Kapua Permissions Explained
Kapua has a lot of different permissions for various purposes, all of which can be mixed to get different combinations for different users and purposes - this naturally adds complexity to them but also opens a world of possibilities. This way we can have users that can see and edit Devices but cannot delete them or users that can only see Tags or Roles with "Permissions" tab...
This document was created because adding, editing and using permissions in Kapua can be rather difficult some times, so end users like you will not waste time with searching and debugging which permission(s) is/are needed for certain operation but will rather focus on the primary task itself.
Below there is a description for every service/grid in Kapua and which permissions need to be granted in order to see certain tabs or to enable certain buttons or features. For most of them the process and logic are pretty straightforward but some of them must be "studied" a bit in detail.
Forwardable Permissions
But before we dive into Kapua's permissions we have to mention one important thing that can be more confusing than others - so called Forwardable option in permissions.
Forwardable permission is a link between a parent account and child account; It enables parent account to edit child account's settings, view its Users... In short, this permission can limit certain user to viewing users only in his "scope". The best way to explain this is through an example. Imagine you have account named account0 and in this account you have the following users:
- user0 (permissions: Account:Read, Account:Write, User:Read - forwardable set to False)
- user1 (permissions: Account:Read, Account:Write, User:Read - forwardable set to True)
Create a child account within account0 named account0_1. Now login as user0 and go to Child Accounts view - try to see account0_1's Users - Kapua will return an error. This is because this user does not have Forwardable option on User permission set to true and thus user cannot see Child Account's users. Same thing happens if you navigate to upper right corner where the [username]@[account name] button is, you click Switch to Account..., select account0_1 and then navigate through the GUI - Kapua will start reporting errors that you do not have proper permissions to do this.
Same thing happens with Account:Write permission - if this user tries to change account's parameters, Kapua will return an error saying that user does not have proper permissions, which is again OK, since user's Account:Write permission is not Forwardable. This may be a bit odd for you, but we will talk more about this in a moment.
If you now login as user1, there will not be such problems, since all the permissions are forwardable - as user1 you will be able to see all of the child account's settings and also all of the users and their parameters.
If we now take a deeper dive into this, you can see, that Forwardable permission opens several options - you can close user in his so called scope - so he can only see his account and his users, but if he also has Forwardable permission, he can also see Users in Child Accounts and all of their settings. This is also explained in Child Accounts section of this text.
In this document only specific permissions and permission mix will be described, simple Read/Write/Delete permissions will be skipped if their functionalities are straightforward - but if you still have any questions after reading this document, please post a question/issue on Github or join us on one of community meetings!
Welcome and About
Welcome and About are used to show some basic information about Kapua. These two tabs are enabled by default, so user can always see and use them (even if the user has no permissions). User can also always change its password (upper right corner).
Connections
Connections in Kapua are one of the special items in Main menu grid. Because user cannot add or delete connections (that can only Broker do), user can only edit parameters of certain connection (that is why table bellow does not describe how to enable Add or Delete buttons).
Connections view is also closely related to Users in Kapua - connections can be connected/reserved to/for a certain user only (Reserved User and Allow user Change options) or can be open to all users. Because of this, Connections view has two "User" filter options - Reserved User and Last User which are enabled only if user has User:Read permission - otherwise these filter options are not available.
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Connections tab in main menu | Device_connection:Read | No |
| Enabled Edit button | Device_connection:Read | No |
| Enabled Refresh button in Connections | Device_connection:Read Device_connection:Write | No |
| See Reserved User option | Device_connection:Read Device_connection:Write User:Read | No |
| See Allow User Change option | Device_connection:Read Device_connection:Write User:Read | No |
| See Last User filter option | Device_connection:Read Device_connection:Write User:Read | No |
| See Reserved User filter option | Device_connection:Read Device_connection:Write User:Read | No |
Devices
Kapua is a device management software and therefore it is logical that we have Device view. With it, we can monitor the device's condition, status and many other things. If user has Command permissions, we can even send some simple commands to it remotely or reboot it, if necessary. Devices view is the most complex view in Kapua, since it has more than 10 tabs and subtabs all of which need some special permissions for viewing/editing. If user has only Device:Read permission, the Description tab will be enabled and user will be able to see all the info of a certain device (if there are any, since user cannot add devices without Device:Write permission). Export to CSV button and refresh button are also enabled (even if there are no devices in the list).
