Managing roles and permissions

This section contains articles explaining how to manage permissions and roles in Cloud Identity Plane (CIP).

About permissions and roles in CIP

Permissions and roles provide access control in systems that use CIP for identity management. Roles additionally allow fine-grained access control: when a permission is added to a role, it can be linked to a specific object (for example, a particular device, user, or organization), so the role holds that permission only for that object.

Permissions and roles defined in CIP are intended to be consumed by an external system. That system must provide its own logic to read the permissions and roles defined in CIP, including any object constraints, and to make the access decisions; CIP defines and stores them but does not enforce them on the system's behalf.

Prerequisites

You have system administrator privileges in CIP.

Note

This operation is restricted to CIP system administrators. It can be performed either in the CIP administrator portal, as shown in this article, or through API calls.

Manage permissions

Follow the steps below to create a permission in CIP.

  1. Select Permissions from the left-hand menu.

    Result

    The PERMISSIONS page opens.

  2. Select Create Permission.

    Result

    The CREATE PERMISSION form opens.

  3. Enter the form data as explained below:

    Field                          | Description
    Name                           | Permission name, reflecting what this permission is intended to grant.
    Metadata (optional)            | Any JSON data associated with this permission. CIP does not interpret it; it is passed to the system that uses CIP as an identity provider.
    Grant Policy (create), optional | Policy defining who is allowed to assign this permission.
    Grant Policy (delete), optional | Policy defining who is allowed to delete this permission.
    Grant Policy (list), optional   | Policy defining who is allowed to list the data of this permission.
    Grant Policy (check), optional  | Policy defining who is allowed to check where this permission is assigned.
  4. Select Create Permission at the bottom of the form.

    Result

    The CREATE PERMISSION form closes and your permission is created.

Manage roles

Follow the steps below to create a role in CIP and add permissions to it.

  1. Select Roles from the left-hand menu.

    Result

    The ROLES page opens.

  2. Select Create Role.

    Result

    The CREATE ROLE form opens.

  3. Enter the form data as explained below:

    Field    | Description
    Name     | Role name, reflecting what this role is intended to grant.
    Metadata | Any JSON data associated with this role. CIP does not interpret it; it is passed to the system that uses CIP as an identity provider.
  4. Select Create Role at the bottom of the form.

    Result

    The CREATE ROLE form closes and your role is created. The role has no permissions assigned yet; you add them separately, as described in the following steps.

  5. Select the role from the ROLES page and open the meatballs (three-dot) menu.

    Result

    The following options are available for selection:

    • Add permission
    • Remove permission
    • Delete role
  6. Select Add permission.

    Result

    The ADD PERMISSION form opens.

  7. Fill in the ADD PERMISSION form.

    Field                          | Description
    Permission                     | Permission to be added to the role.
    Link permission with an object | Select this option to restrict the permission to a single object. When selected, the permission applies only to the object identified by the type and UUID (universally unique identifier) below; when not selected, the permission applies without an object constraint.
    Object type                    | Any object type existing in the system (for example device, customer, or user).
    Object UUID                    | UUID of the specific object. For example, if the Object type is device, enter the device UUID here.
  8. Select Add permission.

    Result

    Your permission is added to the role.
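The consuming system, not CIP, has to turn a role's permissions (with or without an object link) into an allow/deny decision. The following is an added illustration of that logic, written for this article; it is not CIP code, and the data layout (a role holding permission grants, each optionally scoped to an object type and UUID) and the permission names are assumptions that mirror the ADD PERMISSION form rather than CIP's API format. It generalizes the single device case above: an unlinked permission applies to every object, a linked permission applies only when both object type and UUID match, and a malformed UUID is rejected rather than compared.

```python
"""Authorization check in a system that consumes CIP roles and permissions.

Added example, not CIP code. The grant/role layout below is an assumption
modelled on the ADD PERMISSION form, not CIP's API representation.
"""
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PermissionGrant:
    """A permission attached to a role, optionally linked to one object."""
    name: str
    object_type: Optional[str] = None   # e.g. "device"; None means no object link
    object_uuid: Optional[str] = None   # UUID of the linked object, if linked


@dataclass
class Role:
    name: str
    metadata: Dict = field(default_factory=dict)   # opaque JSON; CIP does not interpret it
    grants: List[PermissionGrant] = field(default_factory=list)


def canonical_uuid(value: str) -> str:
    """Reject anything that is not a well-formed UUID and canonicalize the rest.

    Comparing canonical forms avoids false denials on case or formatting
    differences; ValueError on malformed input lets the caller reject the request.
    """
    return str(uuid.UUID(value))


def grant_applies(grant: PermissionGrant, permission: str,
                  object_type: str, object_uuid: str) -> bool:
    """Return True if this single grant authorizes `permission` on the object."""
    if grant.name != permission:
        return False
    if grant.object_type is None and grant.object_uuid is None:
        return True                       # no object link: applies to every object
    if grant.object_type is None or grant.object_uuid is None:
        return False                      # half-filled link: fail closed
    return (grant.object_type == object_type
            and canonical_uuid(grant.object_uuid) == canonical_uuid(object_uuid))


def is_authorized(roles: List[Role], permission: str,
                  object_type: str, object_uuid: str) -> bool:
    """Deny by default; allow only if some role carries an applicable grant.

    Raises ValueError if the requested object UUID is malformed.
    """
    object_uuid = canonical_uuid(object_uuid)
    return any(grant_applies(g, permission, object_type, object_uuid)
               for role in roles for g in role.grants)


# Constructed sample data (hypothetical permission names and UUIDs).
DEVICE_A = "11111111-1111-4111-8111-111111111111"
DEVICE_B = "22222222-2222-4222-8222-222222222222"

# Unlinked grant: may reboot any device.
FLEET_ADMIN = Role("fleet-admin", grants=[PermissionGrant("device:reboot")])
# Linked grant: may reboot DEVICE_A only.
SITE_TECH = Role("site-tech", metadata={"site": "warsaw-1"},
                 grants=[PermissionGrant("device:reboot", "device", DEVICE_A)])

if __name__ == "__main__":
    print(is_authorized([SITE_TECH], "device:reboot", "device", DEVICE_A))   # linked object
    print(is_authorized([SITE_TECH], "device:reboot", "device", DEVICE_B))   # other device
    print(is_authorized([FLEET_ADMIN], "device:reboot", "device", DEVICE_B)) # unlinked grant
```

The check is deny-by-default: a grant whose object type differs from the requested object, whose UUID differs, or whose link is only half filled never matches, and a request carrying a malformed UUID raises instead of being compared as a string. The role metadata is carried along untouched, as it is in CIP, for the consuming system to use as it sees fit.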

Having created permissions and roles, you can now assign them to users. For more information, see Granting and revoking user’s permissions.