
Role-Based Access Control

A Role in ThingsBoard PE defines a set of permissions — which resources a user can access and which operations they can perform. Roles are never assigned directly to users; they flow through three building blocks:

Object | What it is
Role | Defines what is allowed: resource type + operations
User Group | Defines who receives the permissions
Group Permission Entity (GPE) | The link between a User Group and a Role. ThingsBoard creates it automatically when you assign a role to a user group

Users do not receive permissions directly. Instead, a role is assigned to a user group, ThingsBoard records that assignment as a GPE, and every member of the group inherits the role's permissions. How far those permissions reach depends on the role type:

  • Generic role — applies recursively to all entities within a Tenant or Customer scope.
  • Group role — applies strictly to a specific Entity Group.

Access is denied by default. A user can only do what an explicitly assigned role permits. There are no deny rules — permissions are purely additive. If a user belongs to multiple user groups, all permissions are combined.

Authority defines a user’s position in the system hierarchy and determines the maximum capabilities available to that user.

The platform supports three authority levels:

Authority level | Description
SYS_ADMIN | Assigned to System Administrator users
TENANT_ADMIN | Assigned to users on the Tenant level
CUSTOMER_USER | Assigned to users on the Customer level

  • A user’s authority level is set at creation time, based on where in the hierarchy the user is created.
  • It changes only when the user itself is moved between the Customer level and the Tenant level, in either direction.
  • The authority level of the sysadmin user cannot be changed, and neither a tenant user nor a customer user can be elevated to SYS_ADMIN.

ThingsBoard PE supports two role types:

Role type | Scope model | Use case
Generic | Recursive within Tenant/Customer scope | Broad administrative access
Group | Specific entity group only | Segmented and isolated access

A Generic role defines a set of permissions that applies recursively to all entities within a selected scope: Tenant, Customer, or Sub-customer (including all descendants).

The scope is not a property of the role itself — it is determined by where the role is assigned. The same role assigned to a user group at Tenant level grants tenant-wide access; assigned at Customer level it grants access only within that customer and its sub-customers.

A Generic role is assigned to a user group via a Group Permission Entity (GPE), which records the user group, the role, and the scope level.

Key characteristics

  • Scope depends on the assignment level (Tenant or Customer).
  • Does not require entity groups.
  • Applies to all entities within the defined scope.
  • Supports hierarchical customer structures.

To create a Generic role:

  1. Navigate to Security ⇾ Roles.
  2. Click + Add role.
  3. Fill in the Name (a unique role name).
  4. Role type: select Generic.
  5. Configure Permissions: Resource and Operations (at least one permission entry must be specified).
  6. Click Add.

You can find a description of all available resource types in the permissions table.

To apply a Generic role:

  1. Open Users ⇾ Groups (Tenant level)
    or
    Open Customers ⇾ Manage customer users ⇾ Groups (Customer level).
  2. Open group details.
  3. Navigate to Roles tab.
  4. Click Add.
  5. Select:
    • Role type: Generic
    • Choose the created role
  6. Click Add.

The role now applies recursively within the group’s scope.

A Group role defines permissions for a specific user group over a specific entity group.

Unlike Generic roles, which apply recursively within a scope, Group roles restrict access strictly to explicitly selected entity groups.

Assignment is implemented via a Group Permission Entity (GPE) that links:

  • User Group
  • Entity Group
  • Group Role (permissions)

This model enables precise, group-level access control without extending permissions beyond the targeted entities.

Key characteristics

  • Requires an entity group.
  • Applies only to selected entities.
  • Enables strong segmentation and isolation.
  • Suitable for controlled access within the same tenant.
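The evaluation rules described above (deny by default, purely additive grants, Generic roles walking the owner hierarchy, Group roles bound to one entity group) are easy to get wrong when reasoning about a real deployment, so here is a small model of them. This is an added example, not ThingsBoard code; the class and function names, the tenant/customer tree (T, C1, C1a, C2), the roles and the devices are all constructed for illustration.

```python
"""Constructed model of ThingsBoard PE role evaluation (added example, not platform code).

Assumptions: owners form a tree with the tenant at the root, each user belongs to one
or more user groups, and every assignment of a role to a user group is a GroupPermission
(GPE) that carries either a scope owner (Generic role) or an entity group (Group role).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    type: str                      # "GENERIC" or "GROUP"
    permissions: dict              # resource -> set of operations; "All" is valid for either


@dataclass(frozen=True)
class GroupPermission:
    user_group: str
    role: Role
    scope_owner: Optional[str] = None    # GENERIC: tenant/customer that owns the user group
    entity_group: Optional[str] = None   # GROUP: the entity group the role is attached to


@dataclass(frozen=True)
class Entity:
    id: str
    resource: str                  # e.g. "Device"
    owner: str                     # tenant or customer id
    groups: frozenset = frozenset()


def role_allows(role, resource, op):
    # A permission entry for the wildcard resource "All" or the wildcard operation "All" matches.
    ops = role.permissions.get(resource, set()) | role.permissions.get("All", set())
    return op in ops or "All" in ops


class Rbac:
    def __init__(self, parents, user_groups, gpes):
        self.parents = parents          # owner -> parent owner (None for the tenant)
        self.user_groups = user_groups  # user -> set of user group ids
        self.gpes = gpes

    def in_scope(self, scope_owner, entity_owner):
        # Generic roles apply recursively: walk from the entity's owner up to the root.
        while entity_owner is not None:
            if entity_owner == scope_owner:
                return True
            entity_owner = self.parents.get(entity_owner)
        return False

    def allowed(self, user, op, entity):
        """Deny by default; one matching grant is enough, and nothing can subtract a grant."""
        for gpe in self.gpes:
            if gpe.user_group not in self.user_groups.get(user, set()):
                continue
            if not role_allows(gpe.role, entity.resource, op):
                continue
            if gpe.role.type == "GENERIC" and self.in_scope(gpe.scope_owner, entity.owner):
                return True
            if gpe.role.type == "GROUP" and gpe.entity_group in entity.groups:
                return True
        return False


# Constructed hierarchy: tenant T owns customers C1 and C2; C1 owns sub-customer C1a.
PARENTS = {"T": None, "C1": "T", "C1a": "C1", "C2": "T"}
ANALYST = Role("Read-only analyst", "GENERIC", {"All": {"Read", "Read Telemetry"}})
CUST_ADMIN = Role("Customer Administrator", "GENERIC", {"All": {"All"}})
PUMP_OPERATOR = Role("Pump operator", "GROUP", {"Device": {"Read", "Write", "RPC Call"}})
GPES = [
    GroupPermission("analysts@T", ANALYST, scope_owner="T"),        # tenant-wide
    GroupPermission("admins@C1", CUST_ADMIN, scope_owner="C1"),     # C1 and its sub-customers
    GroupPermission("ops@C2", PUMP_OPERATOR, entity_group="C2 pumps"),  # one device group only
]
USER_GROUPS = {"alice": {"analysts@T"}, "bob": {"admins@C1"},
               "carol": {"ops@C2"}, "dave": {"analysts@T", "ops@C2"}}
RBAC = Rbac(PARENTS, USER_GROUPS, GPES)
D_C1A = Entity("d1", "Device", "C1a", frozenset({"C1a all"}))
D_PUMP = Entity("d2", "Device", "C2", frozenset({"C2 pumps"}))
D_VALVE = Entity("d3", "Device", "C2", frozenset({"C2 valves"}))


def effective_ops(user, entity, ops=("Read", "Write", "Delete", "RPC Call", "Read Telemetry")):
    """Union of everything the user's groups grant on this entity."""
    return {op for op in ops if RBAC.allowed(user, op, entity)}


if __name__ == "__main__":
    for user in USER_GROUPS:
        for ent in (D_C1A, D_PUMP, D_VALVE):
            print(f"{user:6} {ent.id} owner={ent.owner:4} {sorted(effective_ops(user, ent))}")
```

Dave, who sits in both groups, ends up with the union: tenant-wide Read plus Write/RPC on the pump group, and still nothing on the valve group beyond Read. Bob's customer-level admin role reaches the sub-customer's device but not C2's, which is the "scope depends on assignment level" rule from the Generic role section.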

Every entity group list (Devices, Dashboards, Assets, etc.) has a Share icon on each row that opens a one-step sharing dialog — no separate role creation needed for common permission levels:

  1. Navigate to the entity group list (e.g., Dashboards ⇾ Groups).
  2. Click the Share icon on the desired group row.
  3. Select the Customer to share with.
  4. Either enable All users or select a specific user group within that customer.
  5. Select the Permission level:
    • Read — read-only access (no pre-created role required)
    • Write — read and write access (no pre-created role required)
    • Other — select one or more named Group roles you have already created
  6. Click Share.

ThingsBoard creates the GPE automatically. The shared group becomes visible to the selected users with the specified permission level.

Approach | When to use
Quick share (Read / Write) | Sharing a group in one step with no pre-created role
Quick share (Other) | Applying a named Group role via the share dialog
Full role assignment (via Permissions tab) | Reusable roles shared across multiple groups or complex multi-group setups

To create a Group role:

  1. Navigate to Security ⇾ Roles.
  2. Click + Add role.
  3. Fill in the Name (a unique role name).
  4. Role type: select Group.
  5. Under Permissions, specify the required operations (at least one permission entry must be specified).
  6. Click Add.

The Group role is now available for assignment to entity groups.

To assign a Group role to an entity group:

  1. Navigate to the relevant entity type (e.g., Devices ⇾ Groups).
  2. Open the target entity group details.
  3. Go to the Permissions tab.
  4. Click Add.
  5. Select:
    • The created Group role
    • Owner
    • Target user group
  6. Click Add.

The role now applies only to that entity group.

ThingsBoard automatically creates two user groups with associated Generic roles when a Tenant or Customer is created. These defaults give you a working permission structure out of the box.

Tenant defaults:

User group | Associated role | Default permissions
Tenant Administrators | Tenant Administrator (Generic) | All resources — All operations
Tenant Users | Tenant User (Generic) | Profile — All operations; All resources — Read, RPC Call, Read Credentials, Read Attributes, Read Telemetry, Read Calculated Field and Alarm Rules

Customer defaults:

User group | Associated role | Default permissions
Customer Administrators | Customer Administrator (Generic) | All resources — All operations
Customer Users | Customer User (Generic) | Profile — All operations; All resources — Read, RPC Call, Read Credentials, Read Attributes, Read Telemetry

You can modify these default roles or use them as a starting point when building custom permission structures.


Recipe | Role types | What it demonstrates
Read-only analyst | Generic | Read-only access to all tenant entities and telemetry
Customer scoped access | Generic | Restrict users to their own customer’s data without entity groups
Generic role scope | Generic | How the same role grants different access at Tenant vs. Customer level
Isolated device groups | Group | Per-group device access with no cross-access between user groups
Multi-facility access control | Generic + Group | Supervisors, facility managers, and end users across multiple buildings

Each permission entry in a role specifies a resource type and one or more operations:

Operation | What it allows
All | Every operation available for the resource
Create | Create new entities of this resource type
Read | View entity details, configuration, and settings
Write | Modify entities and their configuration
Delete | Delete entities of this resource type
RPC Call | Send RPC commands to devices
Read Credentials | View device credentials, such as access tokens and keys
Write Credentials | Create or update device credentials
Read Attributes | Read client, shared, and server-side attributes
Write Attributes | Create or update attributes
Read Telemetry | Read time-series telemetry data
Write Telemetry | Write time-series telemetry data
Claim Devices | Claim an unassigned device under the current tenant or customer
Impersonate | Log in as another user (applies to the User resource)
Change Owner | Transfer an entity’s ownership between the tenant and its customers
Add to Group | Add entities to an entity group
Remove from Group | Remove entities from an entity group
Share Group | Share an entity group with another customer or user group
Assign to Tenant | Assign a device to another tenant (applies to the Device resource)
Read Calculated Field and Alarm Rules | View calculated fields and alarm rules defined on the entity
Write Calculated Field and Alarm Rules | Create or modify calculated fields and alarm rules on the entity

Permissions are evaluated per resource type — you can grant Read on Device and Write on Dashboard as separate entries within the same role.


The table below lists all available resource types that can be secured using RBAC in ThingsBoard Professional Edition.

Each resource represents a platform entity or system component that supports permission-based access control. Permissions are configured within roles and determine what operations users are allowed to perform on these resources.

Some actions require permission on more than one resource before they succeed — see Cross-resource dependencies below.

Resource | Description
AI | Use configured AI models in platform features, such as the AI rule node.
AI Model | Configure connections to AI providers and their models.
All | Grants selected operations across all resources within the assigned scope.
API Key | Create and manage personal access tokens for the REST API. Also needs User (Write) — each key is stored on a user account.
API Usage State | Access API usage statistics and telemetry metrics.
Alarm | View and manage platform alarms. Creating an alarm needs Read on its originator entity; setting an assignee needs Read on User.
Asset | Manage logical IoT entities such as facilities, vehicles, or fields.
Asset Group | Manage groups of assets for structured access control.
Asset Profile | Configure shared settings for multiple assets.
Audit Log | View system activity and user action history. Viewing the log of a specific entity, customer, or user also needs Read on that target.
Blob Entity | Manage stored binary objects used for reporting and dashboard snapshots.
Converter | Manage uplink and downlink data converters in integrations.
Customer | Manage customer entities within the tenant hierarchy. Customer-level white labeling also needs Read on the Customer.
Customer Group | Manage logical groupings of customers.
Dashboard | Create and manage dashboards and visualizations.
Dashboard Group | Manage dashboard collections.
Device | Manage IoT devices, telemetry, attributes, credentials, and RPC interactions.
Device Group | Manage groups of devices for structured segmentation.
Device Profile | Configure shared device behavior and settings.
Domain | Manage the domains used for OAuth 2.0 logins and mobile apps. Linking OAuth 2.0 clients also needs Read on each client.
Edge | Manage ThingsBoard Edge instances. Assigning a rule chain, integration, scheduler event, or entity group to an edge needs Edge (Write) plus Read on the assigned resource.
Edge Group | Manage groups of Edge instances.
Entity View | Provide limited exposure of device or asset data to customers.
Entity View Group | Manage grouped entity views.
Group Permission | Manage RBAC mappings between user groups, roles, and entity groups. Also needs Read on the Role and Write on the user group (and entity group, for group roles).
Integration | Manage external system integrations.
Mobile App | Manage mobile application configurations.
Mobile Bundle | Manage bundles of mobile applications. Linking OAuth 2.0 clients also needs Read on each client.
Notification | Manage platform notifications and delivery channels. Targeting specific users or groups also needs Read on User (and the target customer, group, or role).
OAuth 2.0 Client | Manage OAuth 2.0 client registrations used for login.
OTA Package | Manage firmware and software update packages for devices.
Profile | Manage personal user profile settings.
QR Code Widget Setting | Configure the mobile QR code shown by the related widget. Pointing it at a bundle also needs Read on the Mobile Bundle.
Queue | Manage rule engine processing queues.
Queue Stats | View rule engine queue statistics.
Report | Generate and manage scheduled reports. Generating a report needs Read on its source dashboard; output is stored as Blob Entities.
Report Template | Manage reusable report configurations.
Resource | Manage shared resource library files.
Role | Manage RBAC roles and permission definitions. A role takes effect once assigned through Group Permission.
Rule Chain | Configure data processing and automation logic.
Scheduler Event | Manage scheduled automation events.
Secret | Manage stored secrets — credentials and tokens referenced by other configurations.
Task | View and manage long-running background jobs and bulk operations.
Tenant | Manage tenant-level configuration and hierarchy.
User | Manage user accounts and access settings.
User Group | Manage user groups for RBAC assignments.
Version Control | Export and restore ThingsBoard entities using Git-based version control. Acting on the entities also needs their own resource permissions (Read to export, Create/Write to import).
White Labeling | Configure platform branding and UI customization. Customer-level branding needs Read on the Customer; login branding for a domain needs Read on the Domain.
Widget Type | Manage individual widget definitions in the UI library.
Widget Bundle | Manage collections of widget types.

A single action often touches more than one resource, so a restricted role usually needs more than the one permission it appears to require. A few recurring patterns explain most of these dependencies:

  • Entity groups — to add or remove entities in a group you need the group permission (Add to Group / Remove from Group) and Read on each entity.
  • Ownership — changing an entity’s owner needs the Change Owner operation on that entity.
  • Referenced entities — when one object points at another, the role also needs Read on what it points to.
  • Group-based access — linking a user group to a role (Group Permission) also needs Read on the Role and Write on the user group.
  • Account-attached objects — objects stored on a user account, such as API keys, also need Write on the User.

The table below lists some example actions where ThingsBoard checks a second permission before it will succeed.

To perform this action | You also need
Create or manage a user’s API Key | Write on User
Create or assign an Alarm | Read on the alarm’s originator entity; Read on User when setting an assignee
Create a relation between two entities | Write on both entities
Create a calculated field or alarm rule | Read on every Customer, Asset, or Device it references
Generate or download a dashboard Report | Read on the source Dashboard
Set a tenant or customer home dashboard | Read on that Dashboard
Send a Notification to specific users or groups | Read on User, plus the target Customer, User Group, or Role depending on the recipient type
Create a Notification request | Read on each Notification target it uses
Configure a Domain with OAuth 2.0 Clients | Read on each OAuth 2.0 Client
Configure a Mobile Bundle with OAuth 2.0 Clients | Read on each OAuth 2.0 Client
Configure login white labeling for a Domain | Read on the Domain
Configure the QR code widget for a Mobile Bundle | Read on the Mobile Bundle
Generate an AI device dashboard | Read, Read Attributes, and Read Telemetry on the Device, plus Create on Dashboard
Assign a Role to a User Group (Group Permission) | Read on the Role and Write on the User Group (and Entity Group, for group roles)
Share an Entity Group | Write on the Entity Group, Write on the target User Group, and Read on the Role
Add or remove entities in an Entity Group | Add to Group / Remove from Group on the Entity Group, and Read on each entity
Create a Device, Asset, Entity View, Customer, User, or Edge directly into an Entity Group | Read on that Entity Group
Change an entity’s owner | Change Owner on the entity; assigning it into target groups also needs Add to Group
Assign a Rule Chain, Integration, Scheduler Event, or Entity Group to an Edge | Write on the Edge and Read on the assigned resource
View an Audit Log for a specific entity, Customer, or User | Read on that entity, Customer, or User
Manage White Labeling at the customer level | Read on the Customer
Configure self-registration with a notification recipient | Read on the Notification target
Export or import entities through Version Control | Read (export) or Create / Write (import) on each entity’s own resource
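When building a restricted role it helps to check the definition against the dependency table above before handing it out, and to flag sensitive operations granted on the wildcard resource (the default Tenant User role, for instance, grants Read Credentials on every resource, which exposes device access tokens). The following audit helper is an added example, not ThingsBoard code. Its DEPENDENCIES map reproduces a subset of the table above; where the page does not name the primary permission of an action (for example Create on Report or Create on Group Permission), that entry is an assumption and is marked as such in the code.

```python
"""Constructed audit of a ThingsBoard PE role definition (added example, not platform code).

A role's permissions are modelled as a dict: resource -> set of operations, using the
resource and operation names from the page. "All" is valid as a resource or an operation.
"""

# action -> every permission that must be present before the action succeeds.
# The first (primary) entry of each list is an assumption where the page only names
# the secondary permission; the remaining entries are the ones the page lists.
DEPENDENCIES = {
    "Create or manage a user's API Key": [("API Key", "Write"), ("User", "Write")],
    "Create a Device alarm and set an assignee": [("Alarm", "Create"), ("Device", "Read"), ("User", "Read")],
    "Generate a dashboard Report": [("Report", "Create"), ("Dashboard", "Read")],
    "Assign a Role to a User Group": [("Group Permission", "Create"), ("Role", "Read"), ("User Group", "Write")],
    "Add a Device to a Device Group": [("Device Group", "Add to Group"), ("Device", "Read")],
    "Assign a Rule Chain to an Edge": [("Edge", "Write"), ("Rule Chain", "Read")],
}

# Operations that expose secrets or let a user widen or transfer access (selection is ours).
SENSITIVE_OPS = {"Read Credentials", "Write Credentials", "Impersonate",
                 "Change Owner", "Share Group", "Delete", "All"}


def grants(permissions, resource, op):
    """True if the role grants op on resource, directly or through a wildcard."""
    ops = permissions.get(resource, set()) | permissions.get("All", set())
    return op in ops or "All" in ops


def missing_for(permissions, action):
    """Permissions the action needs that this role does not grant."""
    return [(r, o) for r, o in DEPENDENCIES[action] if not grants(permissions, r, o)]


def broad_sensitive(permissions):
    """Sensitive operations granted on the wildcard 'All' resource."""
    return sorted(op for op in permissions.get("All", set()) if op in SENSITIVE_OPS)


def audit(permissions, intended_actions):
    missing = {a: missing_for(permissions, a) for a in intended_actions}
    return {
        "missing": {a: m for a, m in missing.items() if m},
        "broad_sensitive": broad_sensitive(permissions),
    }


# Constructed role for a reporting user: looks complete, but API-key management
# also needs Write on User because keys are stored on the user account.
REPORTER = {"API Key": {"All"}, "Report": {"Create", "Read"}, "Dashboard": {"Read"}}

# Default "Tenant User" role as listed in the defaults table above.
TENANT_USER = {
    "Profile": {"All"},
    "All": {"Read", "RPC Call", "Read Credentials", "Read Attributes",
            "Read Telemetry", "Read Calculated Field and Alarm Rules"},
}

if __name__ == "__main__":
    print(audit(REPORTER, ["Create or manage a user's API Key", "Generate a dashboard Report"]))
    print(audit(TENANT_USER, ["Add a Device to a Device Group"]))
```

Run against REPORTER the audit reports the missing Write on User; run against the default Tenant User role it reports Read Credentials granted tenant-wide, which is the first thing to trim when deriving a least-privilege role from that default.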