One of the specialities is in Tags tab - user needs Device:Write permission to be able to add and delete tags and not Device:Delete or Tag:Write/Delete since there permissions are used for deleting devices and editing/deleting tags respectively.
Other buttons/features do no require any special permissions as you can see from the table bellow.
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Devices tab in main menu | Device:Read | No |
| Enabled Refresh button | Device:Read | No |
| Enabled Export to CSV button | Device:Read | No |
| Enabled Add button | Device:Read Device:Write | No |
| Enabled Access Group option in Add window | Device:Read Device:Write Group:Read | No |
| Enabled Edit button | Device:Read Device:Write | No |
| Enabled Access Group option in Edit window | Device:Read Device:Write Group:Read | No |
| Enabled Delete button | Device:Read Device:Delete | No |
| Enabled Group option in filter menu | Device:Read Group:Read | No |
| Enabled Tag option in filter menu | Device:Read Tag:Read | No |
| TAG TAB | ||
| Enabled Tag tab | Device:Read Tag:Read | No |
| Enabled Refresh button in Tag tab | Device:Read Tag:Read | No |
| Enabled Apply button in Tag tab | Device:Read Device:Write Tag:Read | No |
| Enabled Remove button in Tag tab | Device:Read Device:Write Tag:Read | No |
| EVENTS TAB | ||
| Enabled Events tab | Device:Read Device_event:Read | No |
| Enabled Refresh button in Events tab | Device:Read Device_event:Read | No |
| Enabled Export to CSV button in "Events" tab | Device:Read Device_event:Read | No |
| PACKAGES TAB | ||
| Enabled Packages tab (Installed and In Progress subtabs) | Device:Read Device_management:Read | No |
| Enabled Refresh button in Packages tab | Device:Read Device_management:Read | No |
| Enabled Install button in Packages tab | Device:Read Device_management:Read Device_management:Write | No |
| Enabled Uninstall button in Packages tab | Device:Read Device_management:Read Device_management:Write | No |
| Enabled History subtab in Packages tab | Device:Read Device_management:Read Device_management-registry:Read | No |
| BUNDLES TAB | ||
| Enabled Bundles tab | Device:Read Device_management:Read | No |
| Enabled Refresh button in Bundles tab | Device:Read Device_management:Read | No |
| Enabled Start button in Bundles tab | Device:Read Device_management:Read Device_management:Execute | No |
| Enabled Stop button in Bundles tab | Device:Read Device_management:Read Device_management:Execute | No |
| CONFIGURATION TAB | ||
| Enabled Configuration tab (Services and Snapshots subtabs) | Device:Read Device_management:Read | No |
| Enabled Refresh button in Configuration tab | Device:Read Device_management:Read | No |
| Enabled Save button in Configuration tab | Device:Read Device_management:Read Device_management:Write | No |
| Enabled Discard button in Configuration tab | Device:Read Device_management:Read Device_management:Write | No |
| Enabled Refresh button in Snapshots subtab | Device:Read Device_management:Read Device_management:Write | No |
| Enabled Download button in Snapshots subtab | Device:Read Device_management:Read Device_management:Write | No |
| Enabled Rollback to button in Snapshots subtab | Device:Read Device_management:Read Device_management:Write | No |
| Enabled Upload And Apply button in Snapshots subtab | Device:Read Device_management:Read Device_management:Write | No |
| COMMAND TAB | ||
| Enabled Command tab | Device:Read Device_management:Read Device_management:Execute | No |
| ASSETS TAB | ||
| Enabled Assets tab | Device:Read Device_management:Read | No |
| Enabled Refresh button in Assets tab | Device:Read Device_management:Read | No |
| Enabled Save button in Assets tab | Device:Read Device_management:Read Device_management:Write | No |
| Enabled Discard button in Assets tab | Device:Read Device_management:Read Device_management:Write | No |
Batch Jobs
Another interesting and generally useful feature in Kapua are Jobs. User can start/stop bundles, write assets or configuration, download and install a package and lots more on remote devices - they can even be scheduled in advance! All in all it is a powerful tool for device management.
