# User Roles

Ability Principal Manager defines three admin roles, each with a different set of permissions and responsibilities. These roles are:

  • Ability Administrator
  • Solution Administrator
  • Tenant Administrator

Additionally, a Tenant User role should be taken into account: this role represents the end user of a solution that is built on top of the Ability Platform.

All of the operations that each of the roles can perform are explained in the Admin Portal article.

# Ability Administrator

Ability Administrators are ABB personnel who maintain and operate the ABB Ability™ Platform. The Operations Team is responsible for adding solutions and tenants and for assigning the initial Solution Administrator of any solution created. However, in development environments, BL employees can be promoted to Ability Administrators to facilitate development.

Ability Administrator Tasks

Upon login, the Ability Administrator dashboard looks as follows:

Dashboard

# Solution Administrator

It is intended that only ABB BL employees can be designated as Solution Administrators. Solution Administrators can add additional Solution Administrators and configure tenant users and permissions. The BL is typically the owner of a solution and has the responsibility to configure the environment for its tenants. The primary purpose is to define the application, roles, grants and associated permissions.

Solution Administrator Tasks

Solution Ability Administrator Tasks

# Devices

Solution Administrators are responsible for managing the devices that connect to the Ability Platform. Device management includes on-boarding devices, associating a device with a solution and a tenant, and managing the grants for the device (either directly or via a group membership).

Devices are always on-boarded under a solution. A default "Device Grant" is created at the time the solution is created. This grant refers to a default "Device Role", which is also created together with the solution and contains the permissions that allow devices to work with the Ability Platform.

When a contract is created between a solution and a tenant, a "Device Group" is created and the solution's "Device Grant" is assigned to this device group. When a device is associated with that combination of solution and tenant, the device is automatically added to the device group. This means the device automatically receives the solution's device grant through its membership in the device group.

A Solution Administrator can also assign individual grants to devices. This is useful when additional capabilities must be enabled on a per-device basis.

NOTE

A device can be on-boarded without associating it with a tenant. The association can be made later, for any tenant that has a contract with the solution.

# Edit a Device

Later, once the tenancy of the device is known, the tenant can be associated with it.

NOTE

Assigning a tenancy to a device automatically makes the device a member of the tenant's device group. Hence the device grant associated with that device group applies to the device as soon as the tenant association is made.

# Grant Assignment

A Solution Administrator can further assign a grant to a device by selecting the "Edit" icon for the device and assigning a grant from the "Grants" tab.

# Remove a Device

A Solution Administrator can also remove a device from the solution. Selecting the delete button on a device performs the following:

  • Removes the device from the solution and the tenant.
  • Removes the device from the "Device Group".
  • De-registers the device from the connectivity provider (IoT Hub).
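As an added illustration (not Ability Platform code), the following hypothetical in-memory model captures the device rules described above: the default Device Grant reaches a device only through the tenant's Device Group, individual grants are added per device, and removal clears both the group membership and the connectivity-provider registration. All class and method names, the permission strings and the IoT Hub stand-in are constructed for this example.

```python
class Device:
    def __init__(self, solution):
        self.solution, self.tenant, self.direct_grants = solution, None, set()  # tenant unknown until associated

class Registry:
    def __init__(self):
        self.device_grants = {}    # solution -> permissions of the default "Device Grant"
        self.device_groups = {}    # (solution, tenant) -> device ids in that "Device Group"
        self.devices = {}
        self.iot_hub = set()       # constructed stand-in for the connectivity provider

    def create_solution(self, solution, device_role_permissions):
        # The default "Device Grant" / "Device Role" is created together with the solution.
        self.device_grants[solution] = frozenset(device_role_permissions)

    def create_contract(self, solution, tenant):
        # A contract creates the tenant's "Device Group", which carries the solution's Device Grant.
        self.device_groups[(solution, tenant)] = set()

    def onboard_device(self, device_id, solution, tenant=None):
        if tenant is not None and (solution, tenant) not in self.device_groups:
            raise KeyError(f"{tenant} has no contract with {solution}")
        self.devices[device_id] = Device(solution)
        self.iot_hub.add(device_id)               # registration with the connectivity provider
        if tenant is not None:                    # tenant association is optional at on-boarding
            self.associate_tenant(device_id, tenant)

    def associate_tenant(self, device_id, tenant):
        dev = self.devices[device_id]
        if (dev.solution, tenant) not in self.device_groups:
            raise KeyError(f"{tenant} has no contract with {dev.solution}")
        dev.tenant = tenant
        self.device_groups[(dev.solution, tenant)].add(device_id)   # group membership is automatic

    def assign_grant(self, device_id, permission):
        self.devices[device_id].direct_grants.add(permission)       # per-device grant ("Grants" tab)

    def effective_permissions(self, device_id):
        dev = self.devices[device_id]
        perms = set(dev.direct_grants)
        if dev.tenant is not None:                # group grant applies only once in a Device Group
            perms |= self.device_grants[dev.solution]
        return frozenset(perms)

    def remove_device(self, device_id):
        dev = self.devices.pop(device_id)
        if dev.tenant is not None:
            self.device_groups[(dev.solution, dev.tenant)].discard(device_id)
        self.iot_hub.discard(device_id)           # de-register from the connectivity provider
```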

# Tenant Administrator

Tenant Administrators represent end-customer employees who can assign application-specific roles (defined by the Solution Administrator) and grants to the users of their tenant as needed.

Tenant Administrator Tasks

# Configure Group Mapping

Group Mapping allows an Azure Active Directory (AAD) group that exists in a customer's AAD to be mapped to an Ability-defined group. Users belonging to the AAD group in the customer organization then automatically receive the grants of the Ability group they are mapped to. This simplifies user on-boarding: only the corresponding AAD group needs to be mapped to a group in the Ability Platform, and grants are assigned at the group level.

# Tenant User

Tenant Users are the customers who get access to an Ability-based solution. They are the actual consumers of that solution and can access the various functionalities of the Platform with the appropriate permissions. The Tenant Administrator assigns grants and roles to Tenant Users as needed.

Last updated: 9/6/2021, 1:25:50 PM