
Identity and Access Management (IAM)

This page explains how to control access to devices using Identity and Access Management (IAM). Access privileges can be assigned at the subscription level and cannot be managed at the individual device or registry level. Typically, access is granted to individuals or groups of users. For information on device security, which uses public/private key authentication, please refer to the section on device security.

For instance, if you assign a user the role of a provisioner in an IAM policy for a subscription, that user will have the ability to add or remove devices, but will not be able to modify or delete the registry itself.

Managing Users

You can manage the users in your current OmniCore subscription by navigating to the IAM > Users section. Users can be added using their email address, which must belong to the tenant domain. For example, if your organization domain is @example.com, only users with the same domain can be added. There is an exception for adding Partner staff, which will be described in the Partner section below.

Roles

A role is a collection of permissions. For example, the role of "roles/viewer" includes the permissions "registries.get," "registries.list," "devices.get," and "devices.list." Roles are assigned to users to grant them the ability to perform actions on the registries within your subscription.


The following table lists the OmniCore IAM roles, including the permissions associated with each role:

Viewer
  Description: Read-only access to all OmniCore resources
  Permissions:
    omnicore.registries.get
    omnicore.registries.list
    omnicore.devices.get
    omnicore.devices.list
    omnicore.sinks.list
    omnicore.apikeys.list
    omnicore.metrics.get
    omnicore.subscription.get

DeviceController
  Description: Access to update the configuration of devices, but not to create or delete devices
  Permissions: all of the above, and:
    omnicore.devices.updateConfig
    omnicore.devices.sendCommand

Provisioner
  Description: Access to create and delete devices from registries, but not to modify the registries
  Permissions: all of the above, and:
    omnicore.devices.create
    omnicore.devices.delete
    omnicore.devices.update
    omnicore.devices.bindGateway
    omnicore.devices.unbindGateway

Editor
  Description: Read-write access to all Cloud IoT resources
  Permissions: all of the above, and:
    omnicore.registries.create
    omnicore.registries.delete
    omnicore.registries.update
    omnicore.audits.list

Admin
  Description: Read-write access to all User and Identity Provider resources
  Permissions: all of the above, and:
    omnicore.users.list
    omnicore.users.create
    omnicore.users.delete
    omnicore.users.update
    omnicore.users.get
    omnicore.roles.list
    omnicore.roles.get
    omnicore.providers.list
    omnicore.sinks.create
    omnicore.sinks.delete
    omnicore.sinks.get
    omnicore.apikeys.create
    omnicore.apikeys.delete
    omnicore.apikeys.getKey
    omnicore.partners.list
    omnicore.partners.create
    omnicore.partners.delete
    omnicore.migration.listBatches
    omnicore.migration.getKey
    omnicore.migration.createKey
    omnicore.migration.startMigration
    omnicore.migration.getBatch
    omnicore.migration.resolveConflict
    omnicore.subscription.audits

TenantAdmin
  Description: Full control of Tenant. Access to all subscriptions under the tenant
  Permissions: all of the above, and:
    omnicore.tenant.update
    omnicore.tenant.audits
    omnicore.users.resetPassword
    omnicore.users.disableUser
    omnicore.users.createTenantAdmin
    omnicore.users.updateTenantAdmin
    omnicore.users.deleteTenantAdmin
    omnicore.providers.create
    omnicore.providers.delete
    omnicore.providers.update
    omnicore.providers.get

APIReader
  Description: Read-only access to Devices and Registries
  Permissions:
    omnicore.registries.get
    omnicore.registries.list
    omnicore.devices.get
    omnicore.devices.list

APIController
  Description: Access to update the configuration of devices, but not to create or delete devices
  Permissions:
    omnicore.registries.get
    omnicore.registries.list
    omnicore.devices.get
    omnicore.devices.list
    omnicore.devices.updateConfig
    omnicore.devices.sendCommand

APIAdmin
  Description: Backend Application invoking OmniCore through API
  Permissions:
    omnicore.registries.get
    omnicore.registries.list
    omnicore.devices.get
    omnicore.devices.list
    omnicore.devices.updateConfig
    omnicore.devices.sendCommand
    omnicore.devices.create
    omnicore.devices.delete
    omnicore.devices.update
    omnicore.devices.bindGateway
    omnicore.devices.unbindGateway
    omnicore.registries.create
    omnicore.registries.delete
    omnicore.registries.update
    omnicore.sinks.list
    omnicore.sinks.get
    omnicore.sinks.create
    omnicore.sinks.delete
    omnicore.metrics.get
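
The following example is added here and is not OmniCore's own code: it transcribes the role table above into a small resolver that follows the "All of the above" chain of the console roles (Viewer through TenantAdmin), keeps the API* roles as flat lists, and picks the least-privileged role that still covers a required set of permissions. Treating the API* roles as the roles for backend applications follows the APIAdmin description; the function names (effective_permissions, least_privileged_role, missing_permissions) are the example's own.

```python
"""Resolve effective OmniCore IAM permissions and pick the least-privileged role.

Added example, not OmniCore's own code. The role data is transcribed from the
role table on this page. Console roles chain through "All of the above"
(Viewer -> DeviceController -> Provisioner -> Editor -> Admin -> TenantAdmin)
and are modelled as inheritance; API* roles are flat lists and, following the
APIAdmin description, are treated here as the roles for backend applications.
"""

# role -> (parent role or None, permissions added on top of the parent)
ROLES = {
    "Viewer": (None, [
        "omnicore.registries.get", "omnicore.registries.list",
        "omnicore.devices.get", "omnicore.devices.list",
        "omnicore.sinks.list", "omnicore.apikeys.list",
        "omnicore.metrics.get", "omnicore.subscription.get"]),
    "DeviceController": ("Viewer", [
        "omnicore.devices.updateConfig", "omnicore.devices.sendCommand"]),
    "Provisioner": ("DeviceController", [
        "omnicore.devices.create", "omnicore.devices.delete",
        "omnicore.devices.update", "omnicore.devices.bindGateway",
        "omnicore.devices.unbindGateway"]),
    "Editor": ("Provisioner", [
        "omnicore.registries.create", "omnicore.registries.delete",
        "omnicore.registries.update", "omnicore.audits.list"]),
    "Admin": ("Editor", [
        "omnicore.users.list", "omnicore.users.create", "omnicore.users.delete",
        "omnicore.users.update", "omnicore.users.get", "omnicore.roles.list",
        "omnicore.roles.get", "omnicore.providers.list", "omnicore.sinks.create",
        "omnicore.sinks.delete", "omnicore.sinks.get", "omnicore.apikeys.create",
        "omnicore.apikeys.delete", "omnicore.apikeys.getKey",
        "omnicore.partners.list", "omnicore.partners.create",
        "omnicore.partners.delete", "omnicore.migration.listBatches",
        "omnicore.migration.getKey", "omnicore.migration.createKey",
        "omnicore.migration.startMigration", "omnicore.migration.getBatch",
        "omnicore.migration.resolveConflict", "omnicore.subscription.audits"]),
    "TenantAdmin": ("Admin", [
        "omnicore.tenant.update", "omnicore.tenant.audits",
        "omnicore.users.resetPassword", "omnicore.users.disableUser",
        "omnicore.users.createTenantAdmin", "omnicore.users.updateTenantAdmin",
        "omnicore.users.deleteTenantAdmin", "omnicore.providers.create",
        "omnicore.providers.delete", "omnicore.providers.update",
        "omnicore.providers.get"]),
    "APIReader": (None, [
        "omnicore.registries.get", "omnicore.registries.list",
        "omnicore.devices.get", "omnicore.devices.list"]),
    "APIController": (None, [
        "omnicore.registries.get", "omnicore.registries.list",
        "omnicore.devices.get", "omnicore.devices.list",
        "omnicore.devices.updateConfig", "omnicore.devices.sendCommand"]),
    "APIAdmin": (None, [
        "omnicore.registries.get", "omnicore.registries.list",
        "omnicore.devices.get", "omnicore.devices.list",
        "omnicore.devices.updateConfig", "omnicore.devices.sendCommand",
        "omnicore.devices.create", "omnicore.devices.delete",
        "omnicore.devices.update", "omnicore.devices.bindGateway",
        "omnicore.devices.unbindGateway", "omnicore.registries.create",
        "omnicore.registries.delete", "omnicore.registries.update",
        "omnicore.sinks.list", "omnicore.sinks.get", "omnicore.sinks.create",
        "omnicore.sinks.delete", "omnicore.metrics.get"]),
}


def effective_permissions(role):
    """Every permission the role holds after following its 'All of the above' chain."""
    perms = set()
    current = role
    while current is not None:
        parent, own = ROLES[current]
        perms.update(own)
        current = parent
    return frozenset(perms)


def least_privileged_role(required, api_client=False):
    """Smallest role (by permission count) that covers all of `required`, or None.

    api_client=True limits the choice to the API* roles; False to the console
    roles assigned to users.
    """
    required = set(required)
    candidates = [r for r in ROLES if r.startswith("API") == api_client]
    fitting = [r for r in candidates if required <= effective_permissions(r)]
    if not fitting:
        return None
    return min(fitting, key=lambda r: len(effective_permissions(r)))


def missing_permissions(role, required):
    """Permissions in `required` that `role` does not grant (explains a rejected choice)."""
    return sorted(set(required) - effective_permissions(role))
```

A useful way to read the result: a user who must push device configuration and also enrol devices needs Provisioner, not DeviceController, and `missing_permissions` names exactly which permission forces the step up. A backend that only sends commands fits APIController; asking for any user-management permission from an API role returns None, because no API* role carries it.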


Identity Management

OmniCore uses GCP Identity Platform for user management. The default identity provider in OmniCore is Email/Password, but you can enable SSO with your organization's identity platform by using the SAML sign-in provider. To configure the SAML provider:

  • Go to the console.
  • Choose IAM and under provider click the Add a Provider button.
  • From the dropdown, select the SAML option.
  • Enter the following details:
    1. The Name of the provider. This can be the same as the provider ID, or a custom name. If you enter a custom name, click Edit next to Provider ID to specify the ID (which must begin with saml.).
    2. The provider's Entity ID.
    3. The provider's SAML SSO URL.
    4. The certificate used for token-signing on the provider. Make sure to include the start and end strings. For example:

      Certificate start and end strings
      -----BEGIN CERTIFICATE-----
      MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czEL
      ...
      LEzc1JwEGQQVDYQCwsQMSBDAF0QAB0w9GikhqkgBNADABIgABIwAgOdACCjaCIIM
      -----END CERTIFICATE-----
  • Under Service provider, enter the Entity ID of your app. This is typically your app's URL. On your SAML identity provider, this is referred to as the audience.
  • Add your app to the list of Authorized Domains. For example, if your app's sign-in URL is https://example.com/login, add example.com.
  • Click Save.
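
The checks below are an added example, not OmniCore's or Identity Platform's code. They encode the rules stated in the steps above (the provider ID must begin with `saml.`, the signing certificate must be pasted with its BEGIN and END lines, and the authorized domain is the host of the app's sign-in URL) and add one check a practitioner usually wants: that the pasted certificate body is complete, which is detected by comparing the length declared by the outer DER SEQUENCE with the number of bytes actually decoded. The dictionary keys, the `GOOD_CERT` placeholder (a tiny DER structure, not a real certificate) and the sample URLs are constructed for this example.

```python
"""Sanity-check the fields entered when adding a SAML provider to OmniCore IAM.

Added example, not OmniCore's own code. Field names are constructed for this
example; the certificate fragment comes from the page's own illustration.
"""
import base64
import binascii
from urllib.parse import urlparse

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def _der_sequence_length(der):
    """Return (header_len, content_len) of the outer DER SEQUENCE, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def validate_certificate(pem):
    """Problems with the pasted signing certificate; an empty list means it looks usable."""
    problems = []
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_BEGIN:
        problems.append("missing BEGIN CERTIFICATE line")
    if not lines or lines[-1] != PEM_END:
        problems.append("missing END CERTIFICATE line")
    body = "".join(ln for ln in lines if ln not in (PEM_BEGIN, PEM_END))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("certificate body is not valid base64 (an elided '...' or stray character?)")
        return problems
    shape = _der_sequence_length(der)
    if shape is None:
        problems.append("decoded data does not start with a DER SEQUENCE")
    elif sum(shape) != len(der):
        problems.append(f"outer SEQUENCE declares {sum(shape)} bytes but {len(der)} were "
                        "decoded; the paste looks truncated")
    return problems


def validate_provider_id(provider_id):
    """The custom Provider ID must begin with 'saml.' followed by a name."""
    if not provider_id.startswith("saml.") or len(provider_id) <= len("saml."):
        return [f"provider ID {provider_id!r} must begin with 'saml.' followed by a name"]
    return []


def authorized_domain(sign_in_url):
    """Domain to add under Authorized Domains: the host of the app's sign-in URL."""
    host = urlparse(sign_in_url).hostname
    if not host:
        raise ValueError(f"cannot derive a domain from {sign_in_url!r}")
    return host


def validate_saml_provider(config):
    """Run every check over a dict holding the console form fields (constructed keys)."""
    problems = validate_provider_id(config.get("provider_id", ""))
    for field in ("entity_id", "sso_url", "sp_entity_id"):
        if not config.get(field):
            problems.append(f"{field} is empty")
    problems += validate_certificate(config.get("certificate", ""))
    try:
        domain = authorized_domain(config.get("sign_in_url", ""))
        if domain not in config.get("authorized_domains", []):
            problems.append(f"authorized domains must include {domain}")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed placeholder: a DER SEQUENCE holding INTEGER 5 (30 03 02 01 05),
# framed like a certificate. Not a certificate, only structurally consistent.
GOOD_CERT = f"{PEM_BEGIN}\nMAMCAQU=\n{PEM_END}"

# The fragment shown on this page: framing and base64 are fine, but the outer
# SEQUENCE declares 618 content bytes while only 96 bytes were pasted.
TRUNCATED_CERT = f"""{PEM_BEGIN}
MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czEL
LEzc1JwEGQQVDYQCwsQMSBDAF0QAB0w9GikhqkgBNADABIgABIwAgOdACCjaCIIM
{PEM_END}"""

EXAMPLE_CONFIG = {                          # constructed sample values
    "provider_id": "saml.corp-idp",
    "entity_id": "https://idp.example.com/metadata",
    "sso_url": "https://idp.example.com/sso",
    "certificate": GOOD_CERT,
    "sp_entity_id": "https://example.com",
    "sign_in_url": "https://example.com/login",
    "authorized_domains": ["example.com"],
}
```

The truncation check is the one that catches the most common paste mistake: a certificate copied without its last lines still has valid framing and valid base64, so only the DER length comparison reveals it. A certificate that passes these checks has the right shape; whether it is the identity provider's current signing certificate still has to be confirmed against the provider's metadata.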

Partner

If you have an OmniCore Partner serving as your System Integrator, you can grant access to your OmniCore subscription for their staff. To do this, you first need to add the Partner to your subscription, which can be done in the IAM section. Simply click on the "Add Partner" option and enter the partner code provided by your partner. After adding the Partner, you can grant access to their employees for the current OmniCore Subscription.

Note: The partner association to your subscription will depend on the chosen Deployment Option.