Application Roles
Customer roles
Applications are managed by customers in ApiOmat. Usually, one customer owns a set of applications with no other customers having access to them. The privilege to access or modify apps are controlled by roles per app for each customer. That is, in the very basic example each customer has the highest role named ADMIN for his own apps. Using a given set of roles, other (existing) customers can be added to a specific app and get access to e.g. writing data or using the SDKs.
Speaking in data structures, the role for an app is stored in a map with the customer and a key
appname _ systemname --> [ set of roles ]
Roles are organized hierarchically, which means that a customer with role WRITE has automatically all other roles with lower priority, like READ. Also, a customer may have more than one role like DEPLOY and WRITE_DATA.
The structure of the available roles is explained in the next paragraph.
Structure of roles
Master Role |
Sub Roles |
|||
ADMIN |
|
|
|
|
GRANT |
DEPLOY |
READ_OPLOG |
|
|
WRITE |
WRITE_DATA |
|
|
|
READ |
DOWNLOAD_SDK |
READ_DATA |
READ_LOGS |
READ_HEALTH |
Master roles have a set of sub roles. If a customer owns a master role, he has automatically all sub roles belonging to the master role (same line). The other way, if a customer has a sub role, this does not necessarily mean that he owns the other sub roles of the master role.
If a customer has a role of a higher master role than the needed one, he is permitted to execute the action.
Example
A customer with a DEPLOY role granted has the following inherited roles: WRITE, WRITE_DATA, READ, DOWNLOAD_SDK, READ_DATA, READ_LOGS and READ_ANALYTICS.
Application role limitations
The following table shows limitations in detail of the possible customer roles.
Application Role |
Description |
Effects (yambas) |
Effects (dashboard) |
ADMIN |
Administrator and creator of an app |
|
|
GRANT |
Customer of an app who can give all roles except ADMIN to that app to further customers |
Can not:
|
|
DEPLOY |
Customer who can read & write on app, and can deploy additionally |
Can not:
|
|
WRITE |
Customer who can read & write data structures and data on app |
Can not:
|
|
WRITE_DATA |
Customer who can only read application structures and write data |
Can not:
|
|
READ |
Customer who can only read application structures and data |
Can not:
|
|
DOWNLOAD_SDK |
Customer who can only download SDKs of app, typically a frontend developer |
Can not:
|
|
READ_DATA |
Customer who can only read the data of an app |
Can not:
|
|
READ_LOGS |
Customer who can only read the logs of an app |
Can not:
|
|
READ_ANALYTICS |
Customer who can only view the Analytics information of an app |
Can not:
|
|
READ_HEALTH |
Customer who can only view the health status of a module |
Can not:
|
|
READ_OPLOG |
Customer or Organization who can only read oplogs. |
Can not:
|
|
-
The yambas returns only usable modules. Usable modules can be configured.
Dashboard 3
Instead of deploying and undeploying your app, you can set your app active/inactive and compile every module separately in Dashboard 3. With that new mechanism the application role DEPLOY was removed and WRITE will contain the features of DEPLOY which are not in WRITE_DATA. Setting the app active or inactive requires the role WRITE. The right to compile modules is completely independent from the application role and depends only of the role for the specific module.