
Multi-Facility Access Control

Configure access control for a multi-building IoT solution where supervisors monitor all facilities, facility managers administer their own building, and end users view assigned dashboards only.

Prerequisites: Basic familiarity with Roles and RBAC.

The solution covers multiple commercial buildings, each modeled as a Customer, with devices (HVAC, electricity meters, sensors), dashboards, and user groups per building.

| User type | Role types | Scope | What they can do |
|---|---|---|---|
| Supervisor | Generic (read-only) + Group (all on dashboard group) | Tenant | Read all entities across all buildings; manage own dashboards |
| Facility Manager | Default Customer Administrator | Customer (per building) | Full control within their building only |
| End User | Default Customer User | Customer (per building) | View assigned dashboard in full screen |

  1. Navigate to Dashboards ⇾ Groups.
  2. Click Add entity group.
  3. Name: Supervisor Dashboards.
  4. Click Add.

Generic role: “All Entities Read-only”

  1. Navigate to Security ⇾ Roles.
  2. Click + Add role.
  3. Name: All Entities Read-only. Role type: Generic.
  4. Add one permission entry: Resource All, Operations Read, Read Attributes, Read Telemetry.
  5. Click Add.

Group role: “Entity Group Administrator”

  1. Click + Add role.
  2. Name: Entity Group Administrator. Role type: Group.
  3. Add one permission entry: Operations All.
  4. Click Add.

Step 3. Create Supervisors user group and assign roles

  1. Navigate to Users ⇾ Groups.
  2. Click Add entity group. Name: Supervisors.
  3. Open the group details ⇾ Roles tab.
  4. Click Add — assign Generic role All Entities Read-only.
  5. Click Add again — assign Group role Entity Group Administrator for:
       • Owner: Tenant
       • Type: Dashboard
       • Entity group: Supervisor Dashboards
  6. Click Add.

Result: Supervisors can read all entities across all buildings and manage dashboards in Supervisor Dashboards only.


Each building is modeled as a separate Customer. The default Customer Administrators group with all permissions is used — no custom roles needed.

Step 1. Create customer (one per building)

  1. Navigate to Customers.
  2. Click + Add customer.
  3. Title: Building A.
  4. Click Add.

  1. Click Manage customer users for Building A.
  2. Click + Add user.
  3. Enter the facility manager’s email.
  4. Click Add, then copy the activation link.

The new user is placed in the default Customer Administrators group, which has full permissions within the customer scope.

Result: The facility manager can provision devices, manage dashboards, configure thresholds, and manage users within their building — with no access to other buildings.


Step 1. Create dashboard (as Facility Manager)

  1. Log in as the Facility Manager.
  2. Navigate to Dashboards.
  3. Create dashboard End User Dashboard and add the required widgets.
  4. Click Save.

  1. Navigate to Users ⇾ Customer Users.
  2. Click + Add user, enter the end user’s email.
  3. Click Add, then open the user details ⇾ Edit.
  4. Set Default dashboard to End User Dashboard.
  5. Enable Always fullscreen.
  6. Apply changes.

Result: The end user sees only the assigned dashboard, which opens in full screen, and has no access to the admin panel.


| User | Expected access |
|---|---|
| Supervisor | Can view telemetry from all buildings; can edit only Supervisor Dashboards; cannot modify devices |
| Facility Manager (Building A) | Can manage devices and dashboards for Building A; no access to other buildings |
| End User (Building A) | Sees only the assigned dashboard in full screen; read-only |
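
The expected-access table above can be checked against a small model of how the Generic role, the Group role and customer ownership combine. This is an added example, not ThingsBoard code: the evaluation logic is a simplification, and the sample entities, the `Write` operation name used to probe it, and the read-only grant for the end user are assumptions.

```python
# Added example: simplified model of the roles configured on this page.
# Not ThingsBoard code; evaluation logic and sample entities are assumptions.
from dataclasses import dataclass

READ_ONLY = frozenset({"Read", "Read Attributes", "Read Telemetry"})
ALL = frozenset({"All"})

@dataclass(frozen=True)
class Entity:
    kind: str        # "Device" or "Dashboard"
    owner: str       # "Tenant" or a customer title such as "Building A"
    group: str = ""  # entity group the entity belongs to, if any

@dataclass(frozen=True)
class Grant:
    role_type: str   # "Generic" or "Group"
    ops: frozenset
    group: str = ""  # Group roles only: entity group the role is bound to

@dataclass(frozen=True)
class User:
    owner: str       # owner of the user's group: "Tenant" or a customer
    grants: tuple

def allowed(user, op, entity):
    """Return True if any of the user's grants permits op on entity."""
    for g in user.grants:
        if "All" not in g.ops and op not in g.ops:
            continue
        if g.role_type == "Group":
            # A Group role reaches only entities inside its bound group.
            if g.group and entity.group == g.group:
                return True
        elif user.owner in ("Tenant", entity.owner):
            # A Generic role covers the user's own owner; a tenant-level
            # user also covers every customer below the tenant.
            return True
    return False

# Constructed sample data mirroring the three user types on this page.
supervisor = User("Tenant", (Grant("Generic", READ_ONLY),
                             Grant("Group", ALL, "Supervisor Dashboards")))
manager_a = User("Building A", (Grant("Generic", ALL),))
end_user_a = User("Building A", (Grant("Generic", READ_ONLY),))  # assumed read-only

hvac_a = Entity("Device", "Building A")
meter_b = Entity("Device", "Building B")
sup_dash = Entity("Dashboard", "Tenant", "Supervisor Dashboards")
dash_a = Entity("Dashboard", "Building A")
```

The denied cases are the ones to test after any role change: a supervisor writing to a device, and a Building A user reading anything owned by Building B.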

This configuration combines:

  • Generic roles for tenant-wide read-only visibility.
  • Group roles for controlled dashboard management.
  • Customer hierarchy for strict per-building isolation.
  • Default groups (Customer Administrators, Customer Users) where custom roles are unnecessary.