An action is a specific permission that defines what a resource is allowed (or denied) to do.
Actions consist of at least two tokens separated by colons (`:`).
By convention: (`create`, `read`, `update`, or `delete`).

- `endpoint:read` — grants read access to individual endpoint resources.
- `application:endpoint:create` — allows creating endpoints within a specific application.

Actions are used in [Policies][policy], where they specify what permissions apply to which resources.
Once defined, a policy can be assigned to a user or group to manage access.
There are several resource types for which access can be managed using actions.
Below is a summary of the existing actions.

Endpoint actions are used to manage access to Kaa endpoints.

| Endpoint Action | Description |
|---|---|
| `endpoint:read` | Read access to endpoint and its associated data: tokens, metadata attributes, configuration, time-series, etc. |
| `endpoint:update` | Write access to endpoint and its associated data. |
| `endpoint:delete` | Endpoint delete operation. |
| `endpoint:policy:read` | Grants permission to view access policies assigned to an endpoint. |
| `endpoint:policy:update` | Allows modifying access policies associated with an endpoint. |

Application actions are used to manage access to Kaa applications.

| Application Action | Description |
|---|---|
| `application:read` | Read access to application, its associated metadata, and service instance configurations. |
| `application:update` | Write access to application, its associated metadata, and service instance configurations. |
| `application:delete` | Application delete operation. |
| `application:endpoint:create` | Creation of a new Kaa endpoint in a given application. |
| `application:endpoints-metadata-keys:read` | Read access to all existing endpoint metadata attribute keys in a given application. |
| `application:endpoint-command:read` | Read access to all existing endpoint commands in a given application. |
| `application:timeseries-config:read` | Read access to all existing endpoint time-series configurations in a given application. |
| `application:endpoint-config:read` | Read access to default endpoint configuration in a given application. |
| `application:endpoint-config:update` | Write access to default endpoint configuration in a given application. |
| `application:endpoint-config:delete` | Delete operation on default endpoint configuration in a given application. |
| `application:software:read` | Read access to over-the-air software definitions in a given application. |
| `application:software:update` | Write access to over-the-air software definitions in a given application. |
| `application:software:delete` | Delete operation on over-the-air software definitions in a given application. |
| `application:ttn-app-integration:create` | Creation of a new integration between TTN and Kaa applications. |
| `application:endpoint-filter:read` | Read access to endpoint filters in an application. |
| `application:endpoint-filter:create` | Create endpoint filters for an application. |
| `application:endpoint-filter:delete` | Delete endpoint filters in an application. |
| `application:endpoint-filter:update` | Update endpoint filters in an application. |
| `application:timeseries-config:delete` | Delete timeseries configuration in an application. |
| `application:policy:read` | Read access to policies in an application. |
| `application:policy:update` | Update access to policies in an application. |

Dashboard actions manage access to web dashboards.

| Dashboard Action | Description |
|---|---|
| `dashboard:read` | Grants view access to a specific web dashboard. |
| `dashboard:create` | Grants permission to create new dashboards. |

Tenant actions are used to manage tenant-wide operations and resources.

| Tenant Action | Description |
|---|---|
| `tenant:application:create` | Grants permission to create a new Kaa application. |
| `tenant:basic-credentials:create` | Allows creation of new basic client credentials. |
| `tenant:basic-credentials:read` | Grants read access to basic client credentials. |
| `tenant:basic-credentials:update` | Allows management of basic client credentials. |
| `tenant:x509-credentials:create` | Allows creation of new X.509 client credentials. |
| `tenant:x509-credentials:read` | Grants read access to X.509 client credentials. |
| `tenant:x509-credentials:update` | Allows management of X.509 client credentials. |
| `tenant:notification-recipient:create` | Grants permission to create a notification recipient. |
| `tenant:notification-recipient:read` | Grants read access to notification recipients. |
| `tenant:notification-recipient:update` | Grants permission to update notification recipients. |
| `tenant:ttn-app-integration:create` | Displays the TTN integration creation option in the UI. |
| `tenant:ttn-app-integration:read` | Displays the TTN integration dashboard in the UI. |
| `tenant:configuration:read` | Read access to tenant configuration. |
| `tenant:configuration:update` | Update access to tenant configuration. |
| `tenant:application:read` | Read access to tenant applications. |
| `tenant:branding:update` | Access to change Kaa UI themes and general look. |
| `tenant:files:update` | Update access to tenant files. |
| `tenant:email-template:read` | Read access to email templates. |
| `tenant:email-template:update` | Update access to email templates. |

These actions manage access to Rule Engine features.

| Rule Engine Action | Description |
|---|---|
| `rule:read` | Read access to Rules. |
| `rule:update` | Write access to Rule. |
| `rule:delete` | Rule delete operation. |
| `rule:execute` | Access to the execution of Rule. |
| `rule-execution-action:read` | Read access to Rule Execution Action. |
| `rule-execution-action:update` | Write access to Rule Execution Action. |
| `rule-execution-action:delete` | Rule Execution Action delete operation. |

Some Rule Engine features require tenant-wide permissions for these actions.

