Organize User/Usergroups/Clients and access management

The RSP user administration allows several users to work in the portal at the same time.

Because the portal offers a wide range of functions and applications, it makes sense to give each user only the rights that user actually needs.

An employee who, for example, only monitors the triggering or the operating data of a system does not necessarily need access to the connection, firewall or Internet settings of the device connected to that system.

A user is assigned to a user group. The access rights for functions, devices, etc. are defined in the user group, not on the individual user.


1. Client administration

2. User permissions

3. User Administration

4. Project access

5. Restrict access to LAN components

6. Restrict access to components connected to the router

 


1. Client administration

You can also manage several clients with strict separation and operate a closed user administration in each client.
The individual clients are administered separately, and one client does not learn of the existence of another client (including its projects, devices, visualizations, etc.).


Notice

Irrespective of how the user/access administration is structured or configured, the account administrator always has unrestricted access to all clients, projects and devices. None of the restrictions described in this tutorial apply to that account, so protect it accordingly.

2. User permissions

A user receives their rights in one of three ways:

  1. Directly via the assignment to a user group – Access rights = "Global user group"
  2. Indirectly via the intermediate stage Client => User group, i.e. a user group that is available in the selected client – Access rights = "Special Rights"
  3. By taking over the access rights of another user – Access rights = "Inherit from User"

Example:

User 1 is directly assigned to User Group 1, and User Group 1 is available in all clients. This means that User 1 is available in all clients with the rights of User Group 1.

User 2 is assigned to User Group 1 via "Special Rights" through Client 3. This means that User 2 is available with the rights of User Group 1 in Client 3 only.

User 3 receives their access rights by inheritance from User 1, i.e. User 3 has the same access rights as User 1.
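To make the three paths comparable, here is an added example, not code from the portal or its vendor, that resolves a user's effective rights per client from these three kinds of assignment. The names (Directory, Assignment, effective_rights) and the sample clients, groups and rights are assumptions for illustration; the example also allows a user to carry several assignments at once, whose rights are combined, and refuses an inheritance chain that loops back on itself:

```python
# Added example (not the portal's own code): model of "Global user group",
# "Special Rights" and "Inherit from User" and the rights they yield per client.
# All names and the sample data below are assumptions made for illustration.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    """One entry in a user's access configuration.

    kind == "global":  direct assignment to a user group ("Global user group");
                       the group's rights apply in every client.
    kind == "special": Client => User group ("Special Rights");
                       the group's rights apply in that one client only.
    kind == "inherit": take over another user's rights ("Inherit from User").
    """
    kind: str
    group: str | None = None
    client: str | None = None
    from_user: str | None = None


@dataclass
class Directory:
    clients: tuple[str, ...]
    groups: dict[str, frozenset[str]]          # group name -> rights
    users: dict[str, tuple[Assignment, ...]]   # user name -> assignments


def effective_rights(d: Directory, user: str,
                     _chain: tuple[str, ...] = ()) -> dict[str, frozenset[str]]:
    """Return {client: rights} for `user`; clients the user is not available in are omitted."""
    if user in _chain:
        raise ValueError("inheritance cycle: " + " -> ".join(_chain + (user,)))
    result: dict[str, set[str]] = {}
    for a in d.users.get(user, ()):
        if a.kind == "global":
            for c in d.clients:
                result.setdefault(c, set()).update(d.groups[a.group])
        elif a.kind == "special":
            if a.client not in d.clients:
                raise KeyError(f"unknown client {a.client!r}")
            result.setdefault(a.client, set()).update(d.groups[a.group])
        elif a.kind == "inherit":
            # Copy the other user's per-client rights, guarding against A -> B -> A.
            for c, r in effective_rights(d, a.from_user, _chain + (user,)).items():
                result.setdefault(c, set()).update(r)
        else:
            raise ValueError(f"unknown assignment kind {a.kind!r}")
    return {c: frozenset(r) for c, r in result.items()}


# Constructed sample mirroring the example in the text (assumed names and rights).
DEMO = Directory(
    clients=("Client 1", "Client 2", "Client 3"),
    groups={
        "User Group 1": frozenset({"view_operating_data", "view_alarms"}),
        "User Group 2": frozenset({"edit_firewall"}),
    },
    users={
        "User 1": (Assignment("global", group="User Group 1"),),
        "User 2": (Assignment("special", group="User Group 1", client="Client 3"),),
        "User 3": (Assignment("inherit", from_user="User 1"),),
    },
)

if __name__ == "__main__":
    for name in DEMO.users:
        print(name, effective_rights(DEMO, name))
```

Running it shows User 1 and User 3 with identical rights in all three clients and User 2 with the same rights in Client 3 only. The cycle check matters once "Inherit from User" is used more than once: a chain that loops would otherwise never resolve.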

3. User Administration

The accompanying video shows the User Administration and Access Control as well as the use of clients and the creation of user groups in this context.

4. Project access

If a user needs access to a specific project, the respective user, or the client the user belongs to, must be entered in the project under the "Access" tab.

5. Restrict access to LAN components

There is also the option of restricting access to certain network components in the LAN. This requires the license "Advanced user access control" (item no. 7.100.006.00.00).
To restrict the access, proceed as follows:

  1. Open the "Administration" of the respective device.
  2. Under "System", click the "Edit settings" button.
  3. Check the box next to "Restricted access" to restrict access to the LAN components and confirm with "Save".
  4. Now create a new "Network Component" under "Interfaces" -> "LAN" (with the + symbol, top right) and configure it with the respective IP address. If you have already created the respective network component, continue with step 5.
  5. In the settings of the network component, select under the "Access" tab which users or clients are allowed to access this network component. In the screenshot below, device access is restricted so that only the selected users/clients are allowed to access it:

    Note that "Restricted access" is deny-by-default: if you have several network components, you have to create each one individually and configure its access rights, otherwise that network component cannot be accessed at all.

6. Restrict access to components connected to the router

This section describes how the mbCONNECT24 portal can restrict which components connected to the router a user reaches through the VPN connection.


Notice

In order to make the following component settings, the license "User/Client component setting (Firewall behind device)" is required.

Initial situation 1 - Blacklist (allow by default)

If a VPN connection to the router is established, the user has access to all connected components.

Restrict access for individual users

In initial situation 1, access to individual components can be restricted, for example by creating the component under LAN and entering a user in its "Access" menu; that user then no longer has access to this component:

Everyone can access this component except the users entered here. If such a user connects to the router, the component is no longer reachable for them at the network level. Components that have not been created under LAN remain reachable for every VPN user.

Initial situation 2 - Whitelist (deny by default)

If a VPN connection to the router is established, the user has no access to any connected component.

Share access for individual users

In initial situation 2, access to individual components can be enabled, for example by creating the component under LAN and entering a user in its "Access" menu; that user then has access to this component:

Only the users entered here can reach this component. For all other users it cannot be reached at the network level, and neither can any component without such an entry: a ping gets no reply.
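As an added example, not code from the portal or from the router, the following models the per-component "Access" list in both modes above and under the "Restricted access" setting of section 5, which behaves like the whitelist. The names (Component, RouterPolicy, can_reach, unguarded_hosts), the treatment of a user together with their client as the principals checked against the list, and the sample addresses are assumptions for illustration; the real enforcement happens in the router's firewall, this only predicts what a given configuration should yield so it can be checked before it is applied:

```python
# Added example (not the portal's or the router's own code): predicts which
# components a VPN user reaches under the blacklist and whitelist modes.
# Names, sample addresses and the user/client principals are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address

BLACKLIST = "blacklist"   # initial situation 1: reachable unless listed
WHITELIST = "whitelist"   # initial situation 2 / "Restricted access": reachable only if listed


@dataclass(frozen=True)
class Component:
    name: str
    ip: str
    access: frozenset[str]   # users or clients entered on the component's "Access" tab


@dataclass(frozen=True)
class RouterPolicy:
    mode: str
    components: tuple[Component, ...]

    def component_for(self, ip: str) -> Component | None:
        """The LAN component created for `ip`, or None if none was created."""
        target = ip_address(ip)   # normalises the textual form before comparing
        return next((c for c in self.components if ip_address(c.ip) == target), None)


def can_reach(policy: RouterPolicy, principals: frozenset[str], ip: str) -> bool:
    """Can a VPN user (identified by user name and client) reach `ip`?"""
    comp = policy.component_for(ip)
    listed = comp is not None and bool(principals & comp.access)
    if policy.mode == WHITELIST:
        # Nothing is reachable unless a component exists AND lists the principal.
        return listed
    if policy.mode == BLACKLIST:
        # Everything is reachable unless a component exists AND lists the principal.
        return not listed
    raise ValueError(f"unknown mode {policy.mode!r}")


def unguarded_hosts(policy: RouterPolicy, lan_hosts: list[str]) -> list[str]:
    """LAN hosts with no component entry at all: open to every VPN user in
    blacklist mode, unreachable for everyone in whitelist mode."""
    return [h for h in lan_hosts if policy.component_for(h) is None]


# Constructed sample (assumed addresses and names).
PLC = Component("PLC", "192.168.10.10", frozenset({"User 2"}))
HMI = Component("HMI", "192.168.10.20", frozenset({"Client 3"}))
LAN = ["192.168.10.10", "192.168.10.20", "192.168.10.30"]

DENY_LIST = RouterPolicy(BLACKLIST, (PLC,))         # User 2 is locked out of the PLC
ALLOW_LIST = RouterPolicy(WHITELIST, (PLC, HMI))    # only listed principals get in

if __name__ == "__main__":
    user2 = frozenset({"User 2", "Client 3"})
    for policy in (DENY_LIST, ALLOW_LIST):
        reach = [h for h in LAN if can_reach(policy, user2, h)]
        print(policy.mode, "User 2 reaches:", reach,
              "unguarded:", unguarded_hosts(policy, LAN))
```

The unguarded_hosts check is the one worth running before switching a router to whitelist mode: every host it lists will answer no one after the change, and in blacklist mode the same hosts are the ones that answer everyone.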

 

Revision: V1.0