IoT Cloud distinguishes several identity layers to separate human access, automation, and role-based governance.
A global user is created by the selected authentication mechanism in DBM.
Inside each instance, logged-in users are mirrored as cached users.
A device is an automation identity created by users.
An individual is a union type: either a cached user or a device.
Roles are organizational containers used for permissions.
Roles then receive permissions on projects, object structures, and objects.
Groups are user-managed roles typically used for shared project/object access and device ownership patterns.
Users and devices create individual API keys for JSON-RPC and other API use.
Each key can be additionally restricted to a subset of the owner's permissions.
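The relationship between individuals, roles, and restricted API keys can be modeled as follows. This is an added conceptual example, not IoT Cloud code or its API: the class names, the role membership sets, the `(resource, action)` permission pairs, and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Union

# Conceptual model; class, role and permission names are hypothetical.

@dataclass(frozen=True)
class CachedUser:
    name: str

@dataclass(frozen=True)
class Device:
    name: str
    created_by: CachedUser  # devices are created by users

Individual = Union[CachedUser, Device]

@dataclass
class Role:
    name: str
    members: set = field(default_factory=set)      # Individuals
    permissions: set = field(default_factory=set)  # (resource, action) pairs

@dataclass(frozen=True)
class ApiKey:
    owner: Individual
    restrict_to: Optional[frozenset] = None  # None: key carries all owner rights

def owner_permissions(who, roles):
    """Everything the individual holds through role membership."""
    return {p for r in roles if who in r.members for p in r.permissions}

def key_permissions(key, roles):
    """Intersect with the owner's current rights: a key narrows, never widens."""
    granted = owner_permissions(key.owner, roles)
    return granted if key.restrict_to is None else granted & key.restrict_to

def is_allowed(key, roles, resource, action):
    return (resource, action) in key_permissions(key, roles)

# Constructed sample data
alice = CachedUser("alice")
sensor = Device("sensor-01", created_by=alice)
group = Role("line-3-group", {alice, sensor},
             {("project:line-3", "read"), ("project:line-3", "write")})
ingest_key = ApiKey(sensor, frozenset({("project:line-3", "write")}))
wide_key = ApiKey(sensor, frozenset({("project:line-3", "write"),
                                     ("project:other", "read")}))
```

In this model `wide_key` lists a permission its owner does not hold, and the intersection drops it, so a restriction list can never grant more than the owner has.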
Typical setup:
Instance-level user capabilities are defined by instance user permissions and inherited project logic.
Project-level and object/data-level rights are assigned via role permissions and defaults, separately for user and device individuals.