Objective

To demonstrate the tools and resources available for configuring secure application access and development spaces

Purpose

Infrastructure or related administrators will be able to learn through this tutorial how to:

• Create namespaces for projects
• List authorized users for namespaces
• Designate access permissions by user
• Invite users to namespaces
• Revoke user access to namespaces
• Change user privileges

Tutorial Overview

This tutorial is a task-oriented guide to common user and namespace administration activities necessary to operate in the Vantiq system. It assumes that the Vantiq server is running and a Vantiq organization has been configured to allow the organization administrator to login. This tutorial is intended to be used by organization and namespace administrators.

All lessons make use of the Vantiq IDE, Vantiq’s web-based developer toolset. The IDE has two modes of operation, Development, and Operations, each of which can have multiple projects.

The first three tasks involve adding new users to a Vantiq organization, so please make sure you are logged in as Organization Administrator for those tasks. Subsequent tasks require administrative access in the namespace for which the task is targeted.

Concepts and Terminology

A Vantiq namespace defines an isolated environment for users of the Vantiq system. Each namespace guarantees separation of Projects, Apps, Collaboration Types and other Vantiq resources from all other namespaces.

From the perspective of a Vantiq user, there are three different relationships the user can have to a namespaces:

• Home Namespace: this is the namespace in which the user is defined. A user has only one home namespace. Deleting a user’s home namespace will delete the user as well.
• Authorized Namespace: a user can optionally be authorized to have access to one or more additional namespaces besides their home namespace. The namespace administrator grants a user access by invitation and by doing so also specifies the level of privilege (e.g. Administrator, Developer or User).
• Default Namespace: the namespace in which the user is placed at login time. The user may then select a new default namespace if that user has multiple authorized namespaces.

For this tutorial, it is helpful to think about three categories of namespaces:

• Organization Namespace: this is the root namespace for a Vantiq organization. It exists to hold organization-wide Vantiq resources, such as the users who are part of the organization and other resources that have meaning across the entire organization.
• Developer Namespace: this is a namespace used by a Vantiq developer to hold the application resources that are under development. The namespace’s collection of resources is loosely referred to as a Vantiq application.
• Application Namespace: this is a namespace used by the organization to hold the resources of a deployed Vantiq application. If needed, new users can be created specific to the application, homed in the application namespace. But new namespaces cannot be created while in an application namespace.

When creating a new user in a given namespace, there are three common namespace privileges from which to select:

• Admin: an Administrator has the ability to create, modify and delete Vantiq resources within the namespace. An organization administrator has the additional ability to create new namespaces and users.
• Developer: a Developer is a special privilege level and may only be created in the organization namespace. Developers may create new namespaces for their development projects and may grant existing users access to those namespaces. However, Developers may not create new users. This privilege usually shows up as Developer in the privilege pick-list, but when in an organization namespace, it will show as User (Developer).
• User: a User has the ability to view but not create, modify or delete Vantiq resources within the namespace.

The IDE allows the selection of another privilege level, Custom, which requires the specification of Vantiq profiles. This privilege level is outside the scope of this tutorial.

Note: Developers can create resources in namespaces in which they are Developer, but not in namespaces where their privilege is User (Developer). For example, a User (Developer) cannot create / update projects.

Also, Namespace Admin privilege only exists in Application Namespaces.

Task 1: Adding a New Administrator

The Vantiq organization administrator has the ability to add additional administrators to the organization. To add a new user with administrator capabilities to the organization use the Administer button to select Users:

Use the Create New icon button (small plus sign in a circle at the top, right of the Users pane) to create the new user:

Use the Privileges button to select Organization Admin from the Edit Namespace Privileges dialog:

Use the OK button to save the authorization parameters. Creating a new user involves sending an invitation either via email or SMS. Use the Invite Destination and Invite Source fields to select how to deliver that invitation. The most convenient method is via email. Enter the email address of the person to invite in the Invite Destination and select GenericEmailSender as the Invite Source.

Use the Save Changes icon button (down arrow at the top, right of the User: New User pane) to send the invitation.

The recipient of the invitation must follow the link provided in the invitation text to authenticate. Successful authentication will create the new user in the Vantiq system and allow that user to log in as an administrator for the organization.

Task 2: Adding a New Developer

As previously described, a Vantiq user assigned a Developer privilege level may create and administer new namespaces within the organization but otherwise has only read-only privilege in the organization namespace.

To add a new developer, follow the instructions from the previous task, Adding a New Administrator, but select User (Developer) from the Privileges pull-down list in the Edit Namespace Privileges dialog.

