Managing Access Rights

A more technical look at the details regarding Service Account management.

Hierarchy

Service Accounts are designed to be flexible enough to accommodate most organizational structures. They can be given access to any number of projects or organizations as required, with a specific level of permissions in each. The access rights hierarchy can be summarized in a few points.

  • A Service Account is created under a project which becomes its owner.

  • A Service Account can be a member of other projects and organizations.

  • The Service Account membership is assigned a role for that project or organization.

  • A role provides the member with permissions within the related project or organization.

Manage Service Accounts

When first creating a Service Account within a project, the Service Account will not be a member of any projects or organizations, including the project it is owned by. In DT Studio, the “Role in current Project” option will show as “No access”, and can be changed to give the Service Account access to the resources in this project.

Creating a Service Account

Please refer to our introductory guide on Creating a Service Account.

Deleting a Service Account

DT Studio
REST API
DT Studio

In your project, navigate to the API Integrations -> Service Accounts page. Locate the Service Account you wish to remove, then click the Remove-button.

REST API

Send a DELETE request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccount/<SERVICEACCOUNT_ID>

Example

Using cURL with a Service Account for authentication, the following example deletes the Service Account specified by its ID.

curl -X DELETE "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<DELETING_SERVICE_ACCOUNT_ID>" \
-u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"

Members

A single Service Account can be a member of several projects and organizations. These members are unique and independent from each other, allowing for different roles to be assigned.

Manage Project Members

A User or Service Account must have the role of Project Admin or higher to manage members.

New Project Member

DT Studio
REST API
DT Studio

In your project, navigate to the Project Settings page. Here, using the email of the Service Account you wish to add, select a role and click Invite Member. This can be changed later.

REST API

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/members

A request body with the following parameters is required.

{
"roles": [
"roles/<ROLE>"
],
"email": "<SERVICE_ACCOUNT_EMAIL>"
}

A list of all available parameters can be found in our REST API Reference and a list of all roles and their permissions under the Roles subsection on this very page.

Example Usage

Using cURL with a Service Account for authentication, the following example grants the specified Service Account the role of Project Developer in the specified project.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/members" \
-u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
-d '{"roles": ["roles/project.developer"], "email": "<SERVICE_ACCOUNT_EMAIL>"}'

Remove Project Member

DT Studio
REST API
DT Studio

In your project, navigate to the Project Settings page. Locate the member you wish to remove, then click the Remove-button. For reference, see the image under New Project Member.

REST API

Send a DELETE request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/members/<MEMBER_ID>

Here, <MEMBER_ID> is either the ID of a Service Account or User.

Example Usage

Using cURL with a Service Account for authentication, the following example removes the specified Service Accounts membership in the specified project.

curl -X DELETE "https://api.d21s.com/v2/projects/<PROJECT_ID>/members/<SERVICE_ACCOUNT_ID>" \
-u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"

Manage Organization Members

A User or Service Account must have the role of Organization Admin or higher to manage members.

New Organization Member

DT Studio
REST API
DT Studio

In any project, navigate to the Administrators page. Currently, the only role available for an organization member is organization.admin, hence the naming conventions used in DT Studio. Using the email of the Service Account you wish to add, click Invite Administrator.

Note that an organization.admin will obtain the same permissions as a project.admin in every single project under the organization in question.

REST API

Send a POST request to:

https://api.d21s.com/v2/organizations/<ORGANIZATION_ID>/members

A request body with the following parameters is required.

{
"roles": [
"roles/<ROLES>"
],
"email": "<SERVICE_ACCOUNT_EMAIL>"
}

A list of all available parameters can be found in our REST API Reference. Currently, the only role availbale is organization.admin.

Example Usage

Using cURL with a Service Account for authentication, the following example grants the specified Service Account the role of Organization Admin in the specified organization.

curl -X POST "https://api.d21s.com/v2/organizations/<ORGANIZATION_ID>/members" \
-u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
-d '{"roles": ["roles/organization.admin"], "email": "<SERVICE_ACCOUNT_EMAIL>"}'

Remove Organization Member

DT Studio
REST API
DT Studio

In any project, navigate to the Administrators page. Locate the member you wish to remove, then click the Remove-button. For reference, see the image under New Organization Member.

REST API

Send a DELETE request to:

https://api.d21s.com/v2/organizations/<ORGANIZATION_ID>/members/<MEMBER_ID>

Here, <MEMBER_ID> is either the ID of a Service Account or User.

Example Usage

Using cURL with a Service Account for authentication, the following example removes the specified Service Accounts membership in the specified organization.

curl -X DELETE "https://api.d21s.com/v2/organizations/<ORGANIZATION_ID>/members/<SERVICE_ACCOUNT_ID>" \
-u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"

Roles

A role contains a set of permissions that determines which actions a member is authorized to perform on a specific resource in DT Cloud. To make permissions available to members, you grant them the role that provides the desired set of permissions.

The following roles are available.

  • project.user

  • project.developer

  • project.admin

  • organization.admin

Managing Roles

Roles can be managed by users or Service Account Members with an assigned role of Project Administrator or Organization Administrator for projects and organization levels. The role of a member is managed in the same place where the member itself is managed. See the Members section for details on where this is located, or use our REST API endpoint for Membership and Access Control.

Permissions

The following table shows a complete list of permissions granted by role.

Permission

project .user

project .developer

project .admin

organization .admin

dataconnector.create

X

X

X

dataconnector.read

X

X

X

X

dataconnector.update

X

X

X

dataconnector.delete

X

X

X

device.read

X

X

X

X

device.update

X

X

X

device.transfer

X

X

emulator.create

X

X

X

emulator.read

X

X

X

X

emulator.update

X

X

X

emulator.delete

X

X

X

membership.create

X

X

membership.read

X

X

X

X

membership.update

X

X

membership.delete

X

X

organization.read

X

organization.update

X

project.create

X

project.read

X

X

X

X

project.update

X

X

project.delete

X

X

serviceaccount.create

X

X

serviceaccount.read

X

X

X

X

serviceaccount.update

X

X

serviceaccount.delete

X

X

serviceaccount.key.create

X

X

serviceaccount.key.read

X

X

X

X

serviceaccount.key.delete

X

X