Everything you need to start working with Jobs is in bottom table - it is pretty straightforward. If in doubt, do not hesitate to ask us for more clarification.
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Batch Jobs tab in main menu | Job:Read | No |
| Enabled Refresh button | Job:Read | No |
| Enabled Add button | Job:Read Job:Write | No |
| Enabled Edit button | Job:Read Job:Write | No |
| Enabled Delete button | Job:Read Job:Delete | No |
| Enabled Start button | Job:Read Job:Execute | No |
| Enabled Stop button | Job:Read Job:Execute | No |
| Enabled Restart button | Job:Read Job:Execute | No |
| TARGETS TAB | ||
| Enabled Targets tab | Job:Read Device:Read | No |
| Enabled Refresh button | Job:Read Device:Read | No |
| Enabled Add button | Job:Read Job:Write Device:Read | No |
| Enabled Delete button | Job:Read Job:Delete Device:Read | No |
| Enabled Start button | Job:Read Job:Execute Device:Read | No |
| STEPS TAB | ||
| Enabled Steps tab | Job:Read | No |
| Enabled Refresh button | Job:Read | No |
| Enabled Add button | Job:Read Job:Write | No |
| Enabled Edit button | Job:Read Job:Write | No |
| Enabled Delete button | Job:Read Job:Delete | No |
| SCHEDULES TAB | ||
| Enabled Refresh button | Job:Read Scheduler:Read | No |
| Enabled Add button | Job:Read Scheduler:Read Scheduler:Write | No |
| Enabled Delete button | Job:Read Scheduler:Read Scheduler:Delete | No |
| EXECUTIONS TAB | ||
| Enabled Refresh button | Job:Read |
Data
Data tab is one of the simplest tabs in Kapua which is used to see the data that is sent from devices. It literally needs only one permission for showing the Data tab and "Device:Read" permission to show two additional tabs ("By Device" and "By Assets"). Because user cannot write (or delete) data in kapua, there is no need (for now) for user to have "Data:Write/Delete" permissions.
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Data tab in main menu | Datastore:Read | No |
| Enabled Refresh button | Datastore:Read | No |
| "BY DEVICE" TAB | ||
| Enabled Refresh button | Device:Read Datastore:Read | No |
| "BY ASSET" TAB | ||
| Enabled Refresh button | Device:Read Datastore:Read | No |
Tags
Tags are interesting feature in Kapua, allowing user to tag certain devices with a specific tag for various purposes. This is different than grouping, since user can see all the devices regardless of their tags, but cannot see devices in ceratain groups if he has insufficient permissions (see Group option in permissions). Also device can have multiple tags but can be part of only one group.
Tags can be used to check devices that are in certain area or in certain state or anything similar. This gives end-user additional options over device management. All the permissions are pretty straight forward and do not need any extra explanation.
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Tags tab in main menu | Tag:Read | No |
| Enabled Refresh button | Tag:Read | No |
| Enabled Add button | Tag:Read Tag:Write | No |
| Enabled Edit button | Tag:Read Tag:Write | No |
| Enabled Delete button | Tag:Read Tag:Delete | No |
| ASSIGNED DEVICES TAB | ||
| Enabled Assigned Devices tab | Tag:Read Device:Read | No |
| Enabled Refresh button | Tag:Read Device:Read | No |
Users
Users in Kapua are basis for everything - without user you cannot even login! Nevertheless, let's take a closer look on some of the permissions. To see Users tab, end-user needs only User:Read permissions and nothing else. To edit and delete them, User:Write and User:Delete permissions are needed respectively.
For showing Credentials tab, user needs Credentials:Read permission (alongside with User:Read) and for editing/unlocking/deleting them Credentials:Write and Credentials:Delete respectively.
Roles tab is a bit different. For Roles tab to be visible user needs User:Read, Role:Read and Access_info:Read permissions, but for Add and Revoke buttons to be enabled user also needs Access_info:Write/Delete (and not "Role:Write/Delete" "- these are meant for adding, editing and deleting roles).
