Permissions¶
In the DataPortal, you can assign each user individually a Permission Set.
A Permission Set is a group of entitlements consisting of levels and subjects that can be organized by user roles. User roles combine specific Permission Sets to represent a functional role within your organization. Permission Sets are assigned during user account creation. For details, see User Management.
The following documentation gives you an overview of:
- the subjects including the entitlements for each level
- the assignment of user roles
Levels¶
The level defines which actions the user can perform for a given subject.
Beginning with level View, each successive level contains the capability provided for in the previous level.
| Level | Description |
|---|---|
| None | The user can sign in to the DataPortal but has no subject visibility. |
| View | The user can consume the subject data but cannot remove or change the configuration. The account is limited to read access. |
| Maintain | The user can perform management operations (i.e. set password, change name) on a pre-set configuration for the subject |
| The user however usually cannot perform create/delete operations. | |
| Admin | Full operation capability including create/delete for a given subject in all visible organizations. The account is able to perform CRUD (create, read, update and delete) operations for users and subjects for all visible organizations for the subject. |
Note
Keep in mind that Permission Set Levels are applied across all child organization units.
Subjects¶
The Permission subject defines the DataPortal entity or object that the level applies to. The principle DataPortal subject, descriptions and permissions levels are described in this section.
The following subjects are available for assigning permission levels to users:
Subject Descriptions¶
The following tables list the available subjects along with their descriptions for each permission level.
Assignment Subject¶
The Assignment Permission Set is allows users to edit and maintain Assignments.
| Level | Description |
|---|---|
| View | Allows access to assignments. |
| Maintain | Allows updating the: |
| - assignment title | |
| - assignment description | |
| - assignment time range | |
| - assignment external key | |
| - assignment status | |
| - assignment machines | |
| Admin | Allows creating a new assignment. |
| Allows deleting a new assignment. |
Note
Assignments access is limited to exact organization unit match.
Contract Subject¶
The Contract Permission Set allows users to edit and manage the contracts of the machines' CU.
| Level | Description |
|---|---|
| View | View contract data for the machine with the basic attributes: |
| - contract identifier | |
| - order number | |
| - state | |
| - end date | |
| Submit a contract renewal request. | |
| Maintain | View the contract attributes: |
| - tariff description | |
| - activation date | |
| - start date | |
| - next billing date | |
| - tariff begin date | |
| - tariff end date | |
| Perform Go Live requests on provisioned machines. | |
| Admin |
Dashboard Subject¶
The Dashboard Permission Set allows users to edit and manage organization and model dashboards for their organization(s).
Note
This permission can be only granted to users within tenant organization and of Organization Type "OEM".
| Level | Description |
|---|---|
| None | The user is not allowed to edit or create dashboards. |
| Admin | Allows to edit and manage dashboards. |
Note
Assignment of additional dashboards to lower level organizations will break the chain of inheritance. Please refer to chapter Dashboard.
Location Subject¶
The Location Permission Set governs user access to location data for all events, tracking, reports, maps and notifications. Location access is set to none by default and must be configured by an administrator.
| Level | Description |
|---|---|
| None | The user is not allowed to see any location data. |
| Latest location | The user location data view is restricted to the current location. |
| Location history | The user can view the latest location and location history. |
Maintenance Task Subject¶
The "Task" subject is referred to as the Maintenance Task Subject within this manual.
The Maintain permission level for this subject is typically granted to the Dealer user role
Tasks can be seen if the user can access the machine.
| Level | Description |
|---|---|
| View | - Enables users to see the scheduled Maintenance Tasks. |
| - Users with solely machine view permission can also see them. | |
| - The status Upcoming, Overdue, Completed and Skipped can be viewed, but not edited. | |
| - Checklist item updates can be viewed only when the maintenance task has been completed, but not in the History | |
| They will appear as "Pending" until the task is completed, then will show as the actual state. | |
| - Print Maintenance Tasks. | |
| - View the feature Acknowledge Maintenance Tasks | |
| Maintain | Can change the status of a maintenance tasks for a machine |
| Can update the activities checkboxes and the completion note | |
| Can view the History of the assigned maintenance task. | |
| Admin | Can assign a maintenance task to another user |
| Can view the History of all maintenance tasks | |
| View the signature for Acknowledge Maintenance Tasks |
Operational Subject¶
The Operational:View Permission Set allows read-only access to Product Data and selected Related Service Data via the Proemion REST API. It was introduced to support compliance with the EU Data Act (Regulation (EU) 2023/2854) and is only used for the creation of REST API Clients to facilitate data access. The Operational:View Permission Set can replace the previous Permission Set for relevant endpoints, enabling secure access to the required data.
