Identity and Authentication
Centiloc uses Keycloak to provide the access control system for Centiloc services.
Check the URLs page to retrieve the address of your Keycloak environment.
This tool gives you a role-based access control (RBAC) system to manage the different profiles of Centiloc users. These can be humans but also, of course, bots.
Over time, more features will be integrated into the Centiloc Data Platform, and you may want to control access to them precisely.
You can also choose to create only a single account shared by all your applications or team members. Keep in mind that a shared account cannot be traced back to an individual in the logs, and that revoking one person's access then means changing the credentials for everyone who uses it.
For support and maintenance reasons, members of Centiloc's Operations and Support team can access your Keycloak environment. They will never consult it unless you ask for support (to reset the admin password, for instance).
User information added to Keycloak is used only for access control; no data or metrics are collected from it.
To support you efficiently, your environment hosts a centiloc.assist account, used by the support team when you need assistance. If you feel safer removing it, you are free to do so, but the support team will then no longer be able to access your environment.
If you are not familiar with RBAC, we advise you to read the RBAC concept page.
Basically, you create groups and users, and assign roles to both groups and users. These roles are pre-defined by Centiloc.
By default, if no role is assigned, a user cannot consume any Centiloc service.
When you assign roles or attributes to a group, its members automatically inherit those roles and attributes.
Only the admin account can create groups and users.
Centiloc provides 4 roles with different access rights:
- User: can call Get endpoints only. This role is designed for consumers of Geocore data.
- Editor: can update the description information of the data stored in Geocore (these features are coming soon).
- Maintainer: designed for people who know how to set up and configure Centiloc devices.
- Admin: the key role to manage all services as well as Keycloak users and groups.
Geocore module
Operation | User | Editor | Maintainer | Admin |
---|---|---|---|---|
geo.Board/Create, Delete (2) | ❌ | ❌ | ✅ | ✅ |
geo.Board/Get | ✅ | ✅ | ✅ | ✅ |
geo.Board/Update WiFi | ✅ | ✅ | ✅ | ✅ |
geo.Board/Enrol RS485 | ❌ | ❌ | ✅ | ✅ |
geo.Board/Update data (1) | ❌ | ❌ | ✅ | ✅ |
geo.Item/Get | ✅ | ✅ | ✅ | ✅ |
geo.Item/SetURL | ❌ | ✅ | ✅ | ✅ |
geo.Item/SetLabel | ❌ | ✅ | ✅ | ✅ |
geo.Item/Create, Delete (2) | ❌ | ❌ | ✅ | ✅ |
geo.Gateway/Create, Delete (2) | ❌ | ❌ | ✅ | ✅ |
geo.Gateway/Get | ✅ | ✅ | ✅ | ✅ |
geo.Gateway/Configure | ❌ | ❌ | ✅ | ✅ |
Keycloak admin | ❌ | ❌ | ❌ | ✅ |
(1) Update data covers SetRFType, changing dimensions, margins…
(2) On-premise installations only.
Inventory module
Operation | User | Editor | Maintainer | Admin |
---|---|---|---|---|
inventory.Furniture/Create, Delete | ❌ | ✅ | ❌ | ✅ |
inventory.Furniture/Get | ✅ | ✅ | ✅ | ✅ |
inventory.Shelf/Create,Delete | ❌ | ✅ | ❌ | ✅ |
inventory.Shelf/Get | ✅ | ✅ | ✅ | ✅ |
inventory.Location/Create,Delete | ❌ | ✅ | ❌ | ✅ |
inventory.Location/Get | ✅ | ✅ | ✅ | ✅ |
inventory.Product/Create,Delete | ❌ | ✅ | ❌ | ✅ |
inventory.Product/Update (1) | ❌ | ✅ | ❌ | ✅ |
inventory.Product/Enrol | ✅ | ✅ | ✅ | ✅ |
(1) Update covers setting the redirection URL and the 3D models.
When managing roles for your groups and users, you will also see other roles handled by Keycloak itself:
- default-roles-<tenantID>
- offline_access
- uma_authorization
Please do not use them. Keycloak assigns them to every user to make sure all functionalities work; they are not Centiloc roles and do not appear in the tables above. We are studying how to remove them.
You can ask support for more details about these roles.
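As an added example (this is not Centiloc's or Keycloak's code, and the Centiloc services remain the authority on what a request may do), the following script models the rules described above: a user's effective roles are the union of direct role mappings and the roles of every group the user belongs to, including parent groups (Keycloak subgroups inherit the parent group's role mappings), the Keycloak built-in roles listed above are ignored because they are not Centiloc roles, and an operation is denied unless one of the user's Centiloc roles appears in the permission tables. The tenant name `acme`, the group and user names, and the operation spellings are constructed for the illustration. The matrix follows the tables literally, including geo.Board/Update WiFi being open to the User role.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Roles defined by Centiloc. Anything else on a user is a Keycloak built-in
# (default-roles-<tenantID>, offline_access, uma_authorization) and carries no
# Centiloc permission, so it is filtered out here.
CENTILOC_ROLES = {"User", "Editor", "Maintainer", "Admin"}

ALL = CENTILOC_ROLES
MAINTAINER_UP = {"Maintainer", "Admin"}
EDITOR_UP = {"Editor", "Maintainer", "Admin"}
EDITOR_OR_ADMIN = {"Editor", "Admin"}

# Permission matrix transcribed from the two tables above (operation -> roles
# allowed). Operation names are this example's own spelling of the table rows.
PERMISSIONS: dict[str, set[str]] = {
    "geo.Board/Create": MAINTAINER_UP, "geo.Board/Delete": MAINTAINER_UP,
    "geo.Board/Get": ALL, "geo.Board/UpdateWiFi": ALL,
    "geo.Board/EnrolRS485": MAINTAINER_UP, "geo.Board/UpdateData": MAINTAINER_UP,
    "geo.Item/Get": ALL, "geo.Item/SetURL": EDITOR_UP, "geo.Item/SetLabel": EDITOR_UP,
    "geo.Item/Create": MAINTAINER_UP, "geo.Item/Delete": MAINTAINER_UP,
    "geo.Gateway/Create": MAINTAINER_UP, "geo.Gateway/Delete": MAINTAINER_UP,
    "geo.Gateway/Get": ALL, "geo.Gateway/Configure": MAINTAINER_UP,
    "keycloak/admin": {"Admin"},
    "inventory.Furniture/Create": EDITOR_OR_ADMIN, "inventory.Furniture/Delete": EDITOR_OR_ADMIN,
    "inventory.Furniture/Get": ALL,
    "inventory.Shelf/Create": EDITOR_OR_ADMIN, "inventory.Shelf/Delete": EDITOR_OR_ADMIN,
    "inventory.Shelf/Get": ALL,
    "inventory.Location/Create": EDITOR_OR_ADMIN, "inventory.Location/Delete": EDITOR_OR_ADMIN,
    "inventory.Location/Get": ALL,
    "inventory.Product/Create": EDITOR_OR_ADMIN, "inventory.Product/Delete": EDITOR_OR_ADMIN,
    "inventory.Product/Update": EDITOR_OR_ADMIN, "inventory.Product/Enrol": ALL,
}


@dataclass
class Group:
    name: str
    roles: set[str] = field(default_factory=set)
    parent: Group | None = None  # Keycloak subgroups inherit the parent's role mappings


@dataclass
class User:
    username: str
    roles: set[str] = field(default_factory=set)  # direct role mappings
    groups: list[Group] = field(default_factory=list)


def effective_roles(user: User) -> set[str]:
    """Direct roles plus roles inherited through every ancestor group,
    restricted to the Centiloc-defined roles."""
    roles = set(user.roles)
    for group in user.groups:
        node: Group | None = group
        while node is not None:
            roles |= node.roles
            node = node.parent
    return roles & CENTILOC_ROLES


def is_allowed(user: User, operation: str) -> bool:
    """Deny by default: an unknown operation, or a user whose only roles are
    Keycloak built-ins, gets False."""
    return bool(effective_roles(user) & PERMISSIONS.get(operation, set()))


def demo() -> dict[str, bool]:
    # Constructed tenant "acme", groups and users for illustration.
    builtin = {"default-roles-acme", "offline_access", "uma_authorization"}
    maintainers = Group("maintainers", {"Maintainer"})
    field_team = Group("field-team", parent=maintainers)  # nested under maintainers
    alice = User("alice", set(builtin), [field_team])     # role only via group nesting
    bot = User("dashboard-bot", builtin | {"User"})       # read-only service account
    newcomer = User("newcomer", set(builtin))             # no Centiloc role yet
    return {
        "alice enrols RS485 board": is_allowed(alice, "geo.Board/EnrolRS485"),
        "alice creates furniture": is_allowed(alice, "inventory.Furniture/Create"),
        "bot reads item": is_allowed(bot, "geo.Item/Get"),
        "bot sets item URL": is_allowed(bot, "geo.Item/SetURL"),
        "newcomer reads board": is_allowed(newcomer, "geo.Board/Get"),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
```

Two points worth noticing when you run it: alice holds no direct role at all and still gets Maintainer rights through the nested group, which is why group membership should be reviewed as carefully as direct role assignments; and newcomer, who carries only the Keycloak built-in roles, is denied everything, matching the "no role, no access" default stated above.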
At the moment, only single-factor authentication (a password) is required. Following the French ANSSI recommendations on password settings, the constraints are:
- expires every 5 years
- must differ from the last 3 passwords
- minimum length 16 characters
- maximum length 32 characters
- must not be the username or the email address
- at least 1 uppercase letter, 1 lowercase letter, 1 special character and 1 digit
- at most two consecutive identical characters
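As an added example (not Keycloak's or Centiloc's implementation: Keycloak enforces the policy server-side on every password change), here are the constraints above written as a validator that returns every rule a candidate password breaks, so the history and expiry rules can be exercised too. The account names are constructed; the 5-year expiry is approximated as 5 × 365 days, "neither username nor email" is read as case-insensitive equality, and "special character" is read as anything that is not a letter or digit. The history is kept as salted PBKDF2 hashes, which is this example's storage choice, not how Keycloak stores its credential history.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_LEN, MAX_LEN = 16, 32
HISTORY = 3                       # must differ from the last 3 passwords
EXPIRY = timedelta(days=5 * 365)  # "every 5 years", leap days ignored (assumption)

# Violation messages, returned as a list so a UI can show all of them at once.
V_TOO_SHORT = f"shorter than {MIN_LEN} characters"
V_TOO_LONG = f"longer than {MAX_LEN} characters"
V_IDENTITY = "equals the username or the email address"
V_CLASSES = "needs an uppercase letter, a lowercase letter, a digit and a special character"
V_REPEAT = "more than two consecutive identical characters"
V_HISTORY = f"matches one of the last {HISTORY} passwords"


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history holds no reusable secret (example storage only).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    email: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), oldest first
    changed_at: datetime | None = None


def check_password(account: Account, candidate: str) -> list[str]:
    """Return every constraint the candidate violates (empty list = acceptable)."""
    violations: list[str] = []
    if len(candidate) < MIN_LEN:
        violations.append(V_TOO_SHORT)
    if len(candidate) > MAX_LEN:
        violations.append(V_TOO_LONG)
    # "neither username nor email" read as case-insensitive equality (assumption).
    if candidate.casefold() in (account.username.casefold(), account.email.casefold()):
        violations.append(V_IDENTITY)
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")  # special = anything else
    if not all(re.search(p, candidate) for p in classes):
        violations.append(V_CLASSES)
    if re.search(r"(.)\1\1", candidate):  # three in a row breaks "at most two"
        violations.append(V_REPEAT)
    for salt, digest in account.history[-HISTORY:]:
        if hmac.compare_digest(_derive(candidate, salt), digest):
            violations.append(V_HISTORY)
            break
    return violations


def set_password(account: Account, new_password: str, now: datetime | None = None) -> list[str]:
    """Apply the policy; on success record a fresh salted hash and the change time."""
    violations = check_password(account, new_password)
    if violations:
        return violations
    salt = os.urandom(16)
    account.history.append((salt, _derive(new_password, salt)))
    account.changed_at = now or datetime.now(timezone.utc)
    return []


def is_expired(account: Account, now: datetime | None = None) -> bool:
    """True when the current password is older than EXPIRY (or was never set)."""
    if account.changed_at is None:
        return True
    return (now or datetime.now(timezone.utc)) - account.changed_at >= EXPIRY


if __name__ == "__main__":
    acct = Account("alice", "alice@example.com")  # constructed sample account
    for pw in ("Correct-Horse7Battery!", "Abc123!x", "Paaa-1234567890xyzQ", "Correct-Horse7Battery!"):
        print(f"{pw!r:26} -> {set_password(acct, pw) or 'accepted'}")
```

Keycloak ships built-in password policies for most of these rules (minimum and maximum length, digits, upper and lower case, special characters, not username, not email, not recently used, expire password); the consecutive-character limit has no dedicated provider and is the kind of rule that has to be expressed through its regular-expression policy. The check for the last 3 passwords only works if the old hashes are retained, which is why the history list is never truncated below HISTORY entries here.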
Keycloak supports many identity delegation and synchronization technologies, such as identity brokering with external OIDC or SAML identity providers and user federation with LDAP. If you wish to configure them, please ask the support team to grant your admin account sufficient rights.