Cloud/station role mapping (station and application layers)

User roles for a cloud application (cloud roles) can be quite different from the security roles defined on the station (station roles).

Cloud roles typically reflect user segmentation from the cloud application perspective and control user access (RBAC). Cloud roles are defined by cloud application developers and/or operations.

Station roles reflect segmentation from the particular station (building) perspective. The station security system uses a role-based access control approach to control user permissions. The station owner and/or integrator who installs and configures the station defines station roles.

To control the execution of cloud commands, the station must know at least the user's cloud role (carried as one of the JWT claims) and the mapping from that cloud role to a predefined station role, because it is the station role that the station uses to enforce permissions.

For example, standard and VIP hotel guests may have different roles on the cloud application side, but to the station they have the same role: an extremely restricted user.

Figure 7.   Cloud-to-station roles mapping

Important comments

  1. The system rejects a command received without a cloud role or with a cloud role that is not mapped to a station role (refer to the overall station command flow diagram).
  2. A command whose cloud role is mapped to a station role is passed on for execution, but the system rejects it when the permissions of that station role are not sufficient to perform the requested action.
  3. MVO3 has a different (incorrect) implementation: instead of applying the mapping, it uses the JWT claim values directly as station roles. MVO4 will correct this.

ACTION: Configure role mapping

Create reasonable station roles to provide the required level of security and access control.

Configure the mapping of cloud roles to station roles.
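The following Python script is an added example, not code from the product or the page; it shows the decision logic described in the "Important comments" list above and the two configuration steps of this action. Everything in it is assumed for illustration: the cloud role is carried in a JWT claim named "role", tokens are HS256-signed with a shared secret, and the station roles, their permission sets and the cloud-to-station mapping are constructed sample data. The script also includes the direct-use pattern described for MVO3 (claim value taken as the station role name) next to the mapping-based check, so the difference in outcome can be seen on the same token.

```python
"""Cloud-role to station-role mapping with a station permission check.

Added illustration; not the product's code. Assumptions: cloud role in a
"role" JWT claim, HS256 with a shared secret, constructed roles and mapping.
"""
import base64
import hashlib
import hmac
import json

# --- Constructed configuration (assumptions, not real product settings) ----
SHARED_SECRET = b"constructed-demo-secret"  # assumption: HS256 shared key

# Station roles and the permissions each grants (defined on the station side).
STATION_ROLES = {
    "restricted_guest": {"read_room_temp", "set_room_temp"},
    "facility_operator": {"read_room_temp", "set_room_temp",
                          "unlock_door", "view_alarms"},
}

# Cloud role -> station role mapping (the mapping this action configures).
ROLE_MAPPING = {
    "standard_guest": "restricted_guest",
    "vip_guest": "restricted_guest",
    "hotel_ops": "facility_operator",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Cloud side: build an HS256 JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET) -> dict:
    """Station side: check the signature and return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def authorize_command(token: str, action: str, mapping=ROLE_MAPPING,
                      station_roles=STATION_ROLES) -> tuple[bool, str]:
    """Mapping-based check; returns (allowed, reason)."""
    try:
        claims = verify_token(token)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    cloud_role = claims.get("role")
    if cloud_role is None:                     # comment 1: no cloud role
        return False, "rejected: no cloud role claim"
    station_role = mapping.get(cloud_role)
    if station_role is None:                   # comment 1: role not mapped
        return False, f"rejected: cloud role {cloud_role!r} is not mapped"
    if action not in station_roles.get(station_role, set()):
        return False, f"rejected: {station_role!r} lacks {action!r}"  # comment 2
    return True, f"allowed as {station_role!r}"


def authorize_command_direct(token: str, action: str,
                             station_roles=STATION_ROLES) -> tuple[bool, str]:
    """Direct-use pattern (the MVO3 behaviour): claim value is the station role."""
    try:
        claims = verify_token(token)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    station_role = claims.get("role")
    if station_role not in station_roles:
        return False, "rejected: unknown role"
    if action not in station_roles[station_role]:
        return False, "rejected: insufficient permissions"
    return True, f"allowed as {station_role!r}"


if __name__ == "__main__":
    # Constructed sample tokens: a VIP guest and a token whose cloud role
    # happens to spell a station role name but is not in the mapping.
    guest = make_token({"sub": "guest-42", "role": "vip_guest"})
    spoof = make_token({"sub": "user-7", "role": "facility_operator"})
    for tok, act in [(guest, "set_room_temp"), (guest, "unlock_door"),
                     (spoof, "unlock_door")]:
        print(act, "mapped:", authorize_command(tok, act),
              "direct:", authorize_command_direct(tok, act))
```

With the mapping in place, a token whose cloud role is not in the mapping is rejected regardless of what the claim value spells, which is the point of comment 1; with the direct-use pattern, any claim value that matches a station role name is honoured, so the station's permission model is only as strict as the cloud's choice of role names.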