"Permissions" tab is again a bit different and deserves a bit more explanation then others. If user wants to see Permissions tab, "Access_info:Read", "User:Read" and "Domain:Read" permissions are needed - do not forget on Domain:Read permission! But why? If you look at "Grant Permission" window closely, you will see, that we have "Domain", "Action", "Access Group" and "Forwardable" options - and the first one, "Domain" has its own permission just for enabling this dropdown menu. You can imagine "Domain:Read" permission as "entry point" for all other permissions and this is its only task. It has no other function in Kapua except this. This is also the reason why "Domain:Write" and "Domain:Delete" permissions are not needed - user needs Access_info:Write/Delete to grant and revoke permissions.
Word of caution: Be careful which permissions you grant to users, because if you grant them Access_info:Read/Write in combination with User:Read, they can start granting permissions themselves and therefore do things they are not supposed to.
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Users tab in main menu | User:Read | No |
| Enabled Refresh button | User:Read | No |
| Enabled Add button | User:Read User:Write | No |
| Enabled Edit button | User:Read User:Write | No |
| Enabled Delete button | User:Read User:Delete | No |
| See Reserved for Connection option | User:Read Connection:Read Device:Read | No |
| CREDENTIALS TAB | ||
| Enabled Credentials tab | User:Read Credential:Read | No |
| Enabled Refresh button | User:Read Credential:Read | No |
| Enabled Add button | User:Read Credential:Read Credential:Write | No |
| Enabled Edit button | User:Read Credential:Read Credential:Write | No |
| Enabled Delete button | User:Read Credential:Read Credential:Delete | No |
| Enabled Unlock button | User:Read Credential:Read Credential:Write | No |
| ROLES TAB | ||
| Enabled Roles tab | User:Read Role:Read | No |
| Enabled Refresh button | User:Read Role:Read Access_info:Read | No |
| Enabled Assign button | User:Read Role:Read Access_info:Read Access_info:Write | No |
| Enabled Remove button | User:Read Role:Read Access_info:Read Access_info:Delete | No |
| PERMISSIONS TAB | ||
| Enabled Permissions tab | User:Read Access_info:Read Domain:Read | No |
| Enabled Refresh button | User:Read Access_info:Read Domain:Read | No |
| Enabled Grant button | User:Read Access_info:Read Domain:Read Access_info:Write | No |
| Enabled Revoke button | User:Read Access_info:Read Domain:Read Access_info:Delete | No |
Roles
Roles are best to imagine as a "set of permissions"; User can add several permissions to a certain role and name it e.g. "user_roles" and this role can then be assigned to multiple users. End result is that this is much faster than adding every single role to every user - and it is also more elegant.
Roles have no special permission combinations, so user has to have Role:Read/Write/Delete permissions to see, edit and delete permissions and Access_info permissions in combination with Role permissions to see "Permission" tab.
If user wants to see which role is granted to which user, User:Read permission has to be added (see table bellow).
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Roles in main menu | Role:Read | No |
| Enabled Refresh button | Role:Read | No |
| Enabled Add button | Role:Read Role:Write | No |
| Enabled Edit button | Role:Read Role:Write | No |
| Enabled Delete button | Role:Read Role:Delete | No |
| PERMISSIONS TAB | ||
| Enabled Permissions tab | Role:Read Access_info:Read Domain:Read | No |
| Enabled Refresh button | Role:Read Access_info:Read Domain:Read | No |
| Enabled Add button | Role:Read Access_info:Read Role:Write Domain:Read | No |
| Enabled Delete button | Role:Read Access_info:Read Role:Delete Domain:Read | No |
| GRANTED USERS TAB | No | |
| Enabled Granted Users tab | Role:Read User:Read | No |
| Enabled Refresh button | Role:Read User:Read | No |
Access Groups
Access Groups have similar purpose in Kapua as Tags but with one important difference - every device can be part only of one group, whereas number of tags is not limited. This adds additional options in Kapua - it may seem obsolete but if there are hundreds of devices, every "sorting" feature like this comes in handy.
