Control Generic Role Scope: Tenant vs. Customer Level

The same Generic role grants different access depending on where it is assigned. Assigned at Tenant level it covers all entities in the tenant tree; assigned at Customer level it covers only that customer and its sub-customers.

Prerequisites: Basic familiarity with Roles and RBAC.

Users

  • Bob — member of Tenant Admins group (Tenant level)
  • Alice — member of Customer Admins group (Customer B level)

Devices

  • Device A1 — owned by Tenant A
  • Device B1 — owned by Customer B

Objective

  • Bob: full access to all entities within Tenant A, including all customers and sub-customers.
  • Alice: full access only within Customer B and its sub-customers.

Create one role used by both assignments:

  1. Navigate to Security ⇾ Roles.
  2. Click + Add role.
  3. Name: Full Access; Role type: Generic.
  4. Add one permission entry: Resource All, Operations All.
  5. Click Add.

Assign the role to the Tenant Admins group (Tenant level):

  1. Navigate to Users ⇾ Groups.
  2. Open Tenant Admins group details ⇾ Roles tab.
  3. Click Add — select Role type Generic, Role Full Access.
  4. Click Add.

Bob can now perform any operation on all entities in Tenant A, including entities under all customers and sub-customers.

Assign the role to the Customer Admins group of Customer B (Customer level):

  1. Navigate to Customers ⇾ click Manage customer users for Customer B.
  2. Open the Groups tab ⇾ open Customer Admins details ⇾ Roles tab.
  3. Click Add — select Role type Generic, Role Full Access.
  4. Click Add.

Alice can now perform any operation on entities that belong to Customer B and its sub-customers only.

  • Bob sees Device A1 and Device B1.
  • Alice sees Device B1 only.
  • Both have the same role — scope is determined by assignment level, not role definition.
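
The scope rule above can be checked with a small model. This is an added example, not the platform's own code or API: it treats ownership as a parent tree and resolves which devices a single "Full Access" role reaches from each assignment level. The sub-customer, the sibling Customer C, and Devices B2 and C1 are constructed for illustration.

```python
# Simplified model of Generic-role scope resolution (illustration only, not platform code).
# Owner tree: each owner maps to its parent; the tenant is the root (parent None).
PARENT = {
    "Tenant A": None,
    "Customer B": "Tenant A",
    "Customer B-sub": "Customer B",   # constructed sub-customer
    "Customer C": "Tenant A",         # constructed sibling customer
}

# Device -> owning tenant/customer. A1 and B1 are from the page; B2 and C1 are constructed.
DEVICE_OWNER = {
    "Device A1": "Tenant A",
    "Device B1": "Customer B",
    "Device B2": "Customer B-sub",
    "Device C1": "Customer C",
}

# (user, role, owner level at which the user's group holds the role)
ASSIGNMENTS = [
    ("Bob", "Full Access", "Tenant A"),
    ("Alice", "Full Access", "Customer B"),
]

def in_scope(owner, scope_root):
    """True if `owner` is `scope_root` or sits anywhere below it in the tree."""
    while owner is not None:
        if owner == scope_root:
            return True
        owner = PARENT[owner]
    return False

def visible_devices(user):
    """Devices covered by any Generic role assignment the user holds."""
    roots = [root for u, _role, root in ASSIGNMENTS if u == user]
    return sorted(d for d, owner in DEVICE_OWNER.items()
                  if any(in_scope(owner, r) for r in roots))

def audit():
    """Map each user to the devices their assignments reach."""
    return {u: visible_devices(u) for u in sorted({a[0] for a in ASSIGNMENTS})}

if __name__ == "__main__":
    for user, devices in audit().items():
        print(f"{user}: {', '.join(devices)}")
```

Running the same audit before adding a Generic role at Tenant level shows how far the grant reaches; in this model, moving Alice's assignment to "Tenant A" would expose Device A1 and Device C1 to her as well.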