In this release
The main focus of this release is a full update of the ProptechOS authorization model with improved configuration and added roles to enable user self-management. Users with admin roles will be able to create and modify policies, and also to grant and revoke resource access and role policies to other users.
New functionality
1. Resource Permission Policy
ResourcePermissionPolicy (RPP) – represents resource access policy in ProptechOS platform. RPP is a set of rules that controls read and modify access to the twins. RPP itself consists of different properties that are responsible for different access levels. ResourcePermissionPolicy model:
- propertyOwner – what PropertyOwner this RPP belongs to;
- includesAll – flag that is responsible for providing READ access to all twins in PropertyOwner dataset;
- excludesAll – list of twins types where each separate type will exclude all twins of this type from READ access (allowed values: Collection, RealEstate, RealEstateComponent, BuildingComponent, Asset, Device, Sensor, Actuator);
- included – is responsible for providing READ access to specified twins. It is represented by a key/value map where:
- key – type of the twin (allowed values: Collection, RealEstate, RealEstateComponent, BuildingComponent, Asset, Device, Sensor, Actuator),
- value – list of specified twin ids and ‘propagatable’ flag;
- excluded – is responsible for avoiding READ access to specified twins. It is represented by a key/value map where:
- key – type of the twin (allowed values: Collection, RealEstate, RealEstateComponent, BuildingComponent, Asset, Device, Sensor, Actuator),
- value – list of specified twin ids;
- allowWriteTwinClasses – list of twins types where each separate type will provide WRITE permission to all twins of this type that are allowed by READ related access policies like: includesAll, included (allowed values: Collection, RealEstate, RealEstateComponent, BuildingComponent, Asset, Device, Sensor, Actuator). Also this rule will allow user to create new twins of specified types and subtypes;
- filters – additional tool that will help to filter out included sensors and actuators by QuantityKind and PlacementContext;
- capabilities – special tool to control specific actions in ProptechOS:
- DeviceGateway – will allow user to access device security key;
- Actuation – will allow user to perform actuation over included set of actuators;
- Streaming – will allow streaming recipient receive online telemetry from included set of sensors;
Usage Details
- Access result is calculated according to the following schema:
- INCLUDED (‘icludesAll’ OR ‘included’) AND NOT EXCLUDED (‘excludesAll’ OR ‘excluded’);
- Propagatable Access (‘propagatable’ flag) – each twin has its own hierarchy that is taken into account during access evaluation. Hierarchy is fetched according to the following approaches with From-Bottom-To-Top rule:
- Sensor/Actuator – hasSuperDevice -> Device – isMountedInBuildingComponent -> BuildingComponent – isPartOfBuilding -> Building – isPartOfRealEstate -> RealEstate;
- Asset – locatedIn -> BuildingComponent – isPartOfBuilding -> Building – isPartOfRealEstate -> RealEstate;
- Collection;
So according to the hierarchy schema top twins may work with either propagated access (like ‘open umbrella’) or not propagated access (like ‘closed umbrella’). What does it mean in practice:
- Example 1 demonstrates included single RealEstate with propagatable access, that will allow user to have READ access to the full orphan tree (all buildings, rooms, assets, devices, sensors and actuators):
- Example 2 demonstrates included single RealEstate with non-propagatable access, that will allow users to have READ access only to this specific RealEstate:
If users should have READ access to some orphan twins, those twins should be additionally specified in the ‘included’ section:
- Admin users may specify only orphan twin types ids as included in RPP (e.x. only Room id without specified it’s RealEstate id), in this case the full twin hierarchy will be populated as included twins in the RPP according to the From-Bottom-To-Top rule with propagatable false.
- Propagatable flag is ignored for the following types: Collection, Asset, Sensor, Actuator as these twin types don’t have orphan twins according to hierarchy schema.
Full RPP Example:
Resource Permission Policy Management
ResourcePermissionPolicy management is now allowed for users with the PropertyOwnerAdmin role. RPP management includes full control over the policies that belong to the Property Owner. RPP management is represented by new endpoints:
- GET /json/rpp
- GET /json/rpp/{id}
- POST /json/rpp
- PUT /json/rpp
- DELETE /json/rpp/{id}
2. Role
Role – represents an entity that is responsible for security management access. Each role provides a different level of security management access. Currently ProptechOS includes 3 different role types:
- Property Owner Admin – has full control over ProptechOS resource and security management in scope of single Property Owner. PropertyOwnerAdmin is limited to the single instance;
- Organization Admin – has full control over Organization security twin and has limited control over specified security and resource twins (e.x Application). OrganizationAdmin is limited to the single instance per each organization;
- User – default role that does not have dedicated representation on the API
Role management
In this release PropertyOwnerAdmin will be able to list all roles that belong to the PropertyOwner. And full control over the roles will be available for PropertyOwnerAdmin in future releases. Role management is represented by new endpoints:
- GET /json/role
- GET /json/role/{id}
- POST /json/role
- PUT /json/role
- DELETE /json/role/{id}
3. Twins Multiple Restore
In the scope of this release a new feature to restore multiple twins of the same type was introduced. This feature is only available for agents with batch operations allowed.
The list of endpoints:
- PUT /json/realestates/restore
- PUT /json/realestatecomponents/restore
- PUT /json/buildingcomponents/restore
- PUT /json/rooms/restore
- PUT /json/storeys/restore
- PUT /json/assets/restore
- PUT /json/devices/restore
- PUT /json/sensors/restore
- PUT /json/actuators/restore
- PUT /json/aliasnamespaces/restore
- PUT /json/collections/restore
- PUT /json/apartments/restore
- PUT /json/tenantunits/restore
- PUT /json/regions/restore
- PUT /json/spacecollections/restore
- PUT /json/systems/restore
- PUT /json/addresses/restore
Every endpoint has a list of twin ids as the input parameter, the same list is returned in response in case if all twins are successfully restored. Number of twins that can be restored in one request is limited to 1000. The same set of endpoints is implemented for JSON-LD as well.
For example:
Request:
- PUT /json/rooms/restore
Response:
4. Address Twin Belongs to Property Owner
An Address twin belongs to Property Owner, which is represented as “propertyOwner” in the object. Here is an example of Address JSON.
5. GraphQL API (Preview)
GraphQL is a query language for APIs and a runtime for fulfilling API queries. GraphQL provides a complete and understandable description of the data in your graph, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools. For more information please visit GraphQL Page.
Since this release of ProptechOS you can fetch data via GraphQL API. GraphQL API is available in our Preview API via the new endpoint:
- POST /preview/graphql
GraphQL API Try Out
To try out the new GraphQL API graphiql page can be used. This test page is available via <BASE_PROPTECHOS_URL>/preview/graphiql . In order to start, the Authorization header with Bearer token in JSON format should be provided in “Header” section (Bearer token can be copied from the Swagger page). Authorization header example:
Examples of some possible requests to start:
- Get paged Devices
2. Get paged Devices with specified page and page size:
3. Get Device by id
Breaking changes
None
Fixes and minor updates (internal links are added only for reference)
- PLAT-3692 – User with PO Admin role cannot Create/Update/Delete roles available in thier PO;
- PLAT-3693 – Twin restore endpoint randomly fails with 404;
- OSUI-1524 – Cannot add rooms to TenantUnit after it was archived and restored;
- PLAT-3703 – 500 when user tries authenticate in wrong API;
- PLAT-3717 – Redirect URIs for Applications are not saved in app’s json;
- PLAT-3722 – Cannot modify/clear “included” field of RPP;
- PLAT-3725 – Cannot create Device when RPP has “allowWriteTwinClasses” set only to [“Device”];
