IAM roles and permissions
Overview of IAM
Identity and Access Management (IAM) allows you to control user access to Salto Nebula API resources at the installation level. For example, you can specify that a user has full control over all aspects of a specific installation (access rights, access points, users, …), or a more granular level of permissions such as only being able to manage other users.
You can grant roles to users by creating an IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.
This guide focuses on the IAM permissions available in the Nebula API and the IAM roles that include those permissions.
Note that this document is an overview of IAM in the Nebula API and is not intended to specify each and every permission available. The permissions belonging to each predefined role can change frequently, so do not hard-code assumptions about a role's exact contents.
Permissions
Permissions allow users to perform specific actions on Nebula API resources.
For example, the nebula.user.create permission allows a user with a management role to create a user, while nebula.user.list would allow the same manager to list a set of users.
You don't directly give permissions to users.
Instead, you grant them predefined roles which have one or more permissions bundled within them.
Predefined roles
A predefined role is a collection of one or more permissions.
For example, the predefined role iam-roles/access-right.admin contains the permissions nebula.access-right.create and nebula.access-right.list, amongst others.
A predefined role can be granted to users, allowing them to perform actions on the resources in your installation.
Predefined roles can be combined to give greater permissions to users as required.
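The following is an added example, not code from the Nebula API or its documentation, that models the three rules stated above: permissions are never granted directly but only through predefined roles, a policy is a collection of role bindings on an installation, and a user's effective permissions are the union of every role bound to them (so combining roles only ever adds access, and a member with no binding gets nothing). The role-to-permission table is an illustrative assumption built only from the permission names used on this page; the real contents of each predefined role are not fixed here. The owner-uniqueness check mirrors the table below, where an installation has exactly one owner.

```python
"""Toy model of role-based IAM as described on this page (hypothetical code,
not the Nebula API client). Roles bundle permissions; a policy binds roles to
members on one installation; an access check is a lookup in the union of the
caller's bound roles."""
from __future__ import annotations
from dataclasses import dataclass, field

# Illustrative role definitions (assumption): only permission names that appear
# on this page are used, and the real roles contain more than this.
ROLES: dict[str, frozenset[str]] = {
    "iam-roles/owner": frozenset({
        "nebula.user.create", "nebula.user.list",
        "nebula.access-right.create", "nebula.access-right.list",
    }),
    "iam-roles/admin": frozenset({
        "nebula.user.create", "nebula.user.list",
        "nebula.access-right.create", "nebula.access-right.list",
    }),
    "iam-roles/user.admin": frozenset({
        "nebula.user.create", "nebula.user.list",
        "nebula.access-right.list",          # may list access rights, not create them
    }),
    "iam-roles/access-right.admin": frozenset({
        "nebula.access-right.create", "nebula.access-right.list",
    }),
}


@dataclass
class Binding:
    role: str
    members: set[str] = field(default_factory=set)


@dataclass
class Policy:
    """IAM policy for one installation: a collection of role bindings."""
    bindings: list[Binding] = field(default_factory=list)


def grant_role(policy: Policy, role: str, member: str) -> None:
    """Bind a predefined role to a member. Raw permission strings are rejected,
    and a second owner is rejected (ownership is transferred, not duplicated)."""
    if role not in ROLES:
        raise ValueError(f"{role!r} is not a predefined role; "
                         "permissions cannot be granted directly")
    if role == "iam-roles/owner":
        owners = {m for b in policy.bindings if b.role == role for m in b.members}
        if owners - {member}:
            raise ValueError("an installation has exactly one owner")
    for b in policy.bindings:
        if b.role == role:
            b.members.add(member)
            return
    policy.bindings.append(Binding(role, {member}))


def grant_rejected(policy: Policy, role: str, member: str) -> bool:
    """True if grant_role refuses the binding (used to demonstrate the rules)."""
    try:
        grant_role(policy, role, member)
    except ValueError:
        return True
    return False


def effective_permissions(policy: Policy, member: str) -> frozenset[str]:
    """Union of the permissions of every role bound to the member; empty set
    (deny by default) for a member with no binding."""
    perms: set[str] = set()
    for b in policy.bindings:
        if member in b.members:
            perms |= ROLES[b.role]
    return frozenset(perms)


def is_allowed(policy: Policy, member: str, permission: str) -> bool:
    return permission in effective_permissions(policy, member)


def demo_policy() -> Policy:
    """Constructed sample: one owner, one user manager, one user who combines
    the user manager and access right manager roles."""
    p = Policy()
    grant_role(p, "iam-roles/owner", "alice@example.com")
    grant_role(p, "iam-roles/user.admin", "bob@example.com")
    grant_role(p, "iam-roles/user.admin", "carol@example.com")
    grant_role(p, "iam-roles/access-right.admin", "carol@example.com")
    return p


if __name__ == "__main__":
    p = demo_policy()
    for who in ("bob@example.com", "carol@example.com", "dave@example.com"):
        print(who, sorted(effective_permissions(p, who)))
```

The point to take from the model is the direction of the union: adding a role to a member can only widen their access, so auditing a policy means reviewing every binding a member appears in, not just the "largest" one. The real check is enforced server-side by the API on each request; a client-side model like this is only useful for reasoning about a policy before applying it. Unit-scoped roles (iam-roles/unit.admin and iam-roles/unit.user-admin) are deliberately left out because they apply to a unit rather than the whole installation, which this installation-level model does not represent.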
The Nebula API currently has the predefined roles described in the following table. The table displays each role alongside the title it maps to in the front-end web application at nebula.saltosystems.com, together with a broad description of some of the kinds of permissions each role contains.
Role | Title | Description |
---|---|---|
iam-roles/owner | Owner | There can only be one owner in an installation. Similar to the admin (system manager) role, but also has permission to transfer ownership of an installation and delete an installation. Has complete access to all Nebula resources. A user with this role can: - Grant and revoke permissions to other users for all Nebula resources - Allocate and delete Nebula resources - Issue get/list/modify operations on Nebula resources |
iam-roles/admin | System manager | Has access to all Nebula resources except installation ownership transfer and delete installation. A user with this role can: - Grant and revoke permissions to other users for all Nebula resources - Allocate and delete Nebula resources - Issue get/list/modify operations on Nebula resources |
iam-roles/user.admin | User manager | A user with this role can: - Get/list/create/delete users in an installation - Grant/revoke access to installations - Assign keys to users - Get/list access rights and the access points included within them |
iam-roles/access-right.admin | Access right manager | A user with this role can: - Get/list/create/delete access rights within an installation - Add access points to access rights and remove them - Get/list the access points included within them |
iam-roles/device.admin | Device manager | Recommended to grant to installers and maintenance teams. A user with this role can: - Get/list/create/configure/delete devices such as electronic locks, gateways, extenders and controllers in an installation |
iam-roles/unit.admin | Unit manager (can create other unit managers) | A unit manager does not see any of Nebula's access control elements at the installation level. Instead, they manage their own unit, mainly by allowing other users access. A user with this role can: - Create other unit managers - Create and manage regular users who are keyholders with no management permissions |
iam-roles/unit.user-admin | Unit manager (cannot create other unit managers) | A unit manager does not see any of Nebula's access control elements at the installation level. Instead, they manage their own unit, mainly by allowing other users access. A user with this role: - Can manage regular users who are keyholders - Can manage users with management permissions but cannot modify their management permissions - Cannot create users with management permissions |
See also the document on management roles on the support.saltosystems.com website.
For more information about IAM and its features, see the Google Cloud Identity and Access Management developer's guide.