Policies, Roles, and Permissions¶
A policy is a collection of permissions to the resources in EnOS (such as services, functions, and data). You can assign the access policies to a user, a user group, or an application to manage their access to the resources in EnOS. A policy takes effect only when assigned to a user, user group, or application. You can assign different policies to a user or a user group based on the granularity of authorization supported by EnOS.
- EnOS services and tools: support menu-level authorization.
- Assets and data: support access to all assets within an OU.
The access policies in IAM are classified into two types: built-in policies and custom policies.
Built-in Policies¶
Built-in policies, which cannot be edited or deleted, refer to a collection of the access policies that are pre-defined for typical user roles in the EnOS. For example, any user that is assigned with the “Model Administrator” role owns the write and read permissions to create, delete, edit, import, export, view, and instantiate the models under the OU.
The following built-in policies are available in EnOS.
| Role | Permissions |
|---|---|
| Administrator | Owns the permissions to access and manage all the resources in the OU. |
| EAP Project Staff | Owns the read, write, and delete permissions for private model hub, including model deploy and monitor, and read and write permissions for public model hub and model version in MI Hub. |
| EAP Customer | Owns the read permission for both private and public model hubs in MI Hub, including model version, deploy, and monitor. |
| EAP Admin | Owns the read, write, and delete permissions for private and public model hubs in MI Hub, including model version, deploy, and monitor. |
| EAP Developer | Owns the read, write, and delete permissions for private model hub, including model version, deploy, and monitor, and read and write permissions for public model hub in MI Hub. |
| Resource Manager | Owns the permissions to allocate and manage computing and storage resources in the OU. |
| Asset Tree Administrator | Owns the write and read permissions to create, delete, edit, and view the asset trees in the OU. Users include system admins, asset admins, and asset implementation personnel. |
| Model Administrator | Owns the write and read permissions to create, delete, edit, import, export, view, and instantiate the models in the OU. Users include system admins, industry experts responsible for model management, O&M personnel responsible for model deployment, etc. |
| Device Management Administrator | Owns the read and write permissions to create, delete, edit, and view device access configurations under the OU. Users include system administrators, asset administrators, asset implementation personnel, etc. |
| Security Auditor | Owns the permissions to view all the security settings and audit logs in the OU. |
Custom Policies¶
Custom policies refer to the access polices customized as per the needs of users and service accounts for accessing EnOS services. For example, a user that only needs to query the models may be assigned with the “read-only” permission for “Model Management Services”.
EnOS now supports the custom access permissions to the following services.
| Service Name | Resources | Permission |
|---|---|---|
| Asset | Access configurations |
|
| Asset Tree Management | Asset trees in the EnOS Management Console |
|
| Model Management | Models |
|
| Device Management | Access configurations |
|
| Resource Management | Resource management in the EnOS Management Console | Full Access: Allocate and manage all permissions for computing resources and storage resources in the OU. |
| AI Asset Management | MI Hub model management in the EnOS Management Console |
|