User Roles of ESP RainMaker
ESP RainMaker defines three types of Users, each with different levels of access and responsibilities:
- SuperAdmin User (Only relevant for Private RainMaker)
- Admin User
- End User
Super Admin User
SuperAdmin Users exist only in a private RainMaker deployment. They have the highest level of control and can:
- Manage all admin users.
- Manage all deployment related operations.
- Oversee all devices under the deployment.
- Control user access and security policies.
Because SuperAdmin Users have such broad access, it is recommended to keep their number small.
- A SuperAdmin user has all the access rights of an Admin, with additional privileges exclusive to a SuperAdmin. View all accessible features for Admins and SuperAdmins.
- A SuperAdmin User is appointed in step 4 of deploying backend services during the deployment of Private RainMaker.
- Only SuperAdmin Users have access to the admin CLI.
- A SuperAdmin User can access the node via the ESP RainMaker Dashboard and also push OTA firmware updates.
- A SuperAdmin User cannot read/write the node parameters.
Admin Users
In Public RainMaker
A user who owns the MQTT credentials of a given node is the Admin User.
- In other words, the user possessing the certificate, private key, and any required authentication details for the node has administrative control over it.
- The Admin user can also be an End User for that node when User-Node mapping is successfully done or when Node Sharing happens.
For example, a user who Claims a node either using Host Driven Claiming or Assisted Claiming becomes an admin user for the given node. For Self Claiming, the user who provisioned the node becomes the admin user.
Assisted Claiming which happens during Bluetooth LE provisioning from phone apps is a special case. The logged in user first gets the admin access during the Assisted Claiming workflow and then also gets the primary user access via the user-node mapping workflow, both of which are incorporated into the Bluetooth LE provisioning workflow.
In Private RainMaker
Any user added to a private RainMaker deployment gets admin access to its nodes and becomes an Admin User.
- Admin Users can access the node via ESP RainMaker Dashboard and also push OTA firmware updates.
- Admin Users cannot read/write the node parameters in Private RainMaker Deployment.
End Users
There are two types of End Users:
- Primary User
- Secondary User
Primary User
A user who performs the user-node mapping workflow for a node becomes the primary user of the node.
- Able to share the node with other users with the primary or secondary user role.
- Access to the node's config.
- Able to read or write node parameters.
- Able to add, remove or view other secondary users.
Support for multiple primary users is now available.
Secondary Users
Any user who gets 'secondary' access to a node via node sharing becomes a secondary user for the node.
- Access to the node's config.
- Able to read/write the node parameters.
- Not permitted to add, remove, or view other secondary users.
Why introduce such roles?
Imagine you're developing smart home devices and want your friends and family to test them. First, you set up all the devices and take admin access, allowing you to monitor them through a dashboard and send software updates based on user feedback. However, you cannot directly control the devices—only the actual users can.
The people using the devices—your friends and family—need to set them up on their home Wi-Fi and link them to their accounts using a phone app. This step gives them primary user access, allowing them to control and monitor the devices. If they want to share access with others, like family members, they can do so by adding them as secondary users, who also get control but cannot manage sharing settings.
This structured approach ensures clear separation of responsibilities in ESP RainMaker. SuperAdmin/Admin users focus on device management, software updates, and troubleshooting, while end users control the devices based on their needs. This prevents unintended access while allowing flexibility for sharing.
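The scenario above, as an added example that is not part of ESP RainMaker's own code: a small, constructed model of one node's role assignments that encodes the rules on this page (claiming grants Admin, user-node mapping grants primary, only primary users can share or manage secondaries, and the Admin role alone gives no access to node parameters). Names such as `Node`, `claim`, `map_user`, `share` and `can` are assumptions of this model, not RainMaker APIs.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """Constructed model of one node's role assignments (not RainMaker's own code)."""
    node_id: str
    admin: Optional[str] = None                    # owner of the node's MQTT credentials
    primaries: set = field(default_factory=set)    # users who did user-node mapping
    secondaries: set = field(default_factory=set)  # users granted access via sharing

    def claim(self, user: str) -> None:
        """Host Driven, Assisted or Self Claiming: the claiming user becomes Admin."""
        self.admin = user

    def map_user(self, user: str) -> None:
        """User-node mapping: the mapping user becomes a primary user."""
        self.primaries.add(user)

    def share(self, sharer: str, target: str, role: str) -> None:
        """Node sharing: only a primary user may grant primary or secondary access."""
        if sharer not in self.primaries:
            raise PermissionError(f"{sharer} is not a primary user of {self.node_id}")
        if role == "primary":
            self.primaries.add(target)
        elif role == "secondary":
            self.secondaries.add(target)
        else:
            raise ValueError(f"unknown role {role!r}")

    def remove_secondary(self, actor: str, target: str) -> None:
        """Managing secondary users is a primary-user privilege only."""
        if actor not in self.primaries:
            raise PermissionError(f"{actor} may not manage secondary users")
        self.secondaries.discard(target)

    def can(self, user: str, action: str) -> bool:
        """Per-node authorization check for the actions listed on this page."""
        is_end_user = user in self.primaries or user in self.secondaries
        if action in ("dashboard", "ota"):
            return user == self.admin              # Admin-only; end users cannot
        if action in ("config", "read_params", "write_params"):
            return is_end_user                     # Admin role alone gives no access
        if action in ("share", "manage_secondaries"):
            return user in self.primaries
        return False
```

An Admin who also completes user-node mapping becomes a primary user too, which is how the same account ends up with both OTA and parameter access in Public RainMaker.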