Roles & Permissions
Each action within the Spotflow IoT Platform requires certain permissions. The platform uses a role-based access control (RBAC) system to manage these permissions. This system determines which permissions a user has based on the roles assigned to them.
The roles are defined and assigned on the level of individual assets, such as Workspaces, Stream Groups, Streams, Egress Sinks, Service Accounts, and Fleet Configurations. Thanks to that, you can granularly control who can access each part of your system. See the Roles Reference for a list of available roles and the permissions they grant.
Assigning And Revoking Roles
To assign or revoke a user role, use the Assign Role and Revoke Role API endpoints.
The provided assetId must be a fully qualified identificator of the asset:
- Workspace:
/workspaces/{workspaceId} - Stream Group:
/workspaces/{workspaceId}/stream-groups/{streamGroupId} - Stream:
/workspaces/{workspaceId}/stream-groups/{streamGroupId}/streams/{streamId} - Egress Sinks:
/workspaces/{workspaceId}/egress-sinks/{egressSinkId} - Service Accounts:
/workspaces/{workspaceId}/service-accounts/{serviceAccountId} - Fleet Configuration:
/workspaces/{workspaceId}/fleet-configurations/{fleetConfigurationId}
Roles Reference
The following table lists all available roles and their permissions. The prefix of each role indicates the type of asset it can be assigned to.
Role
Permissions
/workspaces/ownerThe permissions of
/workspaces/contributor and the following:workspaces.egress-sinks.roles:assignworkspaces.fleet-configurations.roles:assignworkspaces.roles:assignworkspaces.service-accounts.api-keys:createworkspaces.service-accounts.api-keys:revokeworkspaces.service-accounts.api-keys:updateworkspaces.service-accounts.roles:assignworkspaces.service-accounts:createworkspaces.service-accounts:deleteworkspaces.service-accounts:updateworkspaces.stream-groups.roles:assignworkspaces.stream-groups.streams.roles:assignworkspaces.stream-groups.streams.stream-partitioning:updateworkspaces:delete/workspaces/contributorThe permissions of
/workspaces/reader and the following:workspaces.alert-notification-targets:createworkspaces.alert-notification-targets:deleteworkspaces.alert-notification-targets:updateworkspaces.alert-rules:createworkspaces.alert-rules:deleteworkspaces.alert-rules:updateworkspaces.alerts:acknowledgeworkspaces.devices.c2d-messages:sendworkspaces.devices.desired-properties:updateworkspaces.devices.http-proxy:useworkspaces.devices.tags:updateworkspaces.devices:deleteworkspaces.egress-sinks.secrets:readworkspaces.egress-sinks:createworkspaces.egress-sinks:deleteworkspaces.egress-sinks:updateworkspaces.fleet-configurations:createworkspaces.fleet-configurations:deleteworkspaces.fleet-configurations:updateworkspaces.fleet-configurations:validateworkspaces.grafana:contributeworkspaces.provisioning-operations:resolveworkspaces.provisioning-tokens:createworkspaces.provisioning-tokens:regenerateworkspaces.registration-tokens:createworkspaces.registration-tokens:revokeworkspaces.stream-groups.stream-storage.secrets:readworkspaces.stream-groups.streams.egress-routes:createworkspaces.stream-groups.streams.egress-routes:deleteworkspaces.stream-groups.streams.egress-routes:updateworkspaces.stream-groups.streams:createworkspaces.stream-groups.streams:deleteworkspaces.stream-groups.streams:updateworkspaces.stream-groups:createworkspaces.stream-groups:deleteworkspaces.stream-groups:updateworkspaces.workspace-storage.secrets:readworkspaces.workspace-storage:useworkspaces:update/workspaces/readerworkspaces.alert-notification-targets:readworkspaces.alert-rules:readworkspaces.alerts:listworkspaces.devices.desired-properties:readworkspaces.devices.reported-properties:readworkspaces.devices.tags:readworkspaces.devices:readworkspaces.egress-sinks:readworkspaces.fleet-configurations:readworkspaces.grafana:readworkspaces.provisioning-operations:readworkspaces.provisioning-tokens:readworkspaces.service-accounts:readworkspaces.stream-groups.streams:readworkspaces.stream-groups:readworkspaces:read/workspaces/data-flows-contributorworkspaces.stream-groups.stream-storage.secrets:readworkspaces.stream-groups.streams.egress-routes:createworkspaces.stream-groups.streams.egress-routes:deleteworkspaces.stream-groups.streams.egress-routes:updateworkspaces.stream-groups.streams:createworkspaces.stream-groups.streams:deleteworkspaces.stream-groups.streams:readworkspaces.stream-groups.streams:updateworkspaces.stream-groups:createworkspaces.stream-groups:deleteworkspaces.stream-groups:readworkspaces.stream-groups:updateworkspaces.workspace-storage.secrets:readworkspaces.workspace-storage:useworkspaces:read/workspaces/egress-sink-contributorworkspaces.egress-sinks.secrets:readworkspaces.egress-sinks:createworkspaces.egress-sinks:deleteworkspaces.egress-sinks:readworkspaces.egress-sinks:updateworkspaces:read/workspaces/devices-operatorworkspaces.devices.c2d-messages:sendworkspaces.devices.desired-properties:readworkspaces.devices.desired-properties:updateworkspaces.devices.http-proxy:useworkspaces.devices.reported-properties:readworkspaces.devices.tags:readworkspaces.devices.tags:updateworkspaces.devices:deleteworkspaces.devices:readworkspaces.provisioning-operations:readworkspaces.provisioning-operations:resolveworkspaces.provisioning-tokens:createworkspaces.provisioning-tokens:readworkspaces.provisioning-tokens:regenerateworkspaces.registration-tokens:createworkspaces.registration-tokens:revokeworkspaces:read/workspaces/fleet-configurations-contributorworkspaces.fleet-configurations:createworkspaces.fleet-configurations:deleteworkspaces.fleet-configurations:readworkspaces.fleet-configurations:updateworkspaces.fleet-configurations:validateworkspaces:read/workspaces/alerting-contributorworkspaces.alert-notification-targets:createworkspaces.alert-notification-targets:deleteworkspaces.alert-notification-targets:readworkspaces.alert-notification-targets:updateworkspaces.alert-rules:createworkspaces.alert-rules:deleteworkspaces.alert-rules:readworkspaces.alert-rules:updateworkspaces.alerts:acknowledgeworkspaces.alerts:listworkspaces:read/workspaces/grafana-readerworkspaces.grafana:read/workspaces/grafana-contributorThe permissions of
/workspaces/grafana-reader and the following:workspaces.grafana:contribute/workspaces/stream-partitioning-contributorworkspaces.stream-groups.streams.stream-partitioning:updateworkspaces:read/stream-groups/ownerThe permissions of
/stream-groups/contributor and the following:workspaces.stream-groups.roles:assignworkspaces.stream-groups.streams.roles:assignworkspaces.stream-groups.streams.stream-partitioning:update/stream-groups/contributorThe permissions of
/stream-groups/reader and the following:workspaces.stream-groups.stream-storage.secrets:readworkspaces.stream-groups.streams.egress-routes:createworkspaces.stream-groups.streams.egress-routes:deleteworkspaces.stream-groups.streams.egress-routes:updateworkspaces.stream-groups.streams:createworkspaces.stream-groups.streams:deleteworkspaces.stream-groups.streams:updateworkspaces.stream-groups:deleteworkspaces.stream-groups:update/stream-groups/readerworkspaces.stream-groups.streams:readworkspaces.stream-groups:readworkspaces:read/stream-groups/stream-partitioning-contributorworkspaces.stream-groups.streams.stream-partitioning:updateworkspaces.stream-groups.streams:readworkspaces.stream-groups:readworkspaces:read/streams/ownerThe permissions of
/streams/contributor and the following:workspaces.stream-groups.streams.roles:assignworkspaces.stream-groups.streams.stream-partitioning:update/streams/contributorThe permissions of
/streams/reader and the following:workspaces.stream-groups.streams.egress-routes:createworkspaces.stream-groups.streams.egress-routes:deleteworkspaces.stream-groups.streams.egress-routes:updateworkspaces.stream-groups.streams:deleteworkspaces.stream-groups.streams:update/streams/readerworkspaces.stream-groups.streams:readworkspaces.stream-groups:readworkspaces:read/streams/stream-partitioning-contributorworkspaces.stream-groups.streams.stream-partitioning:updateworkspaces.stream-groups.streams:readworkspaces.stream-groups:readworkspaces:read/egress-sinks/ownerThe permissions of
/egress-sinks/contributor and the following:workspaces.egress-sinks.roles:assign/egress-sinks/contributorThe permissions of
/egress-sinks/reader and the following:workspaces.egress-sinks.secrets:readworkspaces.egress-sinks:deleteworkspaces.egress-sinks:update/egress-sinks/readerworkspaces.egress-sinks:readworkspaces:read/service-accounts/ownerThe permissions of
/service-accounts/contributor and the following:workspaces.service-accounts.roles:assign/service-accounts/contributorThe permissions of
/service-accounts/reader and the following:workspaces.service-accounts.api-keys:createworkspaces.service-accounts.api-keys:revokeworkspaces.service-accounts.api-keys:updateworkspaces.service-accounts:deleteworkspaces.service-accounts:update/service-accounts/readerworkspaces.service-accounts:readworkspaces:read/fleet-configurations/ownerThe permissions of
/fleet-configurations/contributor and the following:workspaces.fleet-configurations.roles:assign/fleet-configurations/contributorThe permissions of
/fleet-configurations/reader and the following:workspaces.fleet-configurations:deleteworkspaces.fleet-configurations:update/fleet-configurations/readerworkspaces.fleet-configurations:readworkspaces:read