
User Roles of ESP RainMaker

What are User Roles in ESP RainMaker?

ESP RainMaker defines three types of users, each with different levels of access and responsibilities:

  1. Superadmin user (Only relevant for private RainMaker)
  2. Admin user
  3. End user

Superadmin User

Superadmin users exist only in a private RainMaker deployment. They have the highest level of control and can:

  • Manage all admin users.
  • Handle all deployment-related operations.
  • Oversee all devices under the deployment.
  • Control user access and security policies.

Superadmin Abilities

It is recommended to keep the number of Superadmin users small, because of the security concerns that come with such a high level of access.

  • A Superadmin user has all the access rights of an admin, with additional privileges exclusive to Superadmins.

    View all accessible features for Admins and Superadmins.

  • A Superadmin user is appointed during step 4 of deploying backend services in a private RainMaker deployment.

  • Only Superadmin users have access to the admin CLI.

  • A Superadmin user can access nodes via the ESP RainMaker dashboard and push OTA firmware updates.

  • A Superadmin user cannot read or write node parameters.


Admin Users

In Public RainMaker:

A user who owns the MQTT credentials of a given node is the admin user.

  • In other words, the user possessing the certificate, private key, and any required authentication details for the node has administrative control over it.
  • The admin user can also act as an end user for that node when user-node mapping is successfully completed or when node sharing occurs.

Note

For example, a user who claims a node using Host Driven Claiming or Assisted Claiming becomes the admin user for the given node. For Self Claiming, the user who provisions the node becomes the admin user.

Special Case: Assisted Claiming

Assisted Claiming, which occurs during Bluetooth LE provisioning via phone apps, is a special case. The logged-in user first gains admin access during the Assisted Claiming workflow and then also gains primary user access via the user-node mapping workflow, both of which are integrated into the Bluetooth LE provisioning workflow.


In Private RainMaker:

Any user added to the private deployment of a RainMaker account gains admin access to the node and becomes an admin user.

Admin Abilities
  • Admin users can access nodes via the ESP RainMaker dashboard and push OTA firmware updates.
  • Admin users cannot read or write node parameters in a private RainMaker deployment.

End Users

There are two types of end users:

  1. Primary user
  2. Secondary user

Primary User

A user who performs the user-node mapping workflow for a node becomes the primary user of the node.

Primary User Abilities
  1. Can share the node with other users, assigning them either primary or secondary user roles.
  2. Has access to the node's configuration.
  3. Can read or write node parameters.
  4. Can add, remove, or view other secondary users.

Note

Support for multiple primary users is now available.


Secondary Users

Any user who gets 'secondary' access to a node via node sharing becomes a secondary user for the node.

Secondary User Abilities
  1. Has access to the node's configuration.
  2. Can read or write node parameters.
  3. Cannot add, remove, or view other secondary users.

Why Introduce Such Roles?

Scenario

Imagine you are developing smart home devices and want your friends and family to test them. First, you set up all the devices and take admin access, allowing you to monitor them through a dashboard and send software updates based on user feedback. However, you cannot directly control the devices—only the actual users can.

The people using the devices—your friends and family—need to set them up on their home Wi-Fi and link them to their accounts using a phone app. This step gives them primary user access, allowing them to control and monitor the devices. If they want to share access with others, like family members, they can do so by adding them as secondary users, who also get control but cannot manage sharing settings.

This structured approach ensures clear separation of responsibilities in ESP RainMaker. Superadmin and admin users focus on device management, software updates, and troubleshooting, while end users control the devices based on their needs. This prevents unintended access while allowing flexibility for sharing.
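
The scenario above can be replayed as a small role model. This is an added example, not ESP RainMaker code or its API: the class, method, capability and user names are hypothetical, and the capability sets are taken from the abilities listed on this page.

```python
# Illustrative model only: names below are hypothetical, not a RainMaker API.
CAPS = {  # capabilities per role, as listed on this page
    "admin": {"dashboard", "push_ota"},
    "primary": {"node_config", "params_rw", "share_node", "manage_secondary"},
    "secondary": {"node_config", "params_rw"},
}


class Node:
    def __init__(self):
        self.roles = {}  # user -> set of roles held on this node

    def _grant(self, user, role):
        self.roles.setdefault(user, set()).add(role)

    def claim(self, user):
        self._grant(user, "admin")  # claiming the node gives admin access

    def map_user(self, user):
        self._grant(user, "primary")  # user-node mapping gives primary access

    def share(self, owner, target, role):
        # Node sharing: refused unless the sharer holds a role with share_node.
        if role not in ("primary", "secondary"):
            raise ValueError("sharing grants only primary or secondary")
        if not self.can(owner, "share_node"):
            return False
        self._grant(target, role)
        return True

    def can(self, user, cap):
        # Effective access is the union over every role the user holds.
        return any(cap in CAPS[r] for r in self.roles.get(user, ()))


def replay_scenario():
    node = Node()
    node.claim("developer")  # developer sets up the device
    node.map_user("friend")  # friend links it to their account
    shared = node.share("friend", "relative", "secondary")
    reshared = node.share("relative", "guest", "secondary")  # must be refused
    return node, shared, reshared


def assisted_claiming(user):
    node = Node()
    node.claim(user)     # admin access from the claiming workflow
    node.map_user(user)  # primary access from user-node mapping
    return node
```

In the Assisted Claiming case the same account holds both OTA and parameter access on the node, which is the one place in this model where management and control are not held by different users.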