| Rule Engine Action | Description |
|---|---|
| `tenant:rule:create` | Grants permission to create a Rule. |
| `tenant:rule-execution-action:create` | Grants permission to create a Rule Execution Action. |
| `tenant:command-invocation-action:create` | Grants permission to create a Command Invocation Action. |
| `tenant:metadata-update-action:create` | Grants permission to create a Metadata Update Action. |
| `tenant:webhook-action:create` | Grants permission to create a Webhook Action. |
| `tenant:endpoint-metadata-updated-trigger:create` | Grants permission to create an Endpoint Metadata Updated Trigger. |
| `tenant:action:read` | Read access to tenant actions. |
| `tenant:data-sample-action:create` | Create data sample actions in Rule Engine. |
| `tenant:time-series-action:create` | Create time-series actions in Rule Engine. |
| `tenant:alert-activation-action:create` | Create alert activation actions in Rule Engine. |
| `tenant:alert-resolution-action:create` | Create alert resolution actions in Rule Engine. |
| `tenant:alert:read` | Read access to tenant alerts. |
| `tenant:send-email-action:create` | Create send email actions in Rule Engine. |
| `tenant:rule-execution:trace:read` | Read access to rule execution traces. |
| `tenant:endpoint-time-series-updated-trigger:create` | Create triggers for endpoint time-series updates. |
| `tenant:endpoint-data-samples-received-trigger:create` | Create triggers for incoming data samples. |
| `tenant:cron-trigger:create` | Create scheduled triggers for recurring actions. |
| `tenant:endpoint-command-result-received-trigger:create` | Create triggers for command result reception. |
| `tenant:endpoint-command-dispatched-trigger:create` | Create triggers for dispatched commands. |
| `tenant:alert-lifecycle-event-trigger:create` | Create alert lifecycle event triggers. |
| `tenant:rule-secret:create` | Create secrets used in Rule Engine API. |

UI actions are used to manage access to specific parts of the user interface in the Kaa platform.

| UI Action | Description |
|---|---|
| `ui:device:manage` | Grants UI access to Device Management -> Devices and Device Actions pages. |
| `ui:application:manage` | Grants UI access to Device Management -> Applications page. |
| `ui:credentials:manage` | Grants UI access to Device Management -> Credentials page. |
| `ui:integration:manage` | Grants UI access to Device Management -> LoRaWAN Integration page. |
| `ui:device-action:manage` | Grants UI access to Device Management -> Device Actions page. |
| `ui:rule:manage` | Grants UI access to Rule Engine main page. |
| `ui:rule-action:manage` | Grants UI access to Rules -> Action tab. |
| `ui:rule-trigger:manage` | Grants UI access to Rules -> Trigger tab. |
| `ui:dashboard:manage` | Grants UI access to the Dashboards page. |
| `ui:rule-list:manage` | Grants UI access to Rules -> Rules tab. |
| `ui:transformation:manage` | Grants UI access to Data Transformation tools. |
| `ui:settings:manage` | Grants UI access to system Settings. |
| `ui:analytics:manage` | Grants UI access to Analytics tools. |
| `ui:alert:manage` | Grants UI access to Alert Management tools. |
| `ui:branding:manage` | Grants UI access to the Branding page for theme customization of Kaa’s general look. |
| `ui:file:manage` | Grants UI access to Kaa’s MinIO Object Storage interface. |
| `ui:custom-widget:manage` | Grants UI access to the Custom Widgets page. |
| `ui:public-resource:manage` | Grants UI access to public resources in Kaa Dashboards. |
| `ui:dashboard-permissions:manage` | Grants UI access to manage permissions within widgets in Kaa dashboards. |
| `ui:view-help:manage` | Grants UI access to the Help page. |
| `ui:user-management:manage` | Grants UI access to IAM (Identity and Access Management) tools. |
| `ui:asset:manage` | Grants UI access to Asset Management tools. |
| `ui:reports:manage` | Grants UI access to the Reporting page. |
| `ui:email-template:manage` | Grants UI access to Settings -> Email Template. |
| `ui:tenant:manage` | Grants access to tenant-level settings (for self-hosted Kaa instances only). |

IAMCORE actions are used to manage access to IAM User Management features within the Kaa platform.

| IAM Action | Description |
|---|---|
| `iamcore:user:read` | Grants permission to view user details. |
| `iamcore:user:create` | Allows creation of new users. |
| `iamcore:user:update` | Allows updating existing user information. |
| `iamcore:user:delete` | Grants permission to delete users. |
| `iamcore:group:create` | Allows creation of groups and sub-groups. |
| `iamcore:group:update` | Grants permission to update groups and sub-groups. |
| `iamcore:group:delete` | Allows deletion of groups. |
| `iamcore:group:user:read` | Grants permission to view users within a group. |
| `iamcore:group:user:add` | Allows adding users to a group. |
| `iamcore:user:group:add` | Allows assigning a user to a group. |
| `iamcore:group:user:remove` | Allows removing users from a group. |
| `iamcore:user:group:remove` | Allows removing a user from a group. |
| `iamcore:group:me:add` | Allows a user to add themselves to a group. |
| `iamcore:group:me:remove` | Allows a user to remove themselves from a group. |
| `iamcore:policy:*` | Grants access to view all tenant-wide policies. |
| `iamcore:policy:read` | Allows reading policies associated with the current user. |
| `iamcore:policy:create` | Allows creation of new policies for the current user. |
| `iamcore:policy:update` | Grants permission to update existing policies for the current user. |
| `iamcore:policy:delete` | Allows deletion of policies. |
| `iamcore:policy:attach` | Grants permission to attach policies to users or groups. |
| `iamcore:policy:detach` | Grants permission to detach policies from users or groups. |
| `iamcore:user:policy:attach` | Allows attaching policies to users in bulk. |
| `iamcore:user:policy:detach` | Allows detaching policies from users in bulk. |
| `iamcore:group:policy:attach` | Allows attaching policies to groups in bulk. |
| `iamcore:group:policy:detach` | Allows detaching policies from groups in bulk. |
| `iamcore:user:policy:read` | Grants permission to read user resource policies. |
| `iamcore:user:policy:update` | Allows updating user resource policies. |
| `iamcore:group:policy:read` | Grants permission to read group resource policies. |
| `iamcore:group:policy:update` | Allows updating group resource policies. |