
Permissions

Role Based Permissions System

EAS uses a role-based permission system made up of Permissions, Internal Roles, and External Roles. An Internal Role can be assigned a number of permissions, which grant it the ability to perform actions against various resources. An External Role cannot be assigned permissions directly, but it can be assigned a number of Internal Roles, from which it inherits permissions. A request provides External Roles by name via its access token. A request can only provide External Roles; it cannot provide Internal Roles or Permissions directly.

Default Roles

When the EAS database is initialised, the following Roles are created.

Default Internal Roles

| Internal Role | Permissions |
| --- | --- |
| MAP_VIEWER_INTERNAL | EWB:READ, OPPORTUNITIES:READ, LOCATION_SERVICE:READ |
| EWB_UPDATER_INTERNAL | EWB:UPDATE |
| STUDIES_CREATOR_INTERNAL | STUDIES:READ, STUDIES:CREATE, STUDIES:DELETE |
| RUN_HOSTING_CAPACITY_INTERNAL | HC_WORK_PACKAGE:READ, HC_WORK_PACKAGE:CREATE, HC_WORK_PACKAGE:CANCEL, HC_WORK_PACKAGE:DIFF |
| EWB_ADMIN_INTERNAL | EWB:SWITCH, EWB:LOCK, EWB:UNLOCK |
| MODEL_EXPORTER_INTERNAL | HC_INPUT:READ, POWER_FACTORY_MODEL_EXPORT:READ, POWER_FACTORY_MODEL_EXPORT:CREATE, POWER_FACTORY_MODEL_EXPORT:DELETE, POWER_FACTORY_MODEL_EXPORT:UPDATE, POWER_FACTORY_EXPORT_TEMPLATE:READ, POWER_FACTORY_EXPORT_TEMPLATE:CREATE, POWER_FACTORY_EXPORT_TEMPLATE:DELETE, POWER_FACTORY_EXPORT_TEMPLATE:UPDATE, SINCAL_MODEL_EXPORT:READ, SINCAL_MODEL_EXPORT:CREATE, SINCAL_MODEL_EXPORT:DELETE, SINCAL_MODEL_EXPORT:UPDATE, SINCAL_EXPORT_TEMPLATE:READ, SINCAL_EXPORT_TEMPLATE:CREATE, SINCAL_EXPORT_TEMPLATE:DELETE, SINCAL_EXPORT_TEMPLATE:UPDATE |
| METRICS_VIEWER_INTERNAL | METRICS:READ |
| ALLOW_ALL_INTERNAL | POWER_FACTORY_EXPORT_TEMPLATE:READ, POWER_FACTORY_EXPORT_TEMPLATE:CREATE, POWER_FACTORY_EXPORT_TEMPLATE:UPDATE, POWER_FACTORY_EXPORT_TEMPLATE:DELETE, POWER_FACTORY_MODEL_EXPORT:CREATE, POWER_FACTORY_MODEL_EXPORT:READ, POWER_FACTORY_MODEL_EXPORT:UPDATE, POWER_FACTORY_MODEL_EXPORT:DELETE, SINCAL_MODEL_EXPORT:READ, SINCAL_MODEL_EXPORT:CREATE, SINCAL_MODEL_EXPORT:DELETE, SINCAL_MODEL_EXPORT:UPDATE, SINCAL_EXPORT_TEMPLATE:READ, SINCAL_EXPORT_TEMPLATE:CREATE, SINCAL_EXPORT_TEMPLATE:DELETE, SINCAL_EXPORT_TEMPLATE:UPDATE, STUDIES:READ, STUDIES:DELETE, STUDIES:CREATE, EWB:SWITCH, EWB:LOCK, EWB:UNLOCK, HC_WORK_PACKAGE:CREATE, HC_WORK_PACKAGE:READ, HC_WORK_PACKAGE:CANCEL, EWB:READ, METRICS:READ, SINCAL_EXPORTER_LOGS:READ, OPPORTUNITIES:READ, LOCATION_SERVICE:READ, INGESTOR:RUN, MACHINE_TOKEN:CREATE, HC_WORK_PACKAGE:UPDATE, SINCAL_GLOBAL_CONFIG:READ, SINCAL_GLOBAL_CONFIG:UPDATE |
| NETWORK_MODEL_EXECUTOR_INTERNAL | INGESTOR:RUN |
| MACHINE_TOKEN_CREATOR_INTERNAL | MACHINE_TOKEN:CREATE, MACHINE_TOKEN:READ |
| EWB_CUSTOMER_VIEWER_INTERNAL | EWB_CUSTOMER:READ |
| EWB_DIAGRAM_VIEWER_INTERNAL | EWB_DIAGRAM:READ |

Default External Roles

| External Role | Internal Roles | Overview |
| --- | --- | --- |
| SUPER_ADMIN | ALLOW_ALL_INTERNAL | Provides complete access to all EAS functionality. |
| EWB_ADMIN | EWB_ADMIN_INTERNAL | The ability to change the network model currently loaded in EWB. |
| TIMESERIES_MODELLER | RUN_HOSTING_CAPACITY_INTERNAL | The ability to start and stop Hosting Capacity work packages. |
| MODELLER | MODEL_EXPORTER_INTERNAL | The ability to export Power Factory and Sincal models. |
| DEVELOPER | STUDIES_CREATOR_INTERNAL | The ability to create studies. |
| MAP_VIEWER | MAP_VIEWER_INTERNAL | The ability to retrieve any map data from EWB. The ability to retrieve "opportunity" data. |
| EWB_UPDATER | EWB_UPDATER_INTERNAL | The ability to update EWB data. |
| METRICS_VIEWER | METRICS_VIEWER_INTERNAL | The ability to retrieve any information from the Metrics Database. |
| NETWORK_MODEL_EXECUTOR | NETWORK_MODEL_EXECUTOR_INTERNAL | The ability to trigger ingestion of a new CIM network model into the Energy Workbench. |
| INTEGRATION_ADMIN | MACHINE_TOKEN_CREATOR_INTERNAL | The ability to create and view machine-to-machine tokens. |
| EWB_CUSTOMER_VIEWER | EWB_CUSTOMER_VIEWER_INTERNAL | The ability to retrieve data from EWB's customer service. |
| EWB_DIAGRAM_VIEWER | EWB_DIAGRAM_VIEWER_INTERNAL | The ability to retrieve data from EWB's diagram service. |

HTTP REST Endpoints

| Permission | Required for | Provided by default role |
| --- | --- | --- |
| EWB:READ | api/network/graphql, api/network/hierarchy, api/network/feeder-assets/{container}/{containerId}, api/network/assets/{assetId}, api/network/find/{search}, api/network/assets/by-location/{locationId}, api/network/trace/upstream/asset/{assetId}, api/network/assets/graphics/geo-json, api/energy/profiles/max-demand/{id}, api/energy/profiles/max-demand, api/energy/profiles/max-demand/combine, api/energy/profiles/min-demand/{id}, api/energy/profiles/profiles/range/{id}/from-date/{fromDate}/to-date/{toDate}, api/energy/profiles/weather/{id}/season/{season}/day/{day}/temperature/{temperature}/variance/{variance}, api/energy/analysis/summary, api/energy/analysis/ev/{chargingBlockKw}, api/map/tile/{z}/{x}/{y} | SUPER_ADMIN, MAP_VIEWER |
| POWER_FACTORY_MODEL_EXPORT:READ | api/power-factory-model/{id} | SUPER_ADMIN, MODELLER |
| SINCAL_MODEL_EXPORT:READ | api/sincal-model/{id} | SUPER_ADMIN, MODELLER |
| SINCAL_EXPORTER_LOGS:READ | api/sincal-model/{id}/logs | SUPER_ADMIN |

GraphQL Queries

The GraphQL API is served at /api/graphql. All GraphQL queries forwarded to the EWB server via api/network/graphql require the EWB:READ permission.

| Permission | Required for | Provided by default role |
| --- | --- | --- |
| EWB:READ | All GraphQL queries forwarded to the EWB server via api/network/graphql | SUPER_ADMIN, MAP_VIEWER |
| EWB:LOCK | lockNetworkModelDatabase | SUPER_ADMIN, EWB_ADMIN |
| EWB:SWITCH | switchNetworkModelDatabase, getNetworkModels | SUPER_ADMIN, EWB_ADMIN |
| EWB:UNLOCK | unlockNetworkModelDatabase | SUPER_ADMIN, EWB_ADMIN |
| EWB_CUSTOMER:READ | Accessing the customer service via the EWB SDK. | SUPER_ADMIN, EWB_CUSTOMER_VIEWER |
| EWB_DIAGRAM:READ | Accessing the diagram service via the EWB SDK. | SUPER_ADMIN, EWB_DIAGRAM_VIEWER |
| HC_INPUT:READ | getScenarioConfigurations | SUPER_ADMIN, MODELLER |
| HC_WORK_PACKAGE:CANCEL | cancelWorkPackage | SUPER_ADMIN, TIMESERIES_MODELLER |
| HC_WORK_PACKAGE:CREATE | runWorkPackage | SUPER_ADMIN, TIMESERIES_MODELLER |
| HC_WORK_PACKAGE:DIFF | generateNetworkPerformanceDiff, generateEnhancedNetworkPerformanceDiff | SUPER_ADMIN, TIMESERIES_MODELLER |
| HC_WORK_PACKAGE:READ | getWorkPackageById, getWorkPackageProgress, getWorkPackages, getWorkPackageTree | SUPER_ADMIN, TIMESERIES_MODELLER |
| HC_WORK_PACKAGE:UPDATE | editWorkPackage | SUPER_ADMIN |
| INGESTOR:RUN | executeIngestor | SUPER_ADMIN |
| LOCATION_SERVICE:READ | getOpportunities (identifiedObject location information), getOpportunityLocations (identifiedObject location information), getOpportunitiesForEquipment (identifiedObject location information), getOpportunity (identifiedObject location information), getDurationCurves (identifiedObject location information) | SUPER_ADMIN, MAP_VIEWER |
| MACHINE_TOKEN:CREATE | createMachineApiKey | SUPER_ADMIN, INTEGRATION_ADMIN |
| MACHINE_TOKEN:READ | getMachineTokens | SUPER_ADMIN, INTEGRATION_ADMIN |
| METRICS:READ | getAllJobs, getNewestJob, getSources, getMetrics | SUPER_ADMIN, METRICS_VIEWER |
| OPPORTUNITIES:READ | getOpportunities, getOpportunityLocations, getOpportunitiesForEquipment, getOpportunity, getDurationCurves | SUPER_ADMIN, MAP_VIEWER |
| POWER_FACTORY_MODEL_EXPORT:CREATE | createPowerFactoryModel | SUPER_ADMIN, MODELLER |
| POWER_FACTORY_MODEL_EXPORT:DELETE | deletePowerFactoryModel | SUPER_ADMIN, MODELLER |
| POWER_FACTORY_MODEL_EXPORT:READ | powerFactoryModelById, powerFactoryModelsByIds, pagedPowerFactoryModels | SUPER_ADMIN, MODELLER |
| POWER_FACTORY_EXPORT_TEMPLATE:CREATE | createPowerFactoryModelTemplate | SUPER_ADMIN, MODELLER |
| POWER_FACTORY_EXPORT_TEMPLATE:DELETE | deletePowerFactoryModelTemplate | SUPER_ADMIN, MODELLER |
| POWER_FACTORY_EXPORT_TEMPLATE:READ | powerFactoryModelTemplateById, powerFactoryModelTemplatesByIds, pagedPowerFactoryModelTemplates | SUPER_ADMIN, MODELLER |
| POWER_FACTORY_EXPORT_TEMPLATE:UPDATE | updatePowerFactoryModelTemplate | SUPER_ADMIN, MODELLER |
| SINCAL_MODEL_EXPORT:CREATE | createSincalModel | SUPER_ADMIN, MODELLER |
| SINCAL_MODEL_EXPORT:DELETE | deleteSincalModel | SUPER_ADMIN, MODELLER |
| SINCAL_MODEL_EXPORT:READ | sincalModelById, sincalModelsByIds, pagedSincalModels | SUPER_ADMIN, MODELLER |
| SINCAL_EXPORT_PRESET:CREATE | createSincalModelPreset | SUPER_ADMIN, MODELLER |
| SINCAL_EXPORT_PRESET:DELETE | deleteSincalModelPreset | SUPER_ADMIN, MODELLER |
| SINCAL_EXPORT_PRESET:READ | sincalModelPresetById, sincalModelPresetsByIds, pagedSincalModelPresets | SUPER_ADMIN, MODELLER |
| SINCAL_EXPORT_PRESET:UPDATE | updateSincalModelPreset | SUPER_ADMIN, MODELLER |
| SINCAL_GLOBAL_CONFIG:READ | sincalModelGlobalConfig | SUPER_ADMIN, MODELLER |
| SINCAL_GLOBAL_CONFIG:UPDATE | sincalModelConfigUploadUrl, updateSincalModelConfigFilePath | SUPER_ADMIN, MODELLER |
| STUDIES:CREATE | addStudies | SUPER_ADMIN, DEVELOPER |
| STUDIES:DELETE | deleteStudies | SUPER_ADMIN, DEVELOPER |
| STUDIES:READ | studiesById, studies, pagedStudies, resultsById, stylesById | SUPER_ADMIN, DEVELOPER |

EWB Permissions Mappings

To allow EAS-generated tokens to be used with the EWB SDK, the following EAS permissions are mapped to the roles defined by the EWB.

| EAS Permission | EWB Role | EWB access provided | Provided by default "External Role" |
| --- | --- | --- | --- |
| EWB:READ | read:ewb | Access to connect to the network service with a gRPC NetworkConsumerClient. Also to all EWB HTTP REST endpoints (excluding /ewb/api/graphql/customers). | SUPER_ADMIN, MAP_VIEWER |
| EWB:UPDATE | write:ewb | Access to connect to the network service with a gRPC UpdateNetworkStateClient. | SUPER_ADMIN, EWB_UPDATER |
| EWB_CUSTOMER:READ | read:customer | Access to connect to the customer service with a gRPC CustomerConsumerClient. Also to the customer GraphQL endpoint /ewb/api/graphql/customers. | SUPER_ADMIN, EWB_CUSTOMER_VIEWER |
| EWB_DIAGRAM:READ | read:diagram | Access to connect to the diagram service with a gRPC DiagramConsumerClient. | SUPER_ADMIN, EWB_DIAGRAM_VIEWER |

The EWB Roles will be included in a generated token's "roles" claim when the External Roles being assigned to the new token inherit their matching EAS permission.

Note: This permission check only happens at token creation time and cannot be updated or revoked after the token is created.
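
The resolution chain from the Role Based Permissions System section and the EWB role mapping above, as an added Python example (not EAS code). All function names are hypothetical, the role tables are a subset copied from this page, and `stale_claim_demo` assumes a later change to EWB_UPDATER purely to show that a claim computed at token creation does not follow it.

```python
# Added example: tables below copy a subset of the default roles on this page.
INTERNAL_ROLES = {
    "MAP_VIEWER_INTERNAL": {"EWB:READ", "OPPORTUNITIES:READ", "LOCATION_SERVICE:READ"},
    "EWB_UPDATER_INTERNAL": {"EWB:UPDATE"},
    "EWB_CUSTOMER_VIEWER_INTERNAL": {"EWB_CUSTOMER:READ"},
    "EWB_DIAGRAM_VIEWER_INTERNAL": {"EWB_DIAGRAM:READ"},
    "MACHINE_TOKEN_CREATOR_INTERNAL": {"MACHINE_TOKEN:CREATE", "MACHINE_TOKEN:READ"},
}
EXTERNAL_ROLES = {
    "MAP_VIEWER": ["MAP_VIEWER_INTERNAL"],
    "EWB_UPDATER": ["EWB_UPDATER_INTERNAL"],
    "EWB_CUSTOMER_VIEWER": ["EWB_CUSTOMER_VIEWER_INTERNAL"],
    "EWB_DIAGRAM_VIEWER": ["EWB_DIAGRAM_VIEWER_INTERNAL"],
    "INTEGRATION_ADMIN": ["MACHINE_TOKEN_CREATOR_INTERNAL"],
}
EWB_ROLE_FOR_PERMISSION = {  # EAS permission -> EWB role
    "EWB:READ": "read:ewb",
    "EWB:UPDATE": "write:ewb",
    "EWB_CUSTOMER:READ": "read:customer",
    "EWB_DIAGRAM:READ": "read:diagram",
}

def effective_permissions(token_roles, external=EXTERNAL_ROLES, internal=INTERNAL_ROLES):
    """External Role names -> permissions. Internal Role or permission names
    supplied by a request match no External Role and contribute nothing."""
    perms = set()
    for name in token_roles:
        for internal_name in external.get(name, ()):
            perms |= internal.get(internal_name, set())
    return perms

def is_allowed(token_roles, required):
    return required in effective_permissions(token_roles)

def ewb_roles_for_new_token(assigned_external_roles, external=EXTERNAL_ROLES):
    """EWB roles to place in the "roles" claim; evaluated once, at creation."""
    perms = effective_permissions(assigned_external_roles, external=external)
    return sorted(EWB_ROLE_FOR_PERMISSION[p] for p in perms if p in EWB_ROLE_FOR_PERMISSION)

def stale_claim_demo():
    # Assumed scenario: EWB_UPDATER loses its Internal Role after a token was issued.
    token = {"roles": ewb_roles_for_new_token(["MAP_VIEWER", "EWB_UPDATER"])}
    reduced = dict(EXTERNAL_ROLES, EWB_UPDATER=[])
    return token["roles"], ewb_roles_for_new_token(["MAP_VIEWER", "EWB_UPDATER"], external=reduced)

if __name__ == "__main__":
    print(effective_permissions(["MAP_VIEWER_INTERNAL", "EWB:UPDATE"]))  # not External Roles
    print(stale_claim_demo())
```

The first element returned by `stale_claim_demo` is what the already issued token still carries; the second is what a token created after the change would receive.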