# User Role (Tenant / Group) and UI Mapping

---

## 1. Tenant User Role

The Tenant User Role determines which UI functions a user can operate after entering a tenant space.

Users can add or edit Tenant Users and their Roles under User Management -> Tenant Users.

![](https://i.imgur.com/u2H5yLx.png)

Edge365 defines five default Roles:

- Admin
- Engineer
- Editor
- Operator
- Viewer

Each Role has a corresponding Permission Scope configuration. The Scopes are:

| Display Name | Description |
| -------- | -------- |
| Group, Object, and Parameter | Operate group / object / parameter |
| Alarm and Event | Operate Alarm settings |
| Profile Management | Operate Profile Management |
| Machine Status | Operate Machine Status |
| Rule Management | Operate Rule Management |
| In-Outbound Settings | Operate Data connectors / Device Management |
| Device Management | (will be merged with In-Outbound Settings) |
| Others (Organizer) | (Edge365 does not have this function yet) |
| Others (Data Hub) | (Edge365 does not have this function yet) |
| Others (Rule Engine) | (Edge365 does not have this function yet) |
| User List | Operate Users in User Management |
| Client List | (Edge365 does not have this function yet) |
| Role List | Operate Roles in User Management |
| Command Center Settings | Operate Command Center |
| Dashboard & Menu List | Operate Dashboard & Menu in Command Center |
| License | Operate License in Advanced Settings |
| Authority Management | ? |
| Value and Alarm | Whether Value & alarm can be operated on the Dashboard (currently no actual effect) |
| Operation Log | Whether Operation Log can be operated on the Dashboard (currently no actual effect) |

**(Handled by RD:) The UI hides Authority Management; the scope still exists behind the scenes, and its Value = Role List**

**(Handled by RD:) The original DeviceOn/BI Device Management scope = In-Outbound Settings; the two scopes are merged**

Each Role configures "Manage", "View" or "None" for each of the scopes above:

- Manage: create, delete, update and read
- View: read only
- None: no permission

The following sections describe how each scope affects the UI.

### 1.1 Home Page

#### WISE-Edge365

![](https://i.imgur.com/uqEYM7D.png)

#### WISE-iFactory

![](https://i.imgur.com/bBQzA4J.png)

The Scopes in the user's Tenant Role determine whether the following functions can be entered:

- **Data Management (Edge365) / Object Management (iFactory)**
  - A user with Manage or View permission on any one of the following Scopes can enter the Data Management / Object Management function:
    - Group, Object, and Parameter
    - Alarm and Event
    - Profile Management
    - Machine Status
    - Rule Management
    - In-Outbound Settings
  - Default Roles that qualify:
    - Admin
    - Engineer
    - Editor
    - Viewer
- **User Management**
  - A user with Manage or View permission on any one of the following Scopes can enter the User Management function:
    - User List
    - Client List
    - Role List
  - Default Roles that qualify:
    - Admin
    - Editor
    - Viewer
- **Command Center**
  - A user with Manage or View permission on any one of the following Scopes can enter the Command Center function:
    - Command Center Settings
    - Dashboard & Menu List
  - Default Roles that qualify:
    - Admin
    - Engineer
    - Editor
    - Viewer
- **Device Management (Edge365)**
  - A user with Manage or View permission on the following Scope can enter the Device Management function:
    - In-Outbound Settings
  - Default Roles that qualify:
    - Admin
    - Engineer
    - Editor
    - Viewer
- **Advanced settings (gear icon, top right)**
  - A user with Manage or View permission on the following Scope can enter the Advanced settings function:
    - License
  - Default Roles that qualify:
    - Admin
    - Engineer
    - Editor
    - Viewer
- **Manage my services (top right)**
  - Only shown for first-level tenants directly under the Root Tenant
  - Sub-tenants below a first-level tenant do not have this function
  - Only users with the **"Admin" role** can enter

### 1.2 Data Management (Edge365) / Object Management (iFactory)

In Data Management / Object Management, the functions relate to the Tenant Role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| group / object / parameters | Group, Object, and Parameter | No effect | No effect | No effect | No effect | No effect |
| Machine status | Machine Status | Manage | Manage | Manage | None | View |
| Rule management | Rule Management | Manage | Manage | Manage | None | View |
| Alarm setting | Alarm and Event | Manage | Manage | Manage | None | View |
| Data connectors | In-Outbound Settings | Manage | (RD changed to Manage) | Manage | None | View |

Note: The Group, Object, and Parameter scope in the Tenant role is only used to decide whether the user can enter Data Management (Edge365) / Object Management (iFactory). Whether the user can enter a group and operate within it depends on the **Group, Object, and Parameter scope in the group user role**.

The following function is not yet available in Edge365:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Profile Management | Profile Management | Manage | Manage | Manage | None | View |

### 1.3 User Management

The functions relate to the Tenant Role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Tenant Users | User List | Manage | (RD changed to None) | (RD changed to View) | None | (RD changed to View) |
| Roles | Role List | Manage | (RD changed to None) | (RD changed to View) | None | View |

**Note:** Only the Tenant Role may be modified; a User's basic profile data may not be modified.

**Note 2:** When adding a tenant user, the second step is mandatory.

The following function is not yet available in Edge365:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Client Management | Client List | Manage | (RD changed to None) | (RD changed to View) | None | View |

### 1.4 Command Center

The functions relate to the Tenant Role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Command center | Command Center Settings | Manage | Manage | Manage | None | View |
| Entering the Dashboard function | Dashboard & Menu List | Manage | Manage | Manage | None | (RD changed to View) |
| Menu list | Dashboard & Menu List | Manage | Manage | Manage | None | (RD changed to View) |

### 1.5 Advanced Setting (changed to View)

The functions relate to the Tenant Role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| License | License | Manage | View | View | None | View |

### 1.6 Device Management (Edge365)

The functions relate to the Tenant Role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Device Management | In-Outbound Settings | Manage | (RD changed to Manage) | Manage | None | (RD changed to View) |

## 2. Group User Role

#### Introduction

The Group User Role determines whether a User can enter a group and operate the functions inside that group.

Users can go to User Management -> click any group in the group tree to add or edit that group's group users and their group user roles.

![](https://i.imgur.com/fAShGPi.png)

#### Role & scope

Edge365 likewise defines five default Roles:

- Admin
- Engineer
- Editor
- Operator
- Viewer

The scopes in a Group user role are the same as those in the Tenant user role, but only some of the scopes in the role are meaningful for a group.

#### Special relationship with the Tenant user role

- When Tenant user role = Admin, the User is by default added to every group in the group tree and given group user role = Admin
- When Tenant user role = Admin, any group added later can be joined through "Join to group" in the UI

![](https://i.imgur.com/9171VX3.png)

### 2.1 Data Management (Edge365) / Object Management (iFactory)

The following functions inside a group only consult the group user role and are not affected by the outer Tenant user role.
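The entry rules of section 1.1 and the tenant-versus-group precedence of section 2 can be checked programmatically. The following Python is an added example, not Edge365 code: it encodes the default roles from the Dataconnect column of the scope summary table (with the RD changes applied), the home-page entry rule ("Manage or View on any one of the listed scopes"), and the group rule that a tenant Admin is implicitly a group Admin while everyone else is governed only by their group user role. The function and constant names (`DEFAULT_ROLES`, `can_enter`, `group_level`) are assumptions for this example.

```python
from enum import Enum
from typing import Dict, Iterable, Optional, Set


class Level(Enum):
    MANAGE = "Manage"   # create, delete, update, read
    VIEW = "View"       # read only
    NONE = "None"       # no permission


# Scope display names from the page that gate home-page entry (section 1.1).
SCOPES = (
    "Group, Object, and Parameter", "Alarm and Event", "Profile Management",
    "Machine Status", "Rule Management", "In-Outbound Settings",
    "User List", "Client List", "Role List",
    "Command Center Settings", "Dashboard & Menu List", "License",
)
USER_MGMT_SCOPES = {"User List", "Client List", "Role List"}


def _role(manage: Iterable[str] = (), view: Iterable[str] = ()) -> Dict[str, Level]:
    """Build a scope -> Level map; any scope not listed is None."""
    perms = {s: Level.NONE for s in SCOPES}
    perms.update({s: Level.MANAGE for s in manage})
    perms.update({s: Level.VIEW for s in view})
    return perms


# Default roles: Dataconnect column of the scope summary, RD changes applied.
# Engineer: None on the three User Management scopes, View on License.
# Editor:   View on the three User Management scopes and on License.
DEFAULT_ROLES: Dict[str, Dict[str, Level]] = {
    "Admin": _role(manage=SCOPES),
    "Engineer": _role(manage=[s for s in SCOPES if s not in USER_MGMT_SCOPES | {"License"}],
                      view=["License"]),
    "Editor": _role(manage=[s for s in SCOPES if s not in USER_MGMT_SCOPES | {"License"}],
                    view=USER_MGMT_SCOPES | {"License"}),
    "Operator": _role(),          # None on every scope that gates entry
    "Viewer": _role(view=SCOPES),
}

# Home-page function -> scopes; Manage or View on any one of them grants entry.
FEATURES: Dict[str, Set[str]] = {
    "Data Management": {"Group, Object, and Parameter", "Alarm and Event", "Profile Management",
                        "Machine Status", "Rule Management", "In-Outbound Settings"},
    "User Management": USER_MGMT_SCOPES,
    "Command Center": {"Command Center Settings", "Dashboard & Menu List"},
    "Device Management": {"In-Outbound Settings"},
    "Advanced settings": {"License"},
}


def can_enter(role_scopes: Dict[str, Level], feature: str) -> bool:
    """Section 1.1 rule: any listed scope at Manage or View opens the function."""
    return any(role_scopes[s] is not Level.NONE for s in FEATURES[feature])


def roles_that_can_enter(feature: str) -> Set[str]:
    """Derive the 'default roles that qualify' list for a function."""
    return {name for name, scopes in DEFAULT_ROLES.items() if can_enter(scopes, feature)}


def can_manage_my_services(tenant_role: str, is_first_level_tenant: bool) -> bool:
    """Shown only for first-level tenants under Root, and only to Admin."""
    return is_first_level_tenant and tenant_role == "Admin"


def group_level(tenant_role: str, group_role: Optional[str], scope: str) -> Level:
    """Effective level for a scope inside a group (section 2).

    A tenant Admin is auto-joined to every group as group Admin, so it is
    treated as Manage. Everyone else is governed by their group user role
    alone (group roles reuse the same scope table); no membership means None.
    """
    if tenant_role == "Admin":
        return Level.MANAGE
    if group_role is None:
        return Level.NONE
    return DEFAULT_ROLES[group_role][scope]


if __name__ == "__main__":
    for feature in FEATURES:
        print(f"{feature:18} -> {sorted(roles_that_can_enter(feature))}")
    print(group_level("Editor", "Viewer", "Group, Object, and Parameter").value)
```

Running the script reproduces the "default roles that qualify" lists of section 1.1 from the scope table alone, which is a quick way to confirm that the per-role scope values and the per-function entry lists stay consistent after an RD change.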
The functions relate to the Group user role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| group | Group, Object, and Parameter | Manage | Manage | Manage | None | (RD changed to View) |
| Objects | Group, Object, and Parameter | Manage | Manage | Manage | None | (RD changed to View) |
| Parameter | Group, Object, and Parameter | Manage | Manage | Manage | None | (RD changed to View) |
| Event & actions | Alarm and Event | Manage | Manage | Manage | None | View |
| Parameter Alarm | Alarm and Event | Manage | Manage | Manage | None | View |

### 2.2 User Management

The functions relate to the Group user role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Group user | User List | Manage | (RD changed to None) | (RD changed to View) | None | (RD changed to View) |

**Note:** Because a User whose Tenant user role = Admin has the right to join any group, such a User can enter any group and add themselves or other Users with a group user role.

**Note 2:** For every user other than Tenant user role = Admin, the user's group user role in that group determines what they can do.

**Note 3:** Only the Group Role may be modified; a User's basic profile data may not be modified.

### 2.3 Command Center

The functions relate to the Group user role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Operating the group's dashboard | Dashboard & Menu List | Manage | Manage | Manage | None | (RD changed to View) |

Note: The Tenant User role controls whether the dashboard function can be entered; whether the dashboards inside a group can be operated within that function depends on the group user role.

## 3. Root Tenant User Role

#### Introduction

By default, every User on the site is added to the Root Tenant. The Root Tenant User Role determines which Root Tenant functions a User can operate.

#### Root Tenant Admin

Root Tenant Admin = system administrator of the whole site.

The current ways to become Root Tenant Admin are:

- WISE-PaaS SSO permission
  - Users whose SSO role is Workspace Owner or higher are currently allowed to log in without registering and are granted Root Tenant Admin permission
  - The qualifying SSO Roles are:
    - Global Admin
    - Data Center Admin
    - Cluster Admin
    - Cluster Owner
    - Workspace Owner
- Added by another Root Tenant Admin
  - As described in section 1.3, an Admin can enter User Management and add Tenant Users, and can therefore add other Users as Root Tenant Admin

#### Functions available in the Root Tenant

- User Management
- Advanced settings (gear icon, top right)
- Manage my services (top right)

The following describes how the Role scopes relate to these functions.

### 3.1 User Management

The functions relate to the Root Tenant Role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Tenant Users | User List | Manage | (RD changed to None) | (RD changed to View) | None | (RD changed to View) |
| Roles | Role List | Manage | (RD changed to None) | (RD changed to View) | None | View |

**Note:** A User's basic profile data can only be modified in the Root Tenant's User Management.

The following function is not yet available in Edge365:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Client Management | Client List | Manage | (RD changed to None) | (RD changed to View) | None | View |

### 3.2 Advanced Setting

The functions relate to the Root Tenant Role as follows:

| Function | Affecting scope | Admin | Engineer | Editor | Operator | Viewer |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| License | License | Manage | View | View | None | View |

### 3.3 Manage my services

- Only users with the Root Tenant **"Admin" role** can enter
- All other roles cannot see it

## 4. Scope Summary Table

### iFactory Role vs Dataconnect Role

---

#### Note:

- The original DeviceOn/BI only defined the following Scopes:
  - Group, Object, and Parameter
  - Device Management
  - User List (which we call User Management)
  - Dashboard & Menu List
  - Value and Alarm
  - Operation Log
- Any concerns will be about the differences among the scopes listed above

### Admin

m: Manage, v: View, N: None

| Display Name | Dataconnect | iFactory |
| -------- | -------- | -------- |
| Group, Object, and Parameter | m | m |
| Alarm and Event | m | m |
| Profile Management | m | m |
| Machine Status | m | m |
| Rule Management | m | m |
| In-Outbound Settings | m | m |
| ~~Device Management~~ | ~~m~~ | ~~m~~ |
| Others (Organizer) | m | m |
| Others (Data Hub) | m | m |
| Others (Rule Engine) | m | m |
| User List | m | m |
| Client List | m | m |
| Role List | m | m |
| Command Center Settings | m | m |
| Dashboard & Menu List | m | m |
| License | m | m |
| Authority Management | m | m |
| Value and Alarm | m | m |
| Operation Log | m | m |

### Editor

m: Manage, v: View, N: None

| Display Name | Dataconnect | iFactory |
| -------- | -------- | -------- |
| Group, Object, and Parameter | m | m |
| Alarm and Event | m | m |
| Profile Management | m | m |
| Machine Status | m | m |
| Rule Management | m | m |
| In-Outbound Settings | m | m |
| ~~Device Management~~ | ~~m~~ | ~~undefined~~ |
| Others (Organizer) | m | m |
| Others (Data Hub) | m | m |
| Others (Rule Engine) | m | m |
| User List | (RD changed to v) | v |
| Client List | (RD changed to v) | v |
| Role List | (RD changed to v) | v |
| Command Center Settings | m | m |
| Dashboard & Menu List | m | undefined |
| License | v | v |
| Authority Management | v | v |
| Value and Alarm | m | undefined |
| Operation Log | m | undefined |

### Engineer (Dataconnect only)

m: Manage, v: View, N: None

| Display Name | Dataconnect | iFactory |
| -------- | -------- | -------- |
| Group, Object, and Parameter | m | undefined |
| Alarm and Event | m | undefined |
| Profile Management | m | undefined |
| Machine Status | m | undefined |
| Rule Management | m | undefined |
| In-Outbound Settings | (RD changed to m) | undefined |
| ~~Device Management~~ | ~~m~~ | ~~undefined~~ |
| Others (Organizer) | m | undefined |
| Others (Data Hub) | (RD changed to m) | undefined |
| Others (Rule Engine) | m | undefined |
| User List | (RD changed to N) | undefined |
| Client List | (RD changed to N) | undefined |
| Role List | (RD changed to N) | undefined |
| Command Center Settings | m | undefined |
| Dashboard & Menu List | m | undefined |
| License | v | undefined |
| Authority Management | v | undefined |
| Value and Alarm | m | undefined |
| Operation Log | m | undefined |

### Operator

m: Manage, v: View, N: None

| Display Name | Dataconnect | iFactory |
| -------- | -------- | -------- |
| Group, Object, and Parameter | N | N |
| Alarm and Event | N | N |
| Profile Management | N | N |
| Machine Status | N | N |
| Rule Management | N | N |
| In-Outbound Settings | N | N |
| ~~Device Management~~ | ~~N~~ | ~~undefined~~ |
| Others (Organizer) | N | N |
| Others (Data Hub) | N | N |
| Others (Rule Engine) | N | N |
| User List | N | N |
| Client List | N | N |
| Role List | N | N |
| Command Center Settings | N | N |
| Dashboard & Menu List | N | undefined |
| License | N | N |
| Authority Management | N | N |
| Value and Alarm | m | undefined |
| Operation Log | m | undefined |

### Viewer

m: Manage, v: View, N: None

| Display Name | Dataconnect | iFactory |
| -------- | -------- | -------- |
| Group, Object, and Parameter | (RD changed to v) | v |
| Alarm and Event | v | v |
| Profile Management | v | v |
| Machine Status | v | v |
| Rule Management | v | v |
| In-Outbound Settings | v | v |
| ~~Device Management~~ | ~~(RD changed to v)~~ | ~~undefined~~ |
| Others (Organizer) | v | v |
| Others (Data Hub) | v | v |
| Others (Rule Engine) | v | v |
| User List | (RD changed to v) | v |
| Client List | v | v |
| Role List | v | v |
| Command Center Settings | v | v |
| Dashboard & Menu List | (RD changed to v) | undefined |
| License | v | v |
| Authority Management | v | v |
| Value and Alarm | v | undefined |
| Operation Log | v | undefined |

---

## 5. Scope / ACL Mapping Table

---

### Object Management

| Display Name | ACL | scope |
| -------- | -------- | -------- |
| Group, Object, and Parameter | orgAcls | GMP |
| Alarm and Event | reAcls | HighLowEvent |
| Profile Management | orgAcls | Profile |
| Machine Status | orgAcls | MachineStatus |
| Rule Management | orgAcls | MappingRule |
| In-Outbound Settings | dhAcls | InOutbound |
| ~~Device Management~~ | ~~biAcls~~ | ~~Device~~ |
| Others (Organizer) | orgAcls | Others |
| Others (Data Hub) | dhAcls | Others |
| Others (Rule Engine) | reAcls | Others |

- **Note: dhAcls InOutbound and biAcls Device are merged**

### User Management

| Display Name | ACL | scope |
| -------- | -------- | -------- |
| User List | orgAcls | User |
| Client List | orgAcls | Client |
| Role List | orgAcls | Role |

### Command Center

| Display Name | ACL | scope |
| -------- | -------- | -------- |
| Command Center Settings | orgAcls | Cmdc |
| Dashboard & Menu List | biAcls | Dashboard |

### System Setting

| Display Name | ACL | scope |
| -------- | -------- | -------- |
| License | orgAcls | License |
| Authority Management | orgAcls | Permission |

### WISE-PaaS Dashboard

| Display Name | ACL | scope |
| -------- | -------- | -------- |
| Value and Alarm | biAcls | Alarm |
| Operation Log | biAcls | Log |

---

###### tags: `Edge365`