
Best practices

General

The following page describes the necessary steps for typical customer scenarios from an Identity and Access Management (IAM) perspective. This description applies to the Industrial Edge Management (IEM) product in its various offerings, unless explicitly limited in the chapter:

  • IEM Pro
  • IEM Virtual
  • IEM Cloud

Prerequisites for the initial steps include a properly set up IEM environment and a user with the following roles:

  • ie-management.Admin
  • realm-management.realm-admin

NOTICE

The initial mandatory user includes both roles.

The described procedures assume the following knowledge:

IAM:

  • Creating groups
  • Adding client-specific roles to groups
  • Adding users to groups
  • Adding identity providers
  • Creating mappers for identity provider

IEM:

  • Creating device groups (“Admin groups”)
  • Adding devices to groups
  • Creating application groups (“User groups”)
  • Adding applications to groups

Scenario 1: Central group for operating IEM and device administration

Overview

A central user group called iem-admins serves as the operator for IEM and device administration.

Users of the iem-admins group can, for example:

  • manage users
  • administer IEM system
  • create devices
  • organize devices in groups
  • manage existing devices (for example, update their firmware)

graph LR
    subgraph Keycloak
        subgraph groups
            A[iem-admins]
        end
    end

Procedure

To create such a group, follow these steps:

  1. Navigate to “Identity & Access Management”.
  2. Open the “Groups” menu.
  3. Click the “Create group” button.
  4. Choose a name for the group, e.g. iem-admins, and click “Create”.
  5. Click on the name of the group.
  6. Switch to the “Role mapping” tab.
  7. Click “Assign role”.
  8. Change the filter to “Filter by clients”.
  9. Select the following roles:

    • ie-management.Admin
    • ie-management.DeviceOwner
    • realm-management.realm-admin
  10. Click “Assign”.
  11. Switch to the “Members” tab.
  12. Click “Add member”.
  13. Select or deselect the desired users.
  14. Click “Add”.

Scenario 2: Locations / production lines granular device access

Overview

Ensure that you have a properly set up IEM environment and a user with the following roles:

  • ie-management.Admin
  • ie-management.DeviceOwner
  • realm-management.realm-admin

This scenario includes a central group called iem-admins for IEM administration and two production lines.

Users of the iem-admins group can, for example:

  • delegate device administration by organizing devices into production line specific groups

Each production line has a separate group of device administrators. The groups are called line1-device-admins and line2-device-admins.

Users of the device administrator groups can, for example, perform the following actions on the devices in their production line:

  • update firmware
  • install, configure, update and delete apps

flowchart LR
    subgraph Keycloak
        subgraph groups
            A[iem-admins]
            B[line1-device-admins]
            C[line2-device-admins]
        end
    end

Procedure

Set up the central IT group as described in Scenario 1.

The granular device access for locations / production lines requires the following steps:

IEM

  1. Navigate to “Edge Management” and open “User management” (new UI) or “Groups” (old UI) -> “My Admin Groups”.
  2. Create a “My Admin Group”:

    • Choose a unique name for the group (to identify the corresponding role in IAM), for example "line1-device-admins".
    • Select the template-role “devices.co-admin”.
    • Click “Ok”.
  3. Add the edge devices of the production line to that group.

IAM

  1. Navigate to “Identity & Access Management”.
  2. Create a group for each production line, for example "line1-device-admins".
  3. Assign the following roles to each group:

    • ie-management.User
    • ie-management.iem.[iem-group-name].[group-id] (e.g. ie-management.iem.line1-device-admins.[group-id])
  4. Add or remove users from these groups as needed.

NOTICE

The [group-id] will be generated by the system and is the internal unique identifier for the device group.

With Identity Provider

graph LR
    subgraph Keycloak
        subgraph roles
            r1[ie-management.Admin \n ie-management.DeviceOwner \n realm-management.realm-admin]
            r4[ie-management.User \n ie-management.iem.line1-device-admins.34632]
            r5[ie-management.User \n ie-management.iem.line2-device-admins.79854]
        end
        subgraph groups[groups]
            A[iem-admins]
            B[line1-device-admins]
            C[line2-device-admins]
        end
    end

    subgraph IdP["Identity Provider"]
        D[Central IT group <br/> id=1234]
        E[Maintenance Line1 <br/> id=5678]
        F[Maintenance Line2 <br/> id=9012]
    end

    subgraph user[Users]
    end

    A -->|includes| r1
    B -->|includes| r4
    C -->|includes| r5
    D -->|maps to| A
    E -->|maps to| B
    F -->|maps to| C
    user -->|assigned to| IdP

Create a mapper for a specific identity provider:

  1. Open the "Identity providers" menu.
  2. Click on the specific identity provider.
  3. Switch to the "Mappers" tab.
  4. Click "Add mapper":

    • Choose a name for the mapper.
    • Choose an appropriate sync mode override.
    • Use "Advanced claim to group" as mapper type.
    • Add all necessary claims and values of the external identity provider.
    • Select the target group by name (for example, line1-device-admins).
    • Click "Save".

Now authorized users can manage the group membership in the external identity provider.
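As an added example (not part of this page or of the IEM product), a small Python audit that reads a Keycloak realm export and checks the group layout of Scenario 1 and Scenario 2 together with the "Advanced claim to group" mappers: the central group must hold all three roles, a production-line group must carry the device-group role generated for its own IEM admin group and no central role, and every mapper must point at an existing group. The export fragment is constructed, and the export layout (clientRoles map, identityProviderMappers list, mapper type id oidc-advanced-group-idp-mapper) is assumed to match Keycloak's export format.

```python
import re

# Constructed fragment in the shape of a Keycloak realm export (an assumption;
# not exported from a real IEM installation). The group ids are made up.
REALM_EXPORT = {
    "groups": [
        {"name": "iem-admins", "path": "/iem-admins", "clientRoles": {
            "ie-management": ["Admin", "DeviceOwner"], "realm-management": ["realm-admin"]}},
        {"name": "line1-device-admins", "path": "/line1-device-admins", "clientRoles": {
            "ie-management": ["User", "iem.line1-device-admins.34632"]}},
        # Deliberately wrong: central Admin role plus line1's device-group role.
        {"name": "line2-device-admins", "path": "/line2-device-admins", "clientRoles": {
            "ie-management": ["User", "Admin", "iem.line1-device-admins.34632"]}},
    ],
    "identityProviderMappers": [
        {"name": "maintenance-line1", "identityProviderMapper": "oidc-advanced-group-idp-mapper",
         "config": {"syncMode": "FORCE", "group": "/line1-device-admins"}},
        # Deliberately wrong: typo in the target group path.
        {"name": "maintenance-line2", "identityProviderMapper": "oidc-advanced-group-idp-mapper",
         "config": {"syncMode": "FORCE", "group": "/line2-device-admin"}},
    ],
}
CENTRAL = {("ie-management", "Admin"), ("ie-management", "DeviceOwner"),
           ("realm-management", "realm-admin")}
# ie-management.iem.[iem-group-name].[group-id]; the id is assumed to contain no dot.
DEVICE_ROLE = re.compile(r"^iem\.(?P<group>.+)\.(?P<id>[^.]+)$")


def audit_realm(realm):
    """Return findings where groups or mappers deviate from the Scenario 1/2 layout."""
    findings, paths = [], {g["path"] for g in realm.get("groups", [])}
    for g in realm.get("groups", []):
        name = g["name"]
        roles = {(c, r) for c, rs in g.get("clientRoles", {}).items() for r in rs}
        if name == "iem-admins":  # Scenario 1: central group needs all three roles
            findings += [f"{name}: missing {c}.{r}" for c, r in sorted(CENTRAL - roles)]
            continue
        matches = [m for c, r in roles if c == "ie-management" and (m := DEVICE_ROLE.match(r))]
        if not matches:
            continue  # no device-group role, so not a Scenario 2 group
        if roles & CENTRAL:  # a device-scoped group should not also hold central roles
            findings.append(f"{name}: also holds central admin roles")
        for m in matches:  # the role name must match the IEM admin group it was created for
            if m.group("group") != name:
                findings.append(f"{name}: device role targets {m.group('group')}")
    for mp in realm.get("identityProviderMappers", []):  # "Advanced claim to group" mappers
        target = mp.get("config", {}).get("group")
        if mp.get("identityProviderMapper") == "oidc-advanced-group-idp-mapper" and target not in paths:
            findings.append(f"mapper {mp['name']}: group {target!r} does not exist")
    return sorted(findings)
```

Run it against an export of your own realm (Realm settings -> Partial export, including groups and roles) to spot a line group that quietly accumulated central roles or a mapper whose target group was renamed.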