Internet of Things Integration Platform
Remote Monitoring, M2M and Device Management Software Platform
AggreGate Platform

Secure Multi-Tenant and Multi-User Environment

Large AggreGate installations are operated by many people, including system administrators, operators, analysts digging through data and preparing reports, company executives, etc. In such a complex environment it's extremely important to ensure security and restrict access to important data.

AggreGate Server may have an unlimited number of user accounts. System resources are usually owned by the user who creates them. User permissions are configured by editing a permissions table defining the user's access level to each of system resources. This lets administrators implement complex security schemes which actually reflect the user's role in the organization. Some examples:

  • Allowing one users to access/view/modify devices and resources (alerts, reports...) that belong to another user, i.e. resource sharing.
  • Allowing one user (team leader) to modify permissions of some other users (team members).
  • Restricting the user's access to his own devices and resources, e.g. enabling read-only access to devices or reports.
  • Temporarily suspending the user's account by revoking all permissions.

Every record of permissions table may define user's access level for one resource, a group of resources or even a subtree of dependent resources.

Configurable user permissions also make operators' life simpler by allowing them to view only resources that are relevant to their job. For example, the following permission schema is often used for Time and Attendance control system:

  • System administrator has full permissions.
  • Company executives have access to reports.
  • HR staff may view/configure employee profiles and custom shifts.
  • Security personnel are allowed to view real-time entry/exit events and event history.
  • IT engineers may edit report templates, create new reports, browse event history and modify employee database.

Every user account has a set of preferences, such as time zone, date/time format and preferred language.

Normal and Role-based Users

A user account can either match a single physical person (e.g. John Doe or Mary Shelley) or a certain role of system operators (e.g. "Log-Angeles Zone Operator", "Report Designer" or "Network Engineer"). Physical person accounts can either have own permission tables or inherit permissions from role-based accounts.

External User Authentication via Active Directory or LDAP

Large AggreGate installations are operated by hundreds of individuals, each of them inheriting one of many roles. Creating and maintaining individual user accounts for them all is too laborious. However, it's possible to authenticate users through an LDAP server (such as Microsoft Active Directory), while authorization (assigning of user permissions) will use role-based AggreGate Server user accounts.

User Self-Registration

User self-registration is very helpful during the first stages of system deployment. System users may create their own accounts and provide some personal information (name, e-mail, company/department, phone no., etc). Once registered, they get their own login/password pair.

Self-registration can save lots of time for an administrator during initial deployment. When the system installation is over and production use starts, self-registration should be disabled for the sake of security.