilities within systems that expose IoT data to end users. Each role in an RBAC system grants a user permission to create, retrieve, update, or archive certain data elements under specific circumstances.

Let’s look at a simplified example of an IoT application for a better understanding of the underlying complexities of implementing RBAC in a connected industrial system.

User Role Types

Example roles that may be assigned to a given user.

  • Site Member
  • Organization Member
  • Organization Administrator
  • Customer Support
  • Replenishment
  • Super Administrator

Role Descriptions

Site Members: assigned to one or more Sites within an Organization. Site Members may view device history, dashboards, and map views for the Sites in which they are assigned the Site Member role.

Organization Members: assigned to an Organization. Organization Members may view device history, dashboards and map views for all Sites within the Organization. Organization Member is a shorthand way to grant access to all Sites, instead of making certain users Site Members at all Sites.

Organization Administrators: have all of the capabilities of Organization Members, plus the following additional capabilities:

  • Registering Alert Notifications
  • Defining new Sites and Locations within those Sites
  • Defining Device Types and Events
  • Assigning Devices to a specific Location and Device Type
  • Adding Organization Member and Site Member assignments to Users
  • Inviting Users to join their Organization

Customer Support: users are able to view data from all Organizations, but cannot change data in any of the Organizations. Customer Support can view individual device communication logs.

Replenishment: users are able to see the Inventory Pages and view the Remaining Useful Life for devices organized by Organization and Site.

Super Administrators: have Organization Administrator privileges in all Organizations in the system, in addition to the ability to Create new Organizations and view Server logs.

IoT Application Requirements for RBAC

Now that we’ve highlighted examples of different roles and the types of permissions each can have, let’s take a deeper dive into implementing RBAC in your IoT Application. In order to enable the scenarios described above, an IoT system must provide the following primary functions:

  • Role Authoring
  • Role Assignment
  • Access Control Enforcement
  • Permissions Discovery

Role Authoring: The system must allow the various data types to be described and must map the Create, Read, Update and Delete (CRUD) operations onto that data. (Note: what users think of as Delete in a Bright Wolf SpringBoard system is always really an Archive operation.) This mapping creates a set of potential permissions that are discoverable, assignable and enforceable. Additional permissions may be added at this stage for actions against systems integrated with the IoT application (for example, the ability to generate and send a test email or SMS notification). These permissions are then grouped based on the types of users that may interact with the IoT application; the logical groupings of permissions are called Roles.

Role Assignment: Role Assignment is the act of stating that a specific, authorized user is granted a specific Role within a specific context, such as an Organization. These assignments are typically stored in a corporate directory like LDAP or communicated via SAML assertions. Our recommended architecture supports a wide range of methods for receiving Role Assignment information.

Access Control Enforcement: Once a user has been authorized to log in, the Role Assignments for that user are retrieved. The server side of the application must ensure that the user cannot perform any action requiring permissions that aren't currently granted to them; hiding controls in the user interface is not a substitute for this server-side check.

Permissions Discovery: User interfaces should use a progressive disclosure pattern, where they only show a user sections of an application or website that they are authorized to interact with. This prevents user confusion and frustration. In order to understand what actions are permitted for a given user, a system needs the ability to inquire if the current user is permitted to perform a set of actions. The answer to this question enables the user interface code to decide whether or not to show a specific section of the interface to the user.
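The roles described earlier and the four functions above fit together in a small model, shown here as an added example (not Bright Wolf SpringBoard code). Role names, permission names, the Site-to-Organization table and the users are constructed for illustration; one deny-by-default check serves both enforcement and permissions discovery.

```python
"""RBAC model for the IoT roles above: roles group (action, data type)
permissions; an assignment grants a role within a scope (a Site, an
Organization, or the whole system); enforcement and discovery share one check."""
from dataclasses import dataclass, field

VIEW = {("read", "device_history"), ("read", "dashboard"), ("read", "map")}
ADMIN = VIEW | {("create", "alert_notification"), ("create", "site"),
                ("create", "device_type"), ("update", "device_assignment"),
                ("create", "role_assignment"), ("create", "invitation")}
# Role Authoring: the catalogue of roles and the permissions each one groups.
ROLES = {
    "site_member": VIEW,
    "org_member": VIEW,
    "org_admin": ADMIN,
    "customer_support": VIEW | {("read", "device_log")},
    "replenishment": {("read", "inventory"), ("read", "remaining_useful_life")},
    "super_admin": ADMIN | {("create", "organization"), ("read", "server_log")},
}
# Constructed tenancy: which Organization each Site belongs to.
SITE_ORG = {"site-1": "org-a", "site-2": "org-a", "site-3": "org-b", "site-4": "org-c"}

@dataclass(frozen=True)
class Assignment:
    """Role Assignment: a role granted within a scope ("site", "org" or "global")."""
    role: str
    scope: str
    target: str = ""  # Site id or Organization id; empty for global scope

    def covers(self, site: str) -> bool:
        """Does this assignment's scope include data belonging to the given Site?"""
        if self.scope == "global":
            return True
        if self.scope == "org":
            return SITE_ORG.get(site) == self.target
        return self.scope == "site" and self.target == site

@dataclass
class User:
    name: str
    assignments: list = field(default_factory=list)

def permitted_actions(user: User, site: str) -> set:
    """Permissions Discovery: everything the user may do against data at a Site."""
    allowed = set()
    for a in user.assignments:
        if a.role in ROLES and a.covers(site):  # an unknown role grants nothing
            allowed |= ROLES[a.role]
    return allowed

def is_permitted(user: User, action: str, data_type: str, site: str) -> bool:
    """Access Control Enforcement: deny unless an in-scope role grants the action."""
    return (action, data_type) in permitted_actions(user, site)
```

The UI calls `permitted_actions` to decide which sections to render; the server calls `is_permitted` on every request regardless of what the UI showed.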

RBAC As Infrastructure

“Buy your infrastructure, don’t build it” has become a common refrain in modern computing, especially in the cloud. Bright Wolf provides RBAC as an industrial IoT infrastructure component, supporting all four aspects of an RBAC system and protecting your IoT data. The result is true multi-tenancy for your customers, with centrally enforced data privacy policies along with reduced operating cost and complexity.

In the following deployment example, we can see how much simpler management of data access becomes when data is processed and stored centrally within an IoT system architecture that incorporates access control as a foundational design component.

  • 3 Customer Organizations
  • 4 Total Sites
  • 4 Data Types (service, operation, utilization, other)
  • 4 Example Users with different authorization rights

[Figure: IoT data access control deployment example]

By providing access control at the data-point level through consistent enterprise policy enforcement rather than as features of each IoT user interface, the responsibility and authority around user management remains a function of Enterprise IT and not an additional risk or burden added to IoT application developers.

Design for Production from the Beginning

In order for industrial IoT systems to produce and protect value through sophisticated access control in production, systems should be architected with a central data management plan in the prototype. If you’re just getting started with an IoT project and have questions, or are facing challenges with your existing system, let us know how we can help.

About Bright Wolf

Bright Wolf helps industrial enterprises increase business value by transforming operations and organizations with digital strategy, technology, solution delivery, and team enablement.
