
Access Control and Audit

Overview

Access control and audit logging are critical components of any IoT platform security strategy. IndustryOS provides comprehensive tools to manage user permissions, track user actions, and maintain compliance with security and regulatory requirements.

This documentation covers:

  • Role-based access control (RBAC)
  • Permission management
  • Audit log functionality
  • Compliance and monitoring

Role-Based Access Control

IndustryOS implements a hierarchical role-based access control system that defines what actions users can perform and which resources they can access.

User Hierarchy

IndustryOS supports the following user hierarchy:

  1. System Administrator - Has full access to the entire platform, including all tenants and system configuration
  2. Tenant Administrator - Has full access within their tenant, can manage users, devices, and resources
  3. Customer User - Has access to resources assigned to their customer account
  4. Generic User - Has limited access based on assigned permissions

Default Roles

IndustryOS provides several default roles with predefined permissions:

System Administrator

  • Full system configuration access
  • Tenant management
  • System-wide monitoring and audit
  • Global settings and policies
  • System updates and maintenance

Tenant Administrator

  • Tenant configuration and settings
  • User and customer management
  • Device and asset management
  • Dashboard and rule chain creation
  • Tenant-level integrations

Customer User

  • View assigned devices and assets
  • Access assigned dashboards
  • View telemetry and attributes
  • Create personal dashboards
  • Limited rule chain access

Custom Roles

IndustryOS allows you to create custom roles with specific permissions tailored to your organisation’s needs.

Creating a Custom Role

  1. Navigate to “Security” → “Roles”
  2. Click “+ Add Role”
  3. Configure the role:
    • Name - Descriptive name for the role
    • Type - Generic or Customer-specific
    • Permissions - Select from available permission groups
  4. Save the role

Permission Groups

Permissions are organised into groups based on functionality:

Entity Management

  • Create, read, update, delete devices
  • Create, read, update, delete assets
  • Create, read, update, delete customers
  • Manage entity relationships

Dashboard and Visualisation

  • View dashboards
  • Create and edit dashboards
  • Share dashboards
  • Export dashboard data

Data Access

  • Read telemetry data
  • Write telemetry data
  • Read attributes
  • Write attributes
  • Execute RPC commands

Rule Engine

  • View rule chains
  • Create and edit rule chains
  • Debug rule chains
  • Import/export rule chains

Administration

  • User management
  • System settings
  • Integration configuration
  • Audit log access

Assigning Roles to Users

To assign a role to a user:

  1. Navigate to “Users”
  2. Select the user or create a new user
  3. In the user details, select the appropriate role
  4. Assign the user to a customer (if applicable)
  5. Save the user configuration

Resource Ownership and Sharing

Entity Ownership

Each entity (device, asset, dashboard, etc.) in IndustryOS has an owner:

  • Tenant-Owned - Accessible to tenant administrators and users with appropriate permissions
  • Customer-Owned - Accessible to customer users and tenant administrators
  • User-Owned - Personal resources (e.g., private dashboards)

Sharing Resources

Resources can be shared across organisational boundaries:

Dashboard Sharing

  1. Open the dashboard
  2. Click the share icon
  3. Choose sharing options:
    • Public - Accessible via public link (with optional password)
    • Customer - Share with specific customers
    • User Group - Share with specific user groups
  4. Set permissions (view-only or edit)
  5. Save sharing settings

Device and Asset Assignment

Devices and assets can be assigned to customers:

  1. Navigate to the device or asset
  2. Click “Assign to customer”
  3. Select the target customer
  4. Confirm assignment

Once assigned, customer users can access the device or asset according to their role permissions.

Audit Logs

IndustryOS can track user actions to maintain an audit log. It can log user actions on the main entities: assets, devices, dashboards, rules, and more.

Audit Log Features

  • Comprehensive Tracking - Log all user actions across the platform
  • Entity-Specific Logs - Track actions on specific devices, assets, or other entities
  • User Activity Monitoring - View all actions performed by a specific user
  • Detailed Information - Capture action type, timestamp, user, entity, and changes made
  • Search and Filter - Quickly find relevant audit entries

User Interface

Tenant administrators can review the audit logs that belong to their tenant account. The administrator can set a date range and run a full-text search over the fetched entities.

The audit log interface displays:

  • Timestamp - When the action occurred
  • User - Who performed the action
  • Entity Type - Type of entity affected (Device, Asset, Dashboard, etc.)
  • Entity Name - Name of the specific entity
  • Action Type - Type of action performed (Created, Updated, Deleted, etc.)
  • Status - Success or failure of the action

The “Details” button allows reviewing low-level details of the logged action, including:

  • Before and after values for updates
  • Complete entity configuration
  • IP address and user agent
  • Additional context information

Audit Log Configuration

System administrators can configure audit log levels and behaviour.

Logging Levels

For each entity type, you can configure:

  • OFF - Disable logging for this entity type
  • W - Log write operations (create, update, delete)
  • RW - Log read and write operations (includes view operations)

Configuration Example

audit_log:
  enabled: true
  by_tenant_partitioning: MONTHS
  default_query_period: 30
  logging_level:
    mask:
      device: W
      asset: W
      dashboard: OFF
      customer: W
      user: RW
      rule: RW
      integration: RW

This configuration:

  • Disables logging for dashboards
  • Logs read and write operations for users, rules, and integrations
  • Logs only write operations for devices, assets, and customers

Partitioning Strategy

The by_tenant_partitioning parameter controls how audit logs are partitioned:

  • MINUTES - For very high-volume systems
  • HOURS - For high-volume systems
  • DAYS - For medium-volume systems
  • MONTHS - For standard deployments (recommended)

Recommendation: Set the partitioning parameter based on the number of devices and user actions that will be logged. The more actions you plan to log, the finer the partitioning needs to be. The approximate number of records per partition should not exceed 500,000.
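One way to check the 500,000-record guideline against real data, as an added example that is not part of the IndustryOS documentation: it buckets exported audit records per tenant at each by_tenant_partitioning granularity and returns the coarsest one whose largest bucket stays within the limit. The (tenant, timestamp) input shape, and the assumption that a partition holds one tenant's records for one time bucket, are illustrative.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Coarsest first; the names are the by_tenant_partitioning options from the page.
GRANULARITIES = [
    ("MONTHS", "%Y-%m"),
    ("DAYS", "%Y-%m-%d"),
    ("HOURS", "%Y-%m-%dT%H"),
    ("MINUTES", "%Y-%m-%dT%H:%M"),
]
MAX_RECORDS_PER_PARTITION = 500_000  # guideline stated on the page


def peak_partition_size(events, fmt):
    """Largest record count in any (tenant, time bucket) pair (assumed partition key)."""
    buckets = Counter((tenant, ts.strftime(fmt)) for tenant, ts in events)
    return max(buckets.values(), default=0)


def recommend_partitioning(events, limit=MAX_RECORDS_PER_PARTITION):
    """Return (granularity, peak) for the coarsest option whose peak is within limit.

    Returns (None, peak at MINUTES) when even MINUTES exceeds the limit.
    """
    events = list(events)
    peak = 0
    for name, fmt in GRANULARITIES:
        peak = peak_partition_size(events, fmt)
        if peak <= limit:
            return name, peak
    return None, peak


def constructed_events():
    """Constructed sample: tenant-a logs 2 events/minute for 3 days, tenant-b 1 event/hour."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    events = []
    for minute in range(3 * 24 * 60):
        ts = start + timedelta(minutes=minute)
        events += [("tenant-a", ts), ("tenant-a", ts)]
        if minute % 60 == 0:
            events.append(("tenant-b", ts))
    return events


if __name__ == "__main__":
    # Scaled-down limits keep the sample small; use the default for real exports.
    for limit in (10_000, 3_000, 150, 1):
        print(limit, recommend_partitioning(constructed_events(), limit))
```

The busiest tenant drives the result, so a single noisy tenant can justify finer partitioning for the whole deployment.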

REST API Access

Audit logs can be fetched via the REST API. Several API calls allow fetching entities related to a particular user, entity, or customer, or fetching all records using page links.

Common API endpoints:

  • /api/audit/logs/{entityType}/{entityId} - Get logs for a specific entity
  • /api/audit/logs/user/{userId} - Get logs for a specific user
  • /api/audit/logs/customer/{customerId} - Get logs for a specific customer
  • /api/audit/logs - Get all audit logs with pagination

External Log Sink Configuration

System administrators can configure a connection to external systems for pushing audit logs. This is useful for:

  • Long-term archival
  • Integration with SIEM systems
  • Centralised log management
  • Compliance requirements

Elasticsearch Integration

Configure Elasticsearch as an external sink:

sink:
  type: elasticsearch
  index_pattern: "@{TENANT}_AUDIT_LOG_@{DATE}"
  date_format: "YYYY.MM.DD"
  scheme_name: https
  host: elasticsearch.example.com
  port: 9200
  user_name: audit_user
  password: ${AUDIT_LOG_SINK_PASSWORD}

Index pattern placeholders:

  • @{TENANT} - Substituted by tenant ID
  • @{DATE} - Substituted by current date in the specified format

Permission Management Best Practices

Principle of Least Privilege

  1. Grant Minimum Required Access - Users should only have access to resources and actions necessary for their job function
  2. Use Custom Roles - Create specific roles for different job functions rather than using generic high-privilege roles
  3. Regular Reviews - Periodically review user permissions and remove unnecessary access
  4. Temporary Elevated Access - For temporary needs, grant access for a limited time and revoke afterwards

Role Design

  1. Functional Roles - Design roles based on job functions (e.g., “Operator”, “Maintenance Engineer”, “Analyst”)
  2. Separate Administration - Keep administrative roles separate from operational roles
  3. Customer Isolation - Ensure customer users cannot access other customers’ data
  4. Document Roles - Maintain documentation of each role’s purpose and permissions

User Management

  1. Onboarding Process - Establish a standard process for creating user accounts with appropriate roles
  2. Offboarding Process - Promptly disable or delete accounts for departing users
  3. Account Review - Regularly review active accounts and remove unused ones
  4. Strong Authentication - Enforce strong passwords and two-factor authentication

Compliance and Monitoring

Compliance Requirements

Audit logs help meet various compliance requirements:

GDPR Compliance

  • Track access to personal data
  • Log data modifications and deletions
  • Maintain records of data subject requests
  • Demonstrate accountability

ISO 27001

  • Monitor security events
  • Track privileged user actions
  • Maintain access control records
  • Support incident investigation

Industry-Specific Standards

  • Healthcare (HIPAA) - Track access to protected health information
  • Financial Services - Monitor transaction and data access
  • Manufacturing (IEC 62443) - Log industrial control system changes

Monitoring and Alerting

Security Monitoring

Monitor audit logs for security-relevant events:

  1. Failed Authentication Attempts - Multiple failures may indicate brute-force attacks
  2. Privilege Escalation - Unexpected role or permission changes
  3. Unusual Activity - Actions outside normal patterns (time, location, volume)
  4. Critical Changes - Modifications to security settings or user accounts
  5. Data Exfiltration - Large data exports or unusual access patterns

Alert Configuration

Configure Pipeline rules to generate alerts based on audit log events:

  1. Create a rule chain that processes audit log events
  2. Define conditions for alerting (e.g., 5 failed logins in 10 minutes)
  3. Configure notification delivery (email, Slack, SMS)
  4. Set up escalation procedures for critical alerts
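The alert condition from step 2 (5 failed logins in 10 minutes), written as detection logic over exported audit records. This is an added example, not IndustryOS rule-chain code: the record field names, the "LOGIN" action type and the "FAILURE"/"SUCCESS" status values are assumptions modelled on the columns of the audit log interface, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failed logins ...
WINDOW = timedelta(minutes=10)  # ... within this window (the page's example condition)


def failed_login_alerts(records, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user per burst of failed logins inside a sliding window."""
    failures = defaultdict(deque)  # user -> timestamps of failures still in the window
    in_burst = set()               # users already alerted for the current burst
    alerts = []
    events = sorted(
        (datetime.fromisoformat(r["timestamp"]), r["user"])
        for r in records
        if r["actionType"] == "LOGIN" and r["status"] == "FAILURE"
    )
    for ts, user in events:
        recent = failures[user]
        recent.append(ts)
        while ts - recent[0] > window:  # drop failures older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if user not in in_burst:    # alert once, not on every further failure
                in_burst.add(user)
                alerts.append({"user": user, "first": recent[0],
                               "last": ts, "count": len(recent)})
        else:
            in_burst.discard(user)      # burst over; a later one alerts again
    return alerts


def rec(hhmm, user, action, status):
    """Build one constructed audit record (field names are assumptions)."""
    return {"timestamp": f"2024-05-01T{hhmm}:00", "user": user,
            "actionType": action, "status": status}


# Constructed sample: alice fails 6 times in 9 minutes; bob fails 5 times over 16 minutes.
SAMPLE = (
    [rec(t, "alice@example.com", "LOGIN", "FAILURE")
     for t in ("09:00", "09:02", "09:03", "09:05", "09:08", "09:09")]
    + [rec(t, "bob@example.com", "LOGIN", "FAILURE")
       for t in ("09:00", "09:04", "09:08", "09:12", "09:16")]
    + [rec("09:01", "carol@example.com", "LOGIN", "SUCCESS"),
       rec("09:06", "carol@example.com", "UPDATED", "SUCCESS")]
)

if __name__ == "__main__":
    for alert in failed_login_alerts(SAMPLE):
        print(alert)
```

Bob's five failures never fall inside one 10-minute window, so only alice is reported; counting failures per user without the window would flag both.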

Report Generation

Generate regular reports from audit logs for:

  • Compliance Audits - Demonstrate adherence to policies and regulations
  • Security Reviews - Identify potential security issues
  • User Activity Reports - Track user behaviour and productivity
  • Resource Usage - Understand how platform resources are being utilised

See Creating Reports for detailed report configuration.

Troubleshooting Access Issues

User Cannot Access Resource

Problem: User reports they cannot view or modify a resource

Solutions:

  1. Verify user’s role has appropriate permissions
  2. Check if resource is assigned to user’s customer (if applicable)
  3. Confirm resource ownership allows access
  4. Review any resource-specific sharing settings
  5. Check audit logs for denied access attempts

Missing Audit Log Entries

Problem: Expected actions are not appearing in audit logs

Solutions:

  1. Verify audit logging is enabled for the entity type
  2. Check logging level configuration (OFF/W/RW)
  3. Confirm system time is correct
  4. Review partition settings if logs are very old
  5. Check external sink configuration if applicable

Permission Changes Not Taking Effect

Problem: User permission changes don’t seem to apply

Solutions:

  1. Ensure changes were saved correctly
  2. Ask user to log out and log back in
  3. Check for JWT token expiration settings
  4. Verify role assignment is correct
  5. Clear browser cache if using web interface

Security Recommendations

Access Control

  1. Implement Least Privilege - Only grant necessary permissions
  2. Regular Audits - Review user access quarterly
  3. Segregation of Duties - Separate administrative and operational roles
  4. Multi-Tenancy - Use customer assignments to isolate data
  5. Strong Authentication - Require 2FA for administrative accounts

Audit Logging

  1. Enable Comprehensive Logging - Log both read and write operations for sensitive entities
  2. Protect Log Integrity - Use external log sinks for tamper-proof storage
  3. Regular Review - Establish processes for reviewing audit logs
  4. Retention Policies - Define and implement appropriate log retention periods
  5. Alert on Critical Events - Configure real-time alerts for security events

Monitoring

  1. Establish Baselines - Understand normal user behaviour patterns
  2. Anomaly Detection - Use AI/ML to identify unusual activities
  3. Incident Response - Define procedures for investigating security events
  4. Documentation - Maintain records of security policies and procedures
  5. Regular Testing - Periodically test access controls and monitoring systems

Integration with Other Systems

SIEM Integration

Integrate IndustryOS audit logs with Security Information and Event Management (SIEM) systems:

  1. Configure external log sink to send logs to SIEM
  2. Map IndustryOS audit events to SIEM event taxonomy
  3. Configure correlation rules in SIEM
  4. Set up unified dashboards and alerts

Identity Provider Integration

Integrate with enterprise identity providers:

  1. Configure OAuth 2.0 or SAML integration
  2. Map identity provider roles to IndustryOS roles
  3. Enable automatic user provisioning
  4. Configure attribute synchronisation

See User Authentication for detailed OAuth configuration.

Next Steps