This page explains how permissions work inside an instance. For DBM administration permissions, see Admin Permissions.
Permissions use bitmasks. Three possible states per scope:
| Value | Meaning |
|---|---|
| null | No access at all — entity is invisible |
| 0 | Base access — can see the entity (no special rights) |
| > 0 | Specific permission bits enabled |
Permissions are evaluated top-down. Each level adds to the previous:
Instance → Project → Object Structure (OT) → Object
User permission sources per level:
| Level | Sources |
|---|---|
| Instance | Sum of role permissions + instance default user permissions |
| Project | Role permissions on project + project default user permissions. If ALL_PROJECTS_ACCESS: also instance permissions |
| OT | Role permissions on OT + project permissions |
| Object | Role permissions on object + OT permissions (unless private without PRIVATE_OBJECTS_ENTRUSTED) |
Device permission sources per level:
| Level | Sources |
|---|---|
| Instance | Devices are always inside — no instance check |
| Project | Role permissions on project + project default device permissions |
| OT | Role permissions on OT + project permissions |
| Object | Role permissions on object + OT permissions (unless private) |
UserInstancePermissions extends all project permissions plus:
| Permission | Effect |
|---|---|
| ALL_PROJECTS_ACCESS | Base access to every project; instance permissions cascade into project authorization |
| GROUP_ORGANIZER | Can create groups |
User permissions (UserProjectPermissions):
| Permission | Effect |
|---|---|
| OBJECT_MANAGER | Create/edit/delete objects, truncate/change data table, access private objects |
| DATA_ANALYST | Read data |
| DATA_SOURCE | Insert data (and read last value) |
| DATA_MANAGER | Edit/delete data (and read last value) |
| ARCHITECT | Create/edit/delete OT/DT structures |
| ROLE_MODERATOR | Manage role permissions, invite users, manage default permissions |
| ADMIN | Manage projects, see history/details/deleted entities |
Device permissions (IndividualProjectPermissions):
Same data/object bits as users (OBJECT_MANAGER through DATA_MANAGER), plus:
| Permission | Effect |
|---|---|
| PRIVATE_OBJECTS_ENTRUSTED | Access all private objects with inherited permissions |
Both users and devices use IndividualTablePermissions:
| Permission | Effect |
|---|---|
| OBJECT_MANAGER | Manage objects in this OT/object |
| DATA_ANALYST | Read data from this OT/object |
| DATA_SOURCE | Insert data into this OT/object |
| DATA_MANAGER | Edit/delete data in this OT/object |
Effective permissions on an object depend on whether it is private:
| Situation | Effective permissions |
|---|---|
| Object is not private | Object role perms + OT perms + project perms |
| Object is private + user has PRIVATE_OBJECTS_ENTRUSTED | Object role perms + OT perms + project perms |
| Object is private + no entrust | Object role perms only |
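The cascade tables and the private-object rule above, as an added example (not the platform's own code): it walks Instance → Project → OT → Object with the three-state masks (null / 0 / bits), applies ALL_PROJECTS_ACCESS inheritance, and drops inheritance for private objects unless PRIVATE_OBJECTS_ENTRUSTED is held. Bit positions are assumed; the page gives only the permission names.

```python
from typing import Optional

# Assumed bit values: the page names the permissions but not their positions.
OBJECT_MANAGER = 1 << 0
DATA_ANALYST = 1 << 1
DATA_SOURCE = 1 << 2
DATA_MANAGER = 1 << 3
PRIVATE_OBJECTS_ENTRUSTED = 1 << 4
ALL_PROJECTS_ACCESS = 1 << 5

Mask = Optional[int]  # None: invisible, 0: base access only, >0: bits enabled


def combine(*masks: Mask) -> Mask:
    """Sum of several sources at one level: invisible only if every source is
    None, otherwise the OR of all bits that are present (0 keeps base access)."""
    present = [m for m in masks if m is not None]
    if not present:
        return None
    result = 0
    for m in present:
        result |= m
    return result


def effective(role_instance: Mask, default_instance: Mask,
              role_project: Mask, default_project: Mask,
              role_ot: Mask, role_object: Mask,
              object_private: bool = False) -> dict:
    """Evaluate one user's effective mask at each level, top-down."""
    instance = combine(role_instance, default_instance)
    # Instance bits flow into the project only with ALL_PROJECTS_ACCESS.
    inherited = instance if instance and instance & ALL_PROJECTS_ACCESS else None
    project = combine(role_project, default_project, inherited)
    # An invisible project hides its structures; otherwise OT adds to project.
    ot = None if project is None else combine(role_ot, project)
    # Private objects use object role perms only unless entrusted at project level.
    entrusted = bool(project) and bool(project & PRIVATE_OBJECTS_ENTRUSTED)
    if object_private and not entrusted:
        obj = role_object
    elif ot is None:
        obj = None
    else:
        obj = combine(role_object, ot)
    return {"instance": instance, "project": project, "ot": ot, "object": obj}
```

A useful check when auditing a role setup is that a private object stays invisible (None) to a role whose only grants come from the OT or project level.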
Roles (profiles and groups) are the carriers of permissions. Permissions are not assigned directly to users or devices — they're assigned to roles, and users/devices gain permissions through role membership.
User role permissions (UserRolePermissions):
| Permission | Effect |
|---|---|
| OWNER | Edit and delete the role |
| USER_MODERATOR | Invite/remove users, manage their permissions (not owner's unless also owner) |
| DEVICE_MODERATOR | Create/add/remove devices and their permissions |
| DEVICE_DESIGNER | Configure devices |
Device role permissions (DeviceRolePermissions) are inverse — they describe what the role can do to the device:
| Permission | Effect |
|---|---|
| IS_OWNED | Device can be deleted by the group |
| IS_CONFIGURED | Device can be configured; API keys visible |
| IS_MODERATED | Device can be added to another group |
Effective user-device interaction depends on both sets:
| Role has | Effect on device |
|---|---|
| DEVICE_MODERATOR + DEVICE_DESIGNER | Full device control |
| DEVICE_MODERATOR only | No IS_CONFIGURED |
| DEVICE_DESIGNER only | No IS_OWNED, no IS_MODERATED |

Every instance and project defines default permissions separately for users and devices. These are added to everyone's effective permissions at that scope. Use them to set a baseline (e.g., all users get DATA_ANALYST on a project by default).
Templates have per-project permissions:
| Permission | Effect |
|---|---|
| MANAGABLE | Template can be used/edited by project ARCHITECT |
| ADMINISTRABLE | Template is visible to project ADMIN (even when deleted) |
Summary by scope:
| Scope | User permissions set | Device permissions set | Notes |
|---|---|---|---|
| Instance | UserInstancePermissions + user governance extension (UserProjectPermissions) | N/A for instance-only bits | Devices are evaluated mainly from project and below. |
| Project | UserProjectPermissions + inherited table/data bits | IndividualProjectPermissions (inherits table/data bits) | This is where device project rights are assigned. |
| Object structure (OT) | table/data operational permissions | table/data operational permissions | Per-structure role grants refine project-level rights; OT permissions are combined with project permissions. |
| Object (O) | table/data operational permissions | table/data operational permissions | Object inherits OT/project rights; for private objects without PRIVATE_OBJECTS_ENTRUSTED, only object-level explicit rights are used. |