Security

The ClearBlade Platform has multiple levels of Accounts with each level having different scopes:

2 types of accounts fall under System Level Accounts:

The user or device can have the following CRUD access capabilities:

  • Code
  • Collections
  • Adapters
  • Portals
  • Roles
  • Users
  • Devices
  • Edges
  • Message

User Account

Scope: System Level

An account for a person, requiring and using an e-mail account as the primary method of identification. A user in a system has system-level access. The user or device can have the following capabilities:

  • CRUD Access for Code, Collections, Adapters, Portals, Roles, Users, Devices, Edges, Message

User Authentication

The following are required for a User to authenticate:

| Key | Value | Example |
| --- | --- | --- |
| Username | E-mail of user | example@clearblade.com |
| Password | Password | SX93f7f+ |
| System Key | Unique autogenerated key for your system | bd97e7a40bdcc597baf6adfc867e |
| System Secret | Secret value for your IoT System | BD97E7A40BC0B587BCAFFFA9A005 |

Device Account

Scope: System Level

An account for a machine, enabling M2M (machine-to-machine) communication. In place of an e-mail account, a device has a device name that is unique within a given System.

Device Authentication

The following are required for a Device to authenticate:

| Key | Value | Example |
| --- | --- | --- |
| Device Name | E-mail of user | example@clearblade.com |
| Device Key | Single Key, Rotating Key, or Certificate | k9IOtxWPEWVOyJ+rt1jvNYDg |
| System Key | Unique autogenerated key for your system | bd97e7a40bdcc597baf6adfc867e |
| System Secret | Secret value for your IoT System | BD97E7A40BC0B587BCAFFFA9A005 |

Service Account

A Service Account is a dedicated account with unique token attributes. The token is autogenerated by a developer, and the token has a custom time-to-live, set to infinite by default. This allows an adapter, a program, or an integration to connect with an appropriate token lifecycle. Both User and Device accounts can be configured as service accounts.

Mark the Service Account? box when adding or editing a user or device to create the service account. The token should appear in the user or device grid.

System Level Authentication

Authentication is built upon an OAuth 2 model. Upon providing user or device credentials, a token is generated for use with subsequent requests.

Protocols

Authentication is available via

System Level Credentials

The ClearBlade Platform is multi-tenanted, meaning that more than one IoT System runs in a given platform. As a result, all authentication requires:

| Key | Value | Example |
| --- | --- | --- |
| System Key | Unique autogenerated key for your system | bd97e7a40bdcc597baf6adfc867e |
| System Secret | Secret value for your IoT System | BD97E7A40BC0B587BCAFFFA9A005 |

Authentication Override

To support integrations with a pre-existing identity management system, Authentication Override allows custom logic to define whether or not a user should be granted an OAuth token.

System Level Authorization

Role-based authorization is available for all user and device accounts. Permissions are applied to roles, rather than directly to a user or device. Each user and device can have multiple roles.

Roles

A developer assigns permissions to a role for each of the following assets:

  • Code
  • Collections
  • Adapters
  • Portals
  • Roles
  • Users
  • Devices
  • Edges
  • Messages

Each role has CRUD permissions for these assets.

For example, an Administrator role may have CRUD access to a code service called ‘EnablePremiumFeatures’ that is not accessible by an Authenticated user.

A developer can create any number of custom roles.

Note: If there is a problem accessing certain assets or performing functions, make sure the role has permissions.

Default Roles

There are three default roles that have special permissions:

| Role | Behavior |
| --- | --- |
| Authenticated | All new users and devices are auto-assigned this role |
| Anonymous | All anonymous users are auto-assigned this role |
| Administrator | No one is auto-assigned. Empty role ready to customize |
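The role model described above, as an added example that is not ClearBlade code: permissions attach only to roles, an account may hold several roles, and the default roles apply automatically. The role table, asset names other than ‘EnablePremiumFeatures’, the helper names, and the rule that an account's rights are the union of its roles' grants are all assumptions made for illustration.

```python
from enum import IntFlag

class Crud(IntFlag):
    NONE = 0
    CREATE = 1
    READ = 2
    UPDATE = 4
    DELETE = 8
    ALL = 15

# Constructed role table: role -> {(asset type, asset name): granted CRUD bits}.
ROLES = {
    "Anonymous": {("Portals", "PublicDashboard"): Crud.READ,
                  ("Collections", "Telemetry"): Crud.READ | Crud.CREATE},
    "Authenticated": {("Collections", "Telemetry"): Crud.READ},
    "Administrator": {("Code", "EnablePremiumFeatures"): Crud.ALL},
}

def roles_for(account):
    """Default roles: no account means Anonymous; every user or device
    carries Authenticated plus any roles a developer assigned."""
    if account is None:
        return {"Anonymous"}
    return {"Authenticated"} | set(account.get("roles", ()))

def effective(account, asset):
    """Assumption: rights are the union of the grants of all held roles.
    Permissions come only from roles, never from the account itself."""
    perms = Crud.NONE
    for role in roles_for(account):
        perms |= ROLES.get(role, {}).get(asset, Crud.NONE)
    return perms

def is_allowed(account, asset, action):
    return bool(effective(account, asset) & action)

def audit_anonymous(roles=ROLES):
    """Assets an unauthenticated caller can create, update or delete."""
    write = Crud.CREATE | Crud.UPDATE | Crud.DELETE
    return sorted(a for a, p in roles.get("Anonymous", {}).items() if p & write)

if __name__ == "__main__":
    admin = {"name": "ops@example.com", "roles": ["Administrator"]}
    premium = ("Code", "EnablePremiumFeatures")
    print(is_allowed(admin, premium, Crud.UPDATE))          # Administrator role grants it
    print(is_allowed({"roles": []}, premium, Crud.READ))    # Authenticated alone does not
    print(audit_anonymous())                                # anonymous write exposure
```

Running `audit_anonymous` over an exported role table is a quick review step: any asset it returns is writable without credentials.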

Sessions

There is a log of active sessions to keep track of users and devices. Users are tracked with User ID and devices are tracked with device key. The log also includes a timestamp of when the session token is issued.

Developer Account

Scope: Developer Account

A developer-level account has one or more systems on an instance of the ClearBlade Platform. This account has the following capabilities:

  • Modify system and its assets
  • Modify list of developer collaborators who can modify system
  • Update own password
  • Create Support Tickets

Now, let's address your curiosity by answering the following:

  • How to become a developer
  • Authentication for developer

How to become a developer?

A normal developer working on https://platform.clearblade.com can create a free account by signing up, without any registration key. A ClearBlade customer working on its own instance requires the user to know the Registration Key for that instance in order to sign up and create an account.

Authentication for Developer

A user can be authenticated as a developer by

  • Logging into the web console, such as platform.clearblade.com.
  • Using the REST API

Admin Account

Scope: Instance Level

A developer account can be granted admin-level access, with the following additional capabilities on top of those of a Developer Account:

  • Add/Remove developers for a system
  • Update a developer's password
  • Update Owner of a System
  • Enable/Disable a System
  • Access to a system’s analytics
  • Update the license key of the instance
  • Update Admin Account for an instance

Now, let's address your curiosity by answering the following:

  • How to become an Admin?
  • Authentication for Admin

How to become an Admin?

A developer working on https://platform.clearblade.com cannot get admin-level access. However, a ClearBlade customer can ask the support desk for admin-level access to their respective instance. Also, if an admin already exists for that instance, that admin can grant any developer admin-level access.

Authentication for Admin

Authentication is the same as for a Developer Account.

FAQ

  • How do I add a developer to a system?

    1. Click on “Info” in the side navigation
    2. Choose “System Settings”
    3. Click the “Access” Tab
    4. Click the “+” icon next to “Developers”
    5. Type in the developer's valid email
    6. Click “Update”
  • Can users manage the roles and change passwords of other users?

Yes - in version 8.0.0 and newer. Users with a role configuration which includes User Management Permissions can perform this task.