| Entity | Scope | Description |
|---|---|---|
| Global user | Application-wide | Created by authentication (Credentials / OAuth / Shibboleth) in DBM |
| Cached user | Instance | Mirror of a global user inside an instance. Has instance-level permissions |
| Device | Instance | Automation agent created by users. Avoids sharing personal API keys |
| Individual | Instance | Common abstraction over cached users and devices. API keys and audit records reference an individual, not a user or device directly |
Every cached user and every device has an individual record. Most instance-level records store the author as an individual (not user or device directly).
Permissions are assigned to roles, not directly to individuals.
| Role type | Description |
|---|---|
| Profile | Every user automatically has a personal profile role |
| Group | Created by users (GROUP_ORGANIZER required). Used for shared access and device ownership |
Roles receive permissions on: projects, object structures, and objects.
Both users and devices can be members of roles, but with different permission sets.
User role permissions (what a member holding the permission may do within the role):

| Permission | Effect |
|---|---|
| OWNER | Edit and delete the role |
| USER_MODERATOR | Invite/remove users and manage their permissions (not the owner's, unless also an owner) |
| DEVICE_MODERATOR | Create/add/remove devices and manage their permissions |
| DEVICE_DESIGNER | Configure devices in the role |
Device role permissions are the inverse: they define what the role (group) may do to the device:

| Permission | Effect |
|---|---|
| IS_OWNED | The group can delete the device |
| IS_CONFIGURED | The group can configure the device and see its API keys |
| IS_MODERATED | The group can add the device to another group |
Groups are the primary way to share access across multiple users and devices.
Devices receive ARCHITECT on their assigned projects; see Devices for details.
API keys are issued per individual, so both users and devices can hold them, for JSON-RPC and other APIs.
Each key can optionally be restricted to a subset of the individual's permissions; a key can never grant more than its owner holds. This is useful for limited-scope automation scripts.
See Permissions for the full authorization model.
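The following is an added illustration, not the project's own code, of the resolution rules stated above: permissions live on roles (profile and group), an individual inherits the union of its roles' grants, a group can only be created by a user holding GROUP_ORGANIZER, and an API key's effective permissions are its owner's permissions intersected with the key's optional allow-list, so a key can never escalate. Permission names such as READ, WRITE and the project/object identifiers are illustrative assumptions; ARCHITECT and GROUP_ORGANIZER are taken from the page. Audit entries record the individual id, as the page describes.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# (scope kind, target id, permission name), e.g. ("project", "p1", "ARCHITECT")
Permission = Tuple[str, str, str]


@dataclass
class Individual:
    id: str
    kind: str                                            # "user" or "device"
    instance_perms: Set[str] = field(default_factory=set)  # e.g. GROUP_ORGANIZER


@dataclass
class Role:
    name: str
    kind: str                                            # "profile" or "group"
    members: Set[str] = field(default_factory=set)       # individual ids
    grants: Set[Permission] = field(default_factory=set)


@dataclass
class ApiKey:
    key_id: str
    individual: str
    # None = the owner's full set; otherwise an allow-list intersected with it.
    allowed: Optional[FrozenSet[Permission]] = None


class AuthzModel:
    def __init__(self) -> None:
        self.individuals: Dict[str, Individual] = {}
        self.roles: Dict[str, Role] = {}
        self.keys: Dict[str, ApiKey] = {}
        self.audit: List[Tuple[str, str, Permission, bool]] = []  # (individual, key, perm, ok)

    def add_individual(self, ind: Individual) -> Role:
        """Register an individual; every individual gets a personal profile role."""
        self.individuals[ind.id] = ind
        profile = Role(name=f"profile:{ind.id}", kind="profile", members={ind.id})
        self.roles[profile.name] = profile
        return profile

    def create_group(self, name: str, creator: str) -> Role:
        """Only users (not devices) holding GROUP_ORGANIZER may create groups."""
        ind = self.individuals[creator]
        if ind.kind != "user" or "GROUP_ORGANIZER" not in ind.instance_perms:
            raise PermissionError(f"{creator} may not create groups")
        group = Role(name=name, kind="group", members={creator})
        self.roles[name] = group
        return group

    def effective_permissions(self, individual_id: str) -> Set[Permission]:
        """Union of grants of every role the individual is a member of."""
        perms: Set[Permission] = set()
        for role in self.roles.values():
            if individual_id in role.members:
                perms |= role.grants
        return perms

    def issue_key(self, key_id: str, individual: str,
                  allowed: Optional[Set[Permission]] = None) -> ApiKey:
        key = ApiKey(key_id, individual, None if allowed is None else frozenset(allowed))
        self.keys[key_id] = key
        return key

    def permissions_for_key(self, key_id: str) -> Set[Permission]:
        """Key scope = owner's permissions, narrowed (never widened) by the allow-list."""
        key = self.keys[key_id]
        full = self.effective_permissions(key.individual)
        return full if key.allowed is None else full & key.allowed

    def authorize(self, key_id: str, perm: Permission) -> bool:
        key = self.keys[key_id]
        ok = perm in self.permissions_for_key(key_id)
        self.audit.append((key.individual, key_id, perm, ok))  # author = individual
        return ok


def device_cannot_create_group() -> bool:
    """A device is refused even if someone handed it GROUP_ORGANIZER."""
    m = AuthzModel()
    m.add_individual(Individual("d1", "device", {"GROUP_ORGANIZER"}))
    try:
        m.create_group("g", "d1")
    except PermissionError:
        return True
    return False


def demo() -> dict:
    # Constructed sample data: one organizer, one plain user, one device.
    m = AuthzModel()
    m.add_individual(Individual("alice", "user", {"GROUP_ORGANIZER"}))
    bob_profile = m.add_individual(Individual("bob", "user"))
    m.add_individual(Individual("sensor-7", "device"))

    team = m.create_group("team-a", "alice")
    team.grants |= {("project", "p1", "ARCHITECT"), ("project", "p1", "READ")}
    team.members |= {"bob", "sensor-7"}
    bob_profile.grants.add(("object", "o42", "WRITE"))   # only via bob's profile role

    m.issue_key("k-bob-full", "bob")
    # Restricted key: allow-list names READ on p1 and ADMIN on p9; bob lacks the latter.
    m.issue_key("k-bob-ro", "bob", {("project", "p1", "READ"), ("project", "p9", "ADMIN")})
    m.issue_key("k-dev", "sensor-7")

    return {
        "bob_full": m.permissions_for_key("k-bob-full"),
        "bob_ro": m.permissions_for_key("k-bob-ro"),
        "ro_escalates": m.authorize("k-bob-ro", ("project", "p9", "ADMIN")),
        "ro_read": m.authorize("k-bob-ro", ("project", "p1", "READ")),
        "ro_write_obj": m.authorize("k-bob-ro", ("object", "o42", "WRITE")),
        "device_arch": m.authorize("k-dev", ("project", "p1", "ARCHITECT")),
        "audit_individuals": [e[0] for e in m.audit],
    }
```

The point to check when implementing such a scheme is in `permissions_for_key`: the allow-list is intersected with the owner's live permissions at request time, so revoking a role membership immediately shrinks every key the individual holds, and an allow-list entry the owner never had is simply inert.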