There are no special permissions needed for showing Access Groups item in the main menu - user only needs Access_group:Read/Write/Delete permissions and optional Device:Read for viewing "Assigned Devices" tab.
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Access Groups in main menu | Group:Read | No |
| Enabled Refresh button | Group:Read | No |
| Enabled Add button | Group:Read Group:Write | No |
| Enabled Edit button | Group:Read Group:Write | No |
| Enabled Delete button | Group:Read Group:Delete | No |
| ASSIGNED DEVICES TAB | ||
| Enabled Assigned Devices tab | Group:Read Device:Read | No |
| Enabled Refresh button | Group:Read Device:Read | No |
Child Accounts
Child Accounts are the basis for "extending" Kapua an its functionalities. Just as "Users" can "expand" Kapua "horizontally" (creating multiple users in one account), accounts can do this "vertically" - every account (if its parameters permit this) can have their own child accounts and so on. This way we get a lot of smaller entities/accounts with users that have specific permissions for performing small number of specific tasks or basically anything else.
Here also so called "Forwardable" permissions comes into play - in "Users" tab to be exact. Account:Read/Write/Delete permissions are pretty straight forward, but if user wants to see and use "User" tab, forwardable permission has to be set to True (e.g. User:Read:ALL:YES), otherwise Kapua will return an error that user needs additional permissions.
"Forwardable" permission is also important if user wants to see and edit Services in Child Accounts -> Account Settings. If "Forwardable" is not set to True, user will not be able to set these parameters for child accounts (but will be able to see them in main menu on the left).
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Child Accounts in main menu | Account:Read | No |
| Enabled Refresh button | Account:Read | No |
| Enabled Add button | Account:Read Account:Write | No |
| Enabled Edit button | Account:Read Account:Write | No |
| Enabled Delete button | Account:Read Account:Delete | No |
| USERS TAB | ||
| Enabled Refresh button | Account:Read User:Read | Yes (User:Read) |
| Enabled Add button | Account:Read User:Read User:Write | Yes (User:Read/Write) |
| Enabled Edit button | Account:Read User:Read User:Write | Yes (User:Read/Write) |
| Enabled Delete button | Account:Read User:Read User:Delete | Yes (User:Read/Write) |
Endpoints
Endpoints are a special feature, that does not behave like a "ordinary" Main menu item (such as Roles, Groups, Users...) - except for kapua-sys user that has full read/write/delete access, other users cannot see this item on the left. Although certain users have Endpoint:Read/Write/Delete permissions, this item will not be visible. Instead the added endpoints will be visible in Settings -> Deployment Info (under the Account Information), if user has Endpoint:Read permission. As in Connections, Endpoint:Write/Delete permissions are not used here.
We should also mention one special feature of Endpoints - if you create new endpoints in a child account, they are not added to old ones, but instead are used as a new "root". Example: If we have three endpoints (e.g. eth1/eth1/123, eth2/eth2/123, eth3/eth3/123) in kapua-sys account and we create one new endpoint in kapua-sys's child account "account0" (e.g. eclipse0/eclipse0/123), the three old ones "disappear from the list and only the last one is visible - all other child accounts created from account0 also see only "eclipse0/eclipse0/123" endpoint, until new ones are created in their scope. If all the endpoints in certain child account are deleted, endpoints from parent account are shown as these are now the new "root" endpoints.
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Endpoints in main menu | / | / |
| See Endpoints in Settings | Account:Read Endpoints:Read | No |
Settings
If user has Account permissions, Settings tab is enabled in Main menu, which enables user to see account's settings (so called "infiniteChildItem" and "MaxNumberChildItem" parameters). This is particularly useful if user encounters errors while creating/editing/deleting items; Unfortunately these settings cannot be changed, as this can only parent user/account do.
As stated, Settings view is part of Account permissions - so this item is visible is user has Accoount:Read permission. There are no special features for this view; user needs Account:Write permission (Forwardable can be set to False) if Edit button should be enabled.
| Feature | Needed Permissions | Forwardable |
|---|---|---|
| See Settings in main menu | Account:Read | No |
| Enabled Edit button | Account:Read Account:Write | No |