For example, if an endpoint previously required Machine:Admin Permission Set for reading Related Service Data, it can now be accessed with either the Machine:Admin or the Operational:View Permission Set.
| Level | Description |
|---|---|
| View | Allows API clients to retrieve readily available Product Data and selected Related Service Data. This level does not allow modification of machines, configurations, actions, or services and does not provide access to Derived Information. |
Organization Subject¶
The Organization Permission Set allows users to edit and manage users and machines of the organization (unit).
| Level | Context | Description |
|---|---|---|
| View | - | User can view organization units. |
| Maintain | Org Unit | View: - OEM external key (filter and sort) |
| Move: - machines to a different organization unit - users to a different organization unit |
||
| Update: - organization unit parent based on the candidate list - organization unit type - organization unit Name - user Permission Sets |
||
| Retrieve a list of: - organization unit parent candidates - user Permission Sets |
||
| Create an organization unit. | ||
| Delete an organization unit. | ||
| Share machines to a different organization unit. See Machine Share Definitions |
||
| User | Retrieve a list of all users or a single user's details. | |
| Update: - user details - user email |
||
| Create new user. | ||
| Change a user's ban status. | ||
| Resend and invitation email to an inactive user. | ||
| View the last login and the email address of users. | ||
| Details | Allows access to the data analytics instances of your organization unit. | |
| Admin | Org Unit | Create and change the OEM external key (only as admin of the parent organization) |
| User | Create new user. | |
| Assign user roles. | ||
| Change a user's ban status. | ||
| Resend and invitation email to an inactive user. | ||
| View the last login and the email address of users. | ||
| Dashboard | Create Edit and Delete sets of metrics used in efficiency definitions. |
Realtime Subject¶
The Realtime Permission Set controls access to real-time related functionality, pages, and device behavior and allows users to change settings for the CANlink® mobile 3600.
| Level | Description |
|---|---|
| View | Grants read-only access to protected real-time data. |
| Allows to view real-time events on the Events page. | |
| Allows to view real-time related information on the Diagnostics page. | |
| Grants read-only access to the Remote Machine Tunnel feature. | |
| Admin | Provides full control over real-time functionality, e.g. endpoint management for the Remote Machine Tunnel . |
| Can switch the CANlink® mobile 3600 to Realtime/Logging. |
Report Subject¶
The Report Permission Set is used for Reports.
| Level | Description |
|---|---|
| View | Enables user to view report pages. |
| Maintain | - |
| Admin | - |
Tenant Subject¶
The Tenant Permission Set allows users to edit subjects on the tenant level.
| Level | Description |
|---|---|
| View | - |
| Maintain | - |
| Admin | Can Configure the DataPortal Imprint document. Can upload legal documents (Privacy Policy and EUA) in different languages. |
Theme Subject¶
The Theme Permission Set allows users to edit and manage themes for their organization.
| Level | Description |
|---|---|
| None | The user is not allowed to manage the theme. |
| Admin | Allows to edit and manage themes. |
GeoArea Subject¶
The Geo Area permission allows users to manage Geo Areas.
There is no distinction between the levels. One Permission Set allows to create, modify, delete geographical areas bound to organizations.
AEMP Subject¶
Note
The AEMP Export API is a read-only (unidirectional) interface and thus only the view level is applicable.
The AEMP permission set allows users to access the DataPlatform via the AEMP API interface by using API clients
AEMP permission is by default set to none for new accounts and can be enabled via the DataPortal
For more information about accessing the AEMP interface, read Access AEMP Service.
| Level | Description |
|---|---|
| None | The user is not allowed to use AEMP export/import service. |
| View | Allows access to the DataPlatform via the AEMP API interface. |
Machine Subject¶
The Machine permission set allows users to configure and manage machines.
| Level | Description |
|---|---|
| View | Enables user to view machine data. |
| Allows activating GeoLeash on this machine. | |
| Allows deactivating GeoLeash on this machine. | |
| Allows access to GeoLeash configuration and history for this machine. | |
| Allows configuring Timefence. | |
| Allows changing the: - machine name - GeoLeash length configuration for this machine |
|
| Maintain | Allows assigning a model to a machine. |
| Allows switching CU's communication mode between logging and realtime. | |
| Allows starting a realtime diagnosis session for the current user on this machine. | |
| Allows starting a realtime diagnosis session for the current user. | |
| Admin | Provisioning |
| Enables user to transfer files to and from the machine via browser including viewing history. | |
| Allows: | |
| - modify machine serial number | |
| - modify machine PIN (Product Identification Number) | |
| - modify machine VIN (Vehicle Identification Number) | |
| - view PDCs | |
| - assign a PDC to a machine | |
| - view configurations and bundles | |
| - view current and historical COTA requests of a machine | |
| - create a COTA request for a machine | |
| - view current and historical FOTA requests of a machine | |
| - create a FOTA request for a machine |
Model Subject¶
The Model permission set allows users to configure and manage the machine models.
| Level | Description |
|---|---|
| View | Enables user to view machine model data. |
| Maintain | Allows changing the: |
| - model name |
|
| - model description | |
| - model image file | |
| - model data configuration (PDC) | |
| Allows overriding the data configuration (PDC) assigned to machines at model level by assigning a data configuration to a specific machine. |
|
| Allows the assignment of Asset Types. | |
| Admin | Allows create/update: |
| - a new model | |
| - a threshold for a signal | |
| - a new Asset Types (only as OEM organization unit) | |
| Allows deleting: - a model - a threshold for a signal - an Asset Types (only as OEM organization unit) Allows management of PDC files: - view PDCs - upload - download - assign to a model - assign to a machine Allows management of COTA and FOTA - view configurations and bundles - create configurations and bundles - download configuration files - view current and historical COTA requests of a machine - create a COTA request for a machine - view current and historical FOTA requests of a machine - create a FOTA request for a machine |
Note
Models assigned to the parent organization of a machines org unit are visible to the machine owner.