Skip to content

Best practices

General

The following page describes the necessary steps for typical customer scenarios from an Identity and Access Management (IAM) perspective. This description applies to the Industrial Edge Management (IEM) product in its various offerings, unless explicitly limited in a chapter:

  • IEM Pro

Prerequisites for the initial steps are a properly set up IEM environment and a user with the following roles:

  • ie-management.Admin
  • realm-management.realm-admin

NOTICE

The initial mandatory user includes both roles.

The described procedures assume the following knowledge:

IAM:

  • Create custom roles
  • Add client-specific roles to user groups
  • Add users to groups
  • Add identity providers
  • Create mappers for identity providers

IEM:

  • Create device groups
  • Add devices to groups

Scenario 1: Central group for operating IEM and device administration

Overview

A central user group called iem-admins serves as the operator for IEM and device administration.

Users in the iem-admins group can, for example:

  • manage users
  • administer IEM system
  • create devices
  • organize devices in groups
  • manage existing devices, such as performing firmware updates
graph LR
    subgraph Keycloak
        subgraph groups
            A[iem-admins]
        end
    end

Procedure

To create such a group, follow these steps:

  1. Navigate to “Identity & Access Management”.
  2. Open the “Groups” menu.
  3. Click the “Create group” button.
  4. Choose a name, e.g iem-admins for the group and click “Create”.
  5. Click on the name of the group.
  6. Switch to the “Role mapping” tab.
  7. Click “Assign role”.
  8. Change the filter to “Filter by clients”.

  9. Select the following roles:

    • ie-management.Admin
    • realm-management.realm-admin

  10. Click "Assign"

  11. Switch to the "Members" tab.
  12. Click "Add member".
  13. Select / Deselect desired users
  14. Click "Add"

Scenario 2: Locations / production lines granular device access

Overview

Ensure that you have properly set up the IEM environment and a user with the following roles:

  • ie-management.Admin
  • realm-management.realm-admin

This scenario includes a central group called iem-admins for iem administration and two production lines.

Users in the iem-admins group can, for example:

  • delegate device administration by organizing devices into production line specific groups

Each production line has its own group of device administrators. The groups are called line1-device-admins and line2-device-admins.

Users in the device administrator groups can perform the following actions on the devices in their production line, for example:

  • update firmware
  • install, configure, update, and delete apps
    flowchart LR
        subgraph Keycloak
            subgraph groups
                A[iem-admins]
                B[line1-device-admins]
                C[line2-device-admins]
            end
        end

Procedure

Set up the central IT as described in Scenario 1

Granular device access for locations/production lines requires the following steps:

IEM

  1. Navigate to “Edge Management” and open "Group management" menu

  2. Create a device group:

    • Choose a unique name for the group (to identify the corresponding role in IAM), for example "line1-devices".
    • Click “Ok”.

  3. Add the edge devices of the production line to that group.

IAM

  1. Navigate to “Identity & Access Management”.
  2. Create a custom access role for each production line, for example "line1-devices-admin-access"
  3. Create a group for each production line, for example "line1-device-admins"

  4. Assign the following roles to each group:

    • ie-management.User
    • the role created in step 2, for example "line1-devices-admin-access"

  5. Add or remove users from these groups as needed.

With Identity Provider

    graph LR
        subgraph Keycloak
            subgraph roles
                r1[ie-management.Admin \n realm-management.realm-admin]
                r4[ie-management.User \n ie-management.line1-devices-admin-access]
                r5[ie-management.User \n ie-management.line1-devices-admin-access]
            end
            subgraph groups[groups]
                A[iem-admins]
                B[line1-device-admins]
                C[line2-device-admins]
            end
        end

        subgraph IdP["Identity Provider"]
            D[Central IT group </br> id=1234]
            E[Maintenance Line1 </br> id=5678]
            F[Maintenance Line2 </br> id=9012]
        end

        subgraph user[Users]
        end

        A -->|includes| r1
        B -->|includes| r4
        C -->|includes| r5
        D -->|maps to| A
        E -->|maps to| B
        F -->|maps to| C
        user -->|assigned to| IdP

Create a mapper for a specific identity provider:

  1. Open the "Identity providers" menu.
  2. Click on the specific identity provider.
  3. Switch to the "Mappers" tab.

  4. Click "Add mapper":

    • Choose a name for the mapper.
    • Choose the appropriate sync mode: overwrite.
    • Use "Advanced claim to group" as mapper type.
    • Add all necessary claims and values of the external identity provider.
    • Select 'name' as group.
    • Click "Save".

Now, authorized users can manage group membership in the external identity provider.