Kaa User Management Policies

• Overview
  • User Roles
• Admin
• Manager Account
  • Manager’s Policies
• Developer Account
  • Developer’s Resources
  • Developer’s Policies
• Customer Account
• Customer’s Policies
• What’s Next?

Overview

This tutorial provides a practical example of how to use policies to build a structured user hierarchy in Kaa.

User Roles

• Admin – Full access across the entire infrastructure.
• Manager – Can manage resources and users within their own scope.
• Developer – Can work with resources assigned by the manager and assign them to clients.
• Client – Has read-only access to assigned resources.

Admin

Log into your Kaa account and go to User Management -> User.

You’ll see one default user account. That’s your Admin account (e.g., testadmin). From here we’ll start distributing access.

Manager Account

Managers need permissions to create resources, manage users, and assign policies within their own scope.

To create manager:

1. While logged in as Admin, create a manager user (for example, manager1).
2. Set the manager user directory to /manager.

Manager’s Policies

1. Basic Policy for all Managers:
   First, let’s define the general access for all managers.
   Navigate to User Management -> Policies and click Add Policy.
   Name the policy manager-basic-access.
   Add a Statement, and click the JSON view tab and paste the JSON below, replacing <tenant-id> with your actual tenant ID.

        {
    "statements": [
        {
            "effect": "allow",
            "description": "UI access",
            "resources": [
                "irn:qs73c8osj0:kaa:<tenant-id>:*"
            ],
            "actions": [
                "ui:*"
            ]
        },
        {
            "effect": "allow",
            "description": "Access to create it's own endpoints",
            "resources": [
                "irn:qs73c8osj0:kaa:<tenant-id>::endpoint/*"
            ],
            "actions": [
                "endpoint:create",
                "endpoint:delete",
                "endpoint:update"
            ]
        },
        {
            "effect": "allow",
            "description": "Allows creation of policies",
            "resources": [
                "irn:qs73c8osj0:iamcore:<tenant-id>::policy/*"
            ],
            "actions": [
                "iamcore:policy:*"
            ]
        },
        {
            "effect": "allow",
            "description": "Access to create applications",
            "resources": [
                "irn:qs73c8osj0:kaa:<tenant-id>::application/*",
                "irn:qs73c8osj0:kaa:<tenant-id>::tenant/system",
                "irn:qs73c8osj0:kaa:<tenant-id>::tenant-system/tenant-system"
            ],
            "actions": [
                "application:create",
                "tenant:application:create"
            ]
        }
    ]
   }
   

   

2. Policy for a Specific Manager
   Create a unique policy for each manager to keep their access isolated.

   • Name the policy something like manager1-resources.
   • As in step one (Basic Policy for all Managers), paste the JSON below, replace <tenant-id>. Also make sure the user directory path matches that manager’s directory.

        {
    "statements": [
        {
            "effect": "allow",
            "description": "Grants full access to users within manager1 hierarchy",
            "resources": [
                "irn:qs73c8osj0:iamcore:<tenant-id>::user/manager/manager1",
                "irn:qs73c8osj0:iamcore:<tenant-id>::user/manager/manager1/*"
            ],
            "actions": [
                "iamcore:user:*"
            ]
        }
    ]
   }
   

   After creating the policy, assign it to manager1. Then, log in to the manager1 account and verify that you can create applications and endpoints.

Take a quick look at what each policy is for.
Each one uses certain actions. You can check what those actions mean in this document.

Developer Account

Now let’s create a developer account.
Developers can create and manage devices assigned to them.

Use the Manager account to set up access.
Go to User Management -> Users and create at least one developer account (e.g., developer1).
Make sure the user directory for each developer is set to:
/manager/<managers_username>/developer

If the user directory is incorrect, account creation will fail due to permission restrictions.
That’s because the manager1-resources policy we created earlier only allows access to the /manager/manager1/* directory.

