Formant IAM is based on a hybrid ABAC-RBAC identity and access management solution. This solution provides the capability to enforce rules based on group or individual profiles and business environment parameters.
Role-based access control (RBAC) is an access control mechanism defined around roles and privileges. Roles define access policies -- authority to access specific Formant resources. Users who perform the same function for an organization are placed into groups by an administrator. Groups are then given one or more roles.
Attributes-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In Formant, these attributes are called tags -- which is a key:value pair. Using ABAC, the access can be further scoped down for a group of users or individual users to a subset of entities within the resource.
The five core pillars of Formant IAM are explained below:
Resources are pre-defined Formant features or capabilities exposed to the user. A few examples of resources are user, devices, Views, Commands etc. For a full list of the resources that can be accessed, see the resources section.
A role is a collection of permissions. Roles can be applied to groups or to individual users. Only a single role can be assigned to users or teams. Your organization in Formant comes with the following built-in roles:
Organization administrator is an administrator of all resources. The first user is, by default, an organization administrator. There needs to be at least one organization administrator per organization.
Viewers are allowed to view all resources within the organization. They are allowed to view telemetry data, and events. This role is typically used for high-level users such as customers.
In addition to viewing all resources Operators are allowed to send commands and teleoperate devices
For a full list of the resources that can be accessed by each role, see the resources section.
Users are individual accounts for users of Formant. All users have to have a role, but users need not be part of a team. There are two types of user accounts.
- Regular user accounts: These are named user accounts that represent a human being.
- Service user accounts: These are accounts that represent non-human that needs to be authenticated and authorized to access Formant APIs.
Teams are a collection of users who perform a similar task. For example, a team of tech service representatives might be put in a "Tech Services" team.
Users in a team can only have one role. If a user with a different role is assigned to a team, the user will be assigned the role inherited through the Team.
Just like an individual user, a Team's access can be further scoped down by limiting access to a set of resources, instead of all the resources within Formant. For example, a team can be limited to being an administrator of a subset of devices instead of all devices within Formant. This is achieved through tags, see the tag-based access control section for learning more about this advanced setting.
User's access to a resource can be further scoped down to subset of entities within that resource (e.g. specific devices or specific Views etc) instead of all the entities within that resource. For example, a user can be limited to being an administrator of a subset of devices instead of all devices. This is achieved through tags, see the scoping down access section for learning more about this advanced setting.
Updated about 1 month ago