Security

The ClearBlade Platform has multiple levels of accounts, each with a different scope:

  • System-Level: User and Device accounts
  • Developer: Developer accounts
  • Instance-Level: Admin accounts

Two types of accounts fall under System Level Accounts:

  • User Account
  • Device Account

A user or device can have the following CRUD access capabilities:

  • Code
  • Collections
  • Adapters
  • Portals
  • Roles
  • Users
  • Devices
  • Edges
  • Message

User Account

Scope: System-Level

This is an account for a user and uses an e-mail address as the primary method of identification. A user in a system has system-level access and can have the following capabilities:

  • CRUD Access for Code, Collections, Adapters, Portals, Roles, Users, Devices, Edges, Message

User Authentication

The following are required for a User to authenticate:

Key            Value                                       Example
Username       E-mail of user                              example@clearblade.com
Password       Password                                    SX93f7f+
System Key     Unique autogenerated key for your system    bd97e7a40bdcc597baf6adfc867e
System Secret  Secret value for your IoT System            BD97E7A40BC0B587BCAFFFA9A005

Device Account

Scope: System-Level

This is an account for a machine, enabling M2M (Machine-to-Machine) communication. In place of an e-mail account, a device has a device name that is unique within a given System.

Device Authentication

The following are required for a Device to authenticate:

Key            Value                                       Example
Device Name    Name of the device, unique within the System   example@clearblade.com
Device Key     Single Key, Rotating Key, or Certificate    k9IOtxWPEWVOyJ+rt1jvNYDg
System Key     Unique autogenerated key for your system    bd97e7a40bdcc597baf6adfc867e
System Secret  Secret value for your IoT System            BD97E7A40BC0B587BCAFFFA9A005

Service Account

A Service Account is a dedicated account with unique token attributes. The token is autogenerated by a developer and has a custom time-to-live, set to infinite by default. This allows an adapter, a program, or an integration to connect with an appropriate token lifecycle. Both User and Device accounts can be configured as service accounts.

Mark the "Service Account?" box when adding or editing a user or device to create the service account. The token then appears in the user or device grid.

System-Level Authentication

Authentication is built upon an OAuth 2 model. Upon providing user or device credentials, a token is generated for use with subsequent requests.

Protocols

Authentication is available via

System Level Credentials

The ClearBlade Platform is multi-tenanted, meaning more than one IoT System can run on a given platform instance. As a result, all authentication requires:

Key            Value                                       Example
System Key     Unique autogenerated key for your system    bd97e7a40bdcc597baf6adfc867e
System Secret  Secret value for your IoT System            BD97E7A40BC0B587BCAFFFA9A005

JWT Tokens

When a user or developer goes through the authentication process, a JWT is returned as the default token type.

Authentication Override

In order to support integrations with a pre-existing identity management system, Authentication Override allows custom logic to define whether or not a user should be granted an OAuth token.

System Level Authorization

Role-based authorization is available for all user and device accounts. Permissions are applied to roles, rather than directly to a user or device. Each user and device can have multiple roles.

Roles

A developer assigns permissions to a role for each of the following assets:

  • Code
  • Collections
  • Adapters
  • Portals
  • Roles
  • Users
  • Devices
  • Edges
  • Messages

Each role has CRUD permissions for these assets.

For example, an Administrator role may have CRUD access to a code service called ‘EnablePremiumFeatures’ that is not accessible by an Authenticated user.

A developer can create any number of custom roles.

Note: If there is a problem accessing certain assets or performing functions, make sure the role has the required permissions for those assets.

Default Roles

There are three default roles that have special permissions:

Role           Behavior
Authenticated  All new users and devices are auto-assigned this role
Anonymous      All anonymous users are auto-assigned this role
Administrator  No one is auto-assigned. It is an empty, customizable role
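The role model described above (permissions on roles, several roles per user or device, the three default roles, and the 'EnablePremiumFeatures' example) as a small checker. This is an added illustration, not ClearBlade's own code; the asset names other than 'EnablePremiumFeatures' and the grant on the Authenticated role are constructed.

```python
from dataclasses import dataclass, field
from enum import IntFlag

# Asset types a role can hold permissions on (the list from the page).
ASSET_TYPES = frozenset({"Code", "Collections", "Adapters", "Portals",
                         "Roles", "Users", "Devices", "Edges", "Messages"})

class Perm(IntFlag):
    CREATE = 1
    READ = 2
    UPDATE = 4
    DELETE = 8

CRUD = Perm.CREATE | Perm.READ | Perm.UPDATE | Perm.DELETE
NONE = Perm(0)

@dataclass
class Role:
    name: str
    # (asset type, asset name) -> permission bits; permissions live on the role, never on the principal.
    grants: dict = field(default_factory=dict)

    def grant(self, asset_type: str, asset_name: str, perm: Perm) -> None:
        if asset_type not in ASSET_TYPES:
            raise ValueError(f"unknown asset type: {asset_type}")
        key = (asset_type, asset_name)
        self.grants[key] = self.grants.get(key, NONE) | perm

@dataclass
class Principal:
    """A user (e-mail) or device (device name); every new one is auto-assigned 'Authenticated'."""
    ident: str
    roles: list = field(default_factory=lambda: ["Authenticated"])

def effective_perms(p: Principal, roles: dict, asset_type: str, asset_name: str) -> Perm:
    """Union of the grants of every role the principal holds (a principal may have many roles)."""
    allowed = NONE
    for role_name in p.roles:
        allowed |= roles[role_name].grants.get((asset_type, asset_name), NONE)
    return allowed

def missing_perms(p: Principal, roles: dict, asset_type: str, asset_name: str, needed: Perm) -> Perm:
    """Bits of `needed` that no role supplies; NONE means the request is allowed (the check behind the Note above)."""
    allowed = effective_perms(p, roles, asset_type, asset_name)
    return Perm(int(needed) & ~int(allowed) & int(CRUD))

def is_allowed(p: Principal, roles: dict, asset_type: str, asset_name: str, needed: Perm) -> bool:
    return missing_perms(p, roles, asset_type, asset_name, needed) == NONE

# The three default roles start empty; Administrator gets CRUD on the page's example code service.
ROLES = {n: Role(n) for n in ("Authenticated", "Anonymous", "Administrator")}
ROLES["Administrator"].grant("Code", "EnablePremiumFeatures", CRUD)
ROLES["Authenticated"].grant("Collections", "Readings", Perm.READ)   # constructed grant
```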

Sessions

There is a log of active sessions to keep track of users and devices. Users are tracked with User IDs and devices are tracked with device keys. The log also includes a timestamp of when the session token is issued.

Refresh Tokens

Refresh tokens obtain new access tokens without re-sending the username and password. Their expiry is twice the access token expiry. If your instance is set to infinite expiry for user/device/developer tokens, refresh tokens become unavailable for security purposes.

Refresh Tokens Workflow

Anonymous Session

This feature allows users to set a separate token TTL for anonymous tokens. Users can either set a predefined value as the anonymous token TTL or set it to 'infinite'.

Developer Account

Scope: Developer Account

A developer-level account has one or more systems on an instance of the ClearBlade Platform. This account has the following capabilities:

  • Modify a system and its assets
  • Modify the list of developer collaborators who can modify a system
  • Update one's own password
  • Create Support Tickets

Now, let's address your curiosity by answering the following:

  • How to become a developer?
  • Authentication for developer

How to become a developer?

A normal developer working on https://platform.clearblade.com can create a free account by signing up without any registration key. A ClearBlade customer working on their own instance must know the Registration Key for that instance in order to sign up and create an account.

Authentication for Developer

A user can be authenticated as a developer by

  • Logging into the web console, such as platform.clearblade.com.
  • Using the REST API

Admin Account

Scope: Instance Level

A developer account can be granted admin-level access, which adds the following capabilities on top of the Developer Account capabilities:

  • Add/Remove developers for a system
  • Update a developer's password
  • Update Owner of a System
  • Enable/Disable a System
  • Access to a system’s analytics
  • Update the license key of the instance
  • Update Admin Account for an instance

Now, let's address your curiosity by answering the following:

  • How to become an Admin?
  • Authentication for Admin

How to become an Admin?

A developer working on https://platform.clearblade.com cannot get admin-level access. However, a ClearBlade customer can submit a support desk ticket for admin-level access to their respective instance. Also, if an admin already exists for that instance, that admin can grant any developer admin-level access.

Authentication for Admin

Authentication is the same as for a Developer Account.

FAQ

  • How do I add a developer to a system?

    1. Click on “Info” in the side navigation
    2. Choose “System Settings”
    3. Click the “Access” Tab
    4. Click the “+” icon next to “Developers”
    5. Type in the developer’s valid e-mail address
    6. Click “Update”
  • Can users manage roles and change passwords of other users?

Yes, in version 8.0.0 and newer. Users whose role configuration includes User Management permissions can perform this task.

Resetting the password for the current user also resets the UserToken, which prevents the user from making subsequent requests until the ClearBlade instance is re-initialized with a new user token that can then be set for the user within the portal.

  • If a user has an MQTT client connected with a device token and that device token expires while the connection is open, what is the expected behavior?

The client stays connected.

  • What if the user attempts to publish with the open connection with an expired token?

If they already have an open MQTT connection, the publish should succeed. The platform only checks the token on the connect packet.
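A defender-side audit built from the three facts above: the sessions log records user IDs / device keys with the token issue time, refresh tokens live twice as long as access tokens (none at all under infinite expiry), and an MQTT connection outlives its token because the token is only checked on CONNECT. This is an added example, not ClearBlade's code; the session records, the `mqtt_connected` field and the 1-hour TTL are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INFINITE: Optional[timedelta] = None   # models the instance setting "infinite expiry"

@dataclass
class Session:
    """One entry of the active-sessions log: the principal (user ID for users, device key for
    devices), when its token was issued, and whether an MQTT connection opened with that
    token is still up (the last field is constructed for this example)."""
    kind: str
    principal: str
    issued_at: datetime
    mqtt_connected: bool

def refresh_token_ttl(access_ttl: Optional[timedelta]) -> Optional[timedelta]:
    """Refresh tokens expire at twice the access-token expiry; with infinite access
    tokens the instance issues no refresh tokens, so there is no TTL to report."""
    if access_ttl is INFINITE:
        return None
    return access_ttl * 2

def token_expired(s: Session, access_ttl: Optional[timedelta], now: datetime) -> bool:
    if access_ttl is INFINITE:
        return False
    return now >= s.issued_at + access_ttl

def stale_mqtt_sessions(sessions: List[Session], access_ttl: Optional[timedelta],
                        now: datetime) -> List[str]:
    """Principals still connected over MQTT whose token has already expired. The broker keeps
    serving their publishes (token checked only on CONNECT), so an operator who wants token
    expiry to end access has to terminate these sessions explicitly."""
    return [s.principal for s in sessions if s.mqtt_connected and token_expired(s, access_ttl, now)]

# Constructed sample log with 1-hour access tokens.
ACCESS_TTL = timedelta(hours=1)
T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SESSIONS = [
    Session("device", "dev-key-0001", T0, True),                          # expired, still connected
    Session("user", "user-0001", T0 + timedelta(minutes=50), True),       # still within TTL
    Session("device", "dev-key-0002", T0 + timedelta(minutes=30), False), # expired but disconnected
]

if __name__ == "__main__":
    print(stale_mqtt_sessions(SESSIONS, ACCESS_TTL, T0 + timedelta(hours=1, minutes=30)))
```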