Developer’s Resources

As manager, create an application and add endpoints, so that we have something to work with and share with the developer.

Note: If you’re not familiar with endpoints and applications, check out the Getting Started Guide.

Developer’s Policies

1. Base Policy for Developer
   While logged in as the manager, go to User Management -> Policies -> Add Policy.
   In JSON view, paste the base policy code:

        {
    "statements": [
        {
            "effect": "allow",
            "description": "Full access to UI",
            "resources": [
                "irn:qs73c8osj0:kaa:<tenant-id>:*"
            ],
            "actions": [
                "ui:*"
            ]
        },
        {
            "effect": "allow",
            "description": "Access to create endpoints",
            "resources": [
                "irn:qs73c8osj0:kaa:<tenant-id>::endpoint/*"
            ],
            "actions": [
                "endpoint:*"
            ]
        },
        {
            "effect": "allow",
            "description": "Access to create policies",
            "resources": [
                "irn:qs73c8osj0:iamcore:<tenant-id>::policy/*"
            ],
            "actions": [
                "iamcore:policy:create",
                "iamcore:policy:read",
                "iamcore:policy:update",
                "iamcore:policy:user:attach",
                "iamcore:policy:user:detach"
            ]
        }
    ]
   }
   

2. Developer-Specific Policy
   In JSON view, paste the following and make sure to:

   • Replace <tenant-id>
   • Ensure userDirectory matches your developer path (/manager/manager1/developer/developer1)
   • Replace <application-id> with the ID of the application you created earlier. Read more about Application ID here.

        {
    "statements": [
        {
            "effect": "allow",
            "description": "Full access to the application",
            "resources": [
                "irn:qs73c8osj0:kaa:<tenant-id>::application/<application-id>"
            ],
            "actions": [
                "*"
            ]
        },
        {
            "effect": "allow",
            "description": "Full access to users within developer1 directory",
            "resources": [
                "irn:qs73c8osj0:iamcore:<tenant-id>::user/manager/manager1/developer/developer1",
                "irn:qs73c8osj0:iamcore:<tenant-id>::user/manager/manager1/developer/developer1/*"
            ],
            "actions": [
                "iamcore:user:*"
            ]
        }
    ]
   }
   

3. Assign both policies to the developer1 and log in with that account.

Customer Account

Customers will have read-only access to resources assigned by the developer.
We’ll create the customer account using the developer1 account.

Log in to the developer1 account, then go to User Management -> Users and create the customer1 account. The user directory path should be set to /manager/manager1/developer/developer1/customer/customer1 (according to the policies assigned to developer1).

Customer’s Policies

Customer policies are simple and involve resources created with developer1.
For policy creation, we’ll use the Visual Editor instead of the JSON view this time.

While logged into the developer1 account, create the following policies:

1. customer-basic-access Policy
   In the Visual Editor, add a statement:
   • Allow actions: ui:dashboard:manage, ui:device:manage
   • Resources: All resources

2. customer1-resources Policy
   Add two statements:

   a) Endpoint access

   • Allow action: endpoints:read
   • Resources: Select specific endpoints to share

   b) Application metadata access

   • Allow actions:
     • application:endpoints-metadata-keys:read
     • application:read
   • Resources: Select the application the endpoints belong to

   Save both policies and assign them to the customer.
   The customer will only have access to the specified endpoints and minimal UI functionality.

What’s Next?

You’ve now set up a User Management architecture using only policies. You can use the provided JSON examples to share or restrict resources as needed.

This approach is the most straightforward when you need to quickly build a user infrastructure. However, relying solely on policies is not always ideal.

One key limitation is that when a developer user creates a resource, they automatically gain access to it, while higher-level users (such as managers) do not.
This means developers might create resources that managers can’t see, which might not be the intended behavior.

To fix this, it’s recommended to use Resource Groups. In the next tutorial, we’ll build a similar infrastructure, but this time, with resource groups added to resolve this issue.