Task 3: Adding a New User

As previously described, a Vantiq user assigned a User privilege level has the ability to view but not create, modify or delete resources within the organization namespace. However, it is also the case that the same Vantiq user may be assigned an Admin privilege level in namespaces created in the organization. (This case is described in a following task.) Such a user is typically assigned Admin privilege level to administer an Application Namespace, as previously described.

To add a new standard user, follow the instructions from the previous task, Adding a New Administrator, but select User from the Privileges pull-down list in the Edit Namespace Privileges dialog.

Task 4: Creating a Developer Namespace

As previously described, a Developer Namespace is a namespace used by a Vantiq developer to hold the resources that are under development. The namespace’s collection of resources is loosely referred to as a Vantiq application.

The first step in creating a Developer Namespace is to have an organization administrator create a Vantiq user assigned Developer privilege level. Follow the steps in Task 2, selecting User (Developer) from the Privileges pull-down list.

Once the new developer has accepted the invitation and logs in to the Vantiq system, the developer then creates the developer namespace. Use the Administer button to select Namespaces:

Use the Create New icon button (small plus sign in a circle at the top, right of the Namespaces pane) to create the new namespace:

In this example, the developer is creating the “SensorDevelopment” namespace. Use the Save Changes icon button (down arrow at the top, right of the Namespace: New Namespace pane) to create the new namespace.

Once the namespace is created, the developer will likely want to switch to using the new namespace. To switch namespaces, tap the namespace name found at the top, right of the IDE title bar, next to your username; in this case the namespace name is neworg:

Clicking on neworg will display the Change Namespace dialog:

Use the SensorDevelopment link to switch into the newly created namespace. Note this will cause the IDE to reload and may require the user to reauthenticate since the new namespace will have its own set of Vantiq resources.

Task 5: Creating an Application Namespace

As previously described, an Application Namespace is a namespace used by the organization to hold the resources of a deployed Vantiq application. An Application Namespace should be created by an organization namespace administrator (rather than a developer) since the administrator can invite both new and existing Vantiq users into the namespace.

Use the Administer button to select Namespaces:

Use the Create New icon button (small plus sign in a circle at the top, right of the Namespaces pane) to create the new namespace:

In this example, the administrator is creating the “SensorApp” namespace.

The administrator must then choose to either self-assign the administrator role of the new namespace or to assign the administrator role to another new or existing Vantiq user.

• When self-assigning, simply check the Make Me The Administrator checkbox.
• When delegating the administrator role to another new or existing Vantiq user, this involves sending an invitation either via email or SMS. Use the Invite Destination and Invite Source fields to select how to deliver that invitation. The most convenient method is via email. Enter the email address of the person to invite in the Invite Destination and select GenericEmailSender as the Invite Source. To send an invitation via SMS, you’ll have to configure an SMS Source before inviting the user.

Use the Save Changes icon button (down arrow at the top, right of the Namespace: New Namespace pane) to create the new namespace.

Task 6: Inviting Users to a Namespace

Once a namespace has been created by either an organization administrator or a developer, that namespace’s administrator may authorize other users to use that namespace. If the namespace is a Developer namespace, only existing users may be authorized. If the namespace is an Organization or Application namespace, both new and existing users may be authorized.

To authorize a user to use the existing namespace, first use the Administer button to select Namespaces:

then tap the target namespace link to display the Namespace Properties pane:

then tap the Manage Authorizations link to display the Edit Authorized Users dialog:

then tap the Authorize User button to display the Send Invite dialog:

As previously described, use the Invite Destination and Invite Source fields to send the invitation. Use the Privileges pull-down list to select the privilege level the user is given when using the namespace. Finally, use the Send Invite button to send the invitation.

Task 7: Revoking a User’s Access to a Namespace

The administrator of a namespace may wish to revoke a user’s access to the namespace for any reason. To revoke access, first use the Administer button to select Namespaces:

then tap the target namespace link to display the Namespace Properties pane:

then tap the Manage Authorizations link to display the Edit Authorized Users dialog:

Find the name of the user to revoke then use the Revoke Access icon button in the Actions menu to finish the revocation process.

Task 8: Changing a User’s Privilege Level for a Namespace

The administrator of a namespace may wish to change a user’s privilege level for the namespace. To change the privilege level, first use the Administer button to select Users:

then tap the target user link to display the User pane:

then use the Privileges button to select the new privilege level from the Edit Namespace Authorizations dialog:

Use the OK button to save the new user privileges, then use the Save Changes icon button (down arrow at the top, right of the User: username pane) to save the user parameters.

Conclusion:

Organization administrators should now feel comfortable with Vantiq’s secure and easy separation of applications and their development resources by being able to institute the following:

• Inviting users to namespaces
• Setting or revoking user privileges in namespaces
• Creating new namespaces