User Roles
AERL Cloud uses role-based access control to manage user permissions within organizations. Each role has specific capabilities designed for different responsibilities.
Understanding Roles
Role Hierarchy
Roles are hierarchical, with each level including all permissions of lower levels:
- Owner - Full control including billing
- Admin - Complete operational control
- Technician - Field operations access
- Viewer - Read-only monitoring
- Restricted Viewer - Single location access
Role Assignment
- Roles are assigned when users are invited
- Only Owners and Admins can manage user roles
- Users can have different roles in different organizations
- Role changes take effect immediately
Role Descriptions
Owner
The highest level of access, typically reserved for business owners or executives.
Key Responsibilities:
- Organization management
- Billing and subscription control
- User administration
- Full system access
Unique Permissions:
- Delete organization
- Manage billing
- Transfer ownership
- Access all features
Best For:
- Business owners
- C-level executives
- Primary account holders
Admin
Full operational control without billing access.
Key Responsibilities:
- Manage all locations and equipment
- Configure system settings
- Administer users and permissions
- Create and modify alert rules
Unique Permissions:
- Add/remove users
- Create user groups
- Modify all settings
- Delete locations and devices
Best For:
- Operations managers
- System administrators
- Technical leads
Technician
Field operations role with ability to manage equipment but not users.
Key Responsibilities:
- Monitor equipment status
- Acknowledge alerts
- Add and configure devices
- Perform maintenance tasks
Restrictions:
- Cannot manage users
- Cannot delete locations
- Limited to operational tasks
Best For:
- Field technicians
- Maintenance staff
- Installation teams
Viewer
Read-only access for monitoring without modification capabilities.
Key Responsibilities:
- Monitor system status
- View historical data
- Generate reports
- Track performance
Restrictions:
- Cannot modify any settings
- Cannot acknowledge alerts
- Cannot add equipment
- Read-only access
Best For:
- Clients/customers
- External stakeholders
- Reporting personnel
Restricted Viewer
Limited access to a single location only.
Key Responsibilities:
- Monitor assigned location
- View specific site data
- Track local performance
Special Characteristics:
- Assigned to one location during invite
- Cannot see other locations
- Cannot be added to user groups
- Extremely limited scope
Best For:
- Site-specific contractors
- Limited access clients
- Temporary personnel
Detailed Permission Matrix
| Permission | Owner | Admin | Technician | Viewer | Restricted Viewer |
|---|---|---|---|---|---|
| Organization Management | | | | | |
| View organization details | ✅ | ✅ | ✅ | ✅ | ✅ |
| Edit organization settings | ✅ | ✅ | ❌ | ❌ | ❌ |
| Delete organization | ✅ | ❌ | ❌ | ❌ | ❌ |
| Manage billing | ✅ | ❌ | ❌ | ❌ | ❌ |
| User Management | | | | | |
| View users | ✅ | ✅ | ✅ | ✅ | ❌ |
| Invite users | ✅ | ✅ | ❌ | ❌ | ❌ |
| Edit user roles | ✅ | ✅ | ❌ | ❌ | ❌ |
| Remove users | ✅ | ✅ | ❌ | ❌ | ❌ |
| Create user groups | ✅ | ✅ | ❌ | ❌ | ❌ |
| Location Management | | | | | |
| View all locations | ✅ | ✅ | ✅* | ✅* | ❌ |
| View assigned location | ✅ | ✅ | ✅ | ✅ | ✅ |
| Add locations | ✅ | ✅ | ❌ | ❌ | ❌ |
| Edit locations | ✅ | ✅ | ✅ | ❌ | ❌ |
| Delete locations | ✅ | ✅ | ❌ | ❌ | ❌ |
| Gateway Management | | | | | |
| View gateways | ✅ | ✅ | ✅ | ✅ | ✅ |
| Add gateways | ✅ | ✅ | ✅ | ❌ | ❌ |
| Edit gateways | ✅ | ✅ | ✅ | ❌ | ❌ |
| Delete gateways | ✅ | ✅ | ❌ | ❌ | ❌ |
| Device Management | | | | | |
| View devices | ✅ | ✅ | ✅ | ✅ | ✅ |
| Add devices | ✅ | ✅ | ✅ | ❌ | ❌ |
| Configure devices | ✅ | ✅ | ✅ | ❌ | ❌ |
| Delete devices | ✅ | ✅ | ❌ | ❌ | ❌ |
| Data Access | | | | | |
| View real-time data | ✅ | ✅ | ✅ | ✅ | ✅ |
| View historical data | ✅ | ✅ | ✅ | ✅ | ✅ |
| Export data | ✅ | ✅ | ✅ | ✅ | ❌ |
| Use metrics explorer | ✅ | ✅ | ✅ | ✅ | ❌ |
| Alert Management | | | | | |
| View alerts | ✅ | ✅ | ✅ | ✅ | ✅ |
| Acknowledge alerts | ✅ | ✅ | ✅ | ❌ | ❌ |
| Create alert rules | ✅ | ✅ | ❌ | ❌ | ❌ |
| Edit alert rules | ✅ | ✅ | ❌ | ❌ | ❌ |
| Delete alert rules | ✅ | ✅ | ❌ | ❌ | ❌ |
| Manage receivers | ✅ | ✅ | ❌ | ❌ | ❌ |
*Subject to user group restrictions if configured
Managing Roles
Inviting Users
- Navigate to Organization Settings
- Click Invite User
- Enter email address
- Select appropriate role
- For Restricted Viewer, select location
- Send invitation
Changing User Roles
- Go to Organization Settings
- Find user in member list
- Click role dropdown
- Select new role
- Confirm change
Role Change Considerations
- Downgrading roles removes permissions immediately
- Upgrading roles grants new permissions instantly
- Users are notified of role changes
- Audit log tracks all changes
Best Practices
Role Assignment Guidelines
- Principle of Least Privilege: Assign minimum necessary permissions
- Regular Reviews: Audit user roles quarterly
- Document Responsibilities: Clear job descriptions for each role
- Temporary Access: Use Restricted Viewer for short-term needs
Security Recommendations
- Limit number of Owners (ideally 2-3)
- Require MFA for Owners and Admins
- Review admin access regularly
- Remove inactive users promptly
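One way to run these checks during a quarterly review, as an added example that is not AERL Cloud code. The member list is constructed, its field names are hypothetical, and the 90-day inactivity threshold is an assumption (the page only says "promptly").

```python
from datetime import date

MAX_OWNERS = 3                   # the page suggests ideally 2-3 Owners
INACTIVE_DAYS = 90               # assumed threshold, not from the page
PRIVILEGED = {"Owner", "Admin"}  # roles the page says should require MFA

# Constructed sample member list; field names are hypothetical.
MEMBERS = [
    {"email": "ceo@example.com",   "role": "Owner",             "mfa": True,  "last_login": "2024-05-28"},
    {"email": "cfo@example.com",   "role": "Owner",             "mfa": True,  "last_login": "2024-05-20"},
    {"email": "ops@example.com",   "role": "Owner",             "mfa": False, "last_login": "2024-05-30"},
    {"email": "it@example.com",    "role": "Owner",             "mfa": True,  "last_login": "2024-01-10"},
    {"email": "lead@example.com",  "role": "Admin",             "mfa": False, "last_login": "2024-05-31"},
    {"email": "field@example.com", "role": "Technician",        "mfa": False, "last_login": "2024-05-29"},
    {"email": "audit@example.com", "role": "Restricted Viewer", "mfa": False, "last_login": "2023-12-01"},
]

def review_members(members, today):
    """Return (finding, subject) tuples for each recommendation that is not met."""
    findings = []
    owners = sorted(m["email"] for m in members if m["role"] == "Owner")
    if len(owners) > MAX_OWNERS:
        findings.append(("too_many_owners", ", ".join(owners)))
    for m in members:
        # Owners and Admins can change roles and settings, so MFA matters most here.
        if m["role"] in PRIVILEGED and not m["mfa"]:
            findings.append(("privileged_without_mfa", m["email"]))
        idle_days = (today - date.fromisoformat(m["last_login"])).days
        if idle_days > INACTIVE_DAYS:
            findings.append(("inactive", m["email"]))
    return findings

if __name__ == "__main__":
    for finding, subject in review_members(MEMBERS, date(2024, 6, 1)):
        print(f"{finding}: {subject}")
```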
Organizational Structure
- Small Teams: Owner + Technicians often sufficient
- Medium Organizations: Add Admins for delegation
- Large Enterprises: Full hierarchy with user groups
- Client Access: Viewers or Restricted Viewers only
Common Scenarios
Contractor Access
Scenario: External contractor needs equipment access
Solution: Technician role with user group restrictions
Client Monitoring
Scenario: Customer wants to view their sites
Solution: Viewer role, possibly with user groups
Temporary Audit
Scenario: Auditor needs limited access
Solution: Restricted Viewer to specific location
New Employee Onboarding
Scenario: Training period before full access
Solution: Start as Viewer, upgrade after training
Troubleshooting
User Can't Access Features
- Verify correct role assignment
- Check user group restrictions
- Confirm organization membership
- Review recent role changes
Permission Denied Errors
- Role may lack required permission
- Feature might require Admin/Owner
- Check if restricted by user groups
Role Change Not Working
- Ensure you have permission to change roles
- User may need to log out/in
- Check for browser cache issues
Integration with User Groups
How Roles and Groups Interact
- Roles define what users can do
- Groups define what users can see
- Groups only affect Technicians and Viewers
- Admins and Owners bypass group restrictions
Examples
- Technician in "Region A" group: Can manage equipment in Region A only
- Viewer in "Client Sites" group: Can view data from client locations only
- Admin with no group: Can access everything regardless
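The role and group interaction above, modelled as an access decision. This is an added example, not AERL Cloud's implementation: the role and action identifiers, site names and group contents are constructed, only a subset of the permission matrix is included, and treating multiple group memberships as additive is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Subset of the page's permission matrix: action -> roles that hold it.
# Role and action identifiers are hypothetical names for this example.
MATRIX = {
    "view_devices":       {"owner", "admin", "technician", "viewer", "restricted_viewer"},
    "configure_devices":  {"owner", "admin", "technician"},
    "delete_devices":     {"owner", "admin"},
    "acknowledge_alerts": {"owner", "admin", "technician"},
    "export_data":        {"owner", "admin", "technician", "viewer"},
    "manage_billing":     {"owner"},
}
GROUP_SCOPED = {"technician", "viewer"}  # groups only affect these roles
ORG_LEVEL = {"manage_billing"}           # actions not tied to a location

# Constructed sample data.
LOCATIONS = {"site-a1", "site-a2", "site-b1"}
GROUPS = {"Region A": {"site-a1", "site-a2"}, "Client Sites": {"site-b1"}}

@dataclass
class User:
    role: str
    groups: set = field(default_factory=set)  # Technician/Viewer only
    location: Optional[str] = None            # Restricted Viewer only

def visible_locations(user):
    """What the user can see (the 'groups' half of the model)."""
    if user.role == "restricted_viewer":
        return {user.location} & LOCATIONS
    if user.role in GROUP_SCOPED and user.groups:
        # Assumption: membership in several groups is additive.
        scoped = set().union(*(GROUPS.get(g, set()) for g in user.groups))
        return scoped & LOCATIONS
    return set(LOCATIONS)  # Owner/Admin bypass, or no group configured

def is_allowed(user, action, location=None):
    """Deny by default: role check first, then location scope."""
    if user.role not in MATRIX.get(action, set()):
        return False
    if action in ORG_LEVEL:
        return True
    return location in visible_locations(user)
```

Both checks must pass: a Technician in "Region A" is refused `configure_devices` on `site-b1` by scope, and refused `delete_devices` on `site-a1` by role.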
Next Steps
- Create user groups for location-based access
- Enable MFA for enhanced security
- Set up alerts with appropriate receivers
- Review permissions in audit logs