Identities on EnOS
Enterprise tenant managers can manage user account lifecycles, authenticate users, and control access to resources in EnOS. When an organization has multiple users, granting each user only the privileges needed for their role (the principle of least privilege) reduces enterprise information security risk.
EnOS implements multi-tenant and multi-organization solutions in Application Portal. Multiple tenants can be created in EnOS; each tenant corresponds to an enterprise, and a tenant can contain multiple organizations, each corresponding to an OU (Organization Unit). Data belonging to different organizations is securely segregated, and only users registered in that organization who hold the required permissions have access to it.
Identity Types on EnOS
All identities are created under organizations. EnOS offers the following types of identities:
User accounts are usually created for EnOS Application Portal users by enterprise tenant managers.
Service accounts (a.k.a. application tokens) are assigned to applications for accessing EnOS service APIs.
Device identities are assigned to all devices (including edge devices) that connect to EnOS.
Authentication on EnOS
EnOS provides different authentication methods for different account types.
User accounts are authenticated through valid credentials (username and password) for EnOS Application Portal.
Strong passwords with the required complexity are enforced by the security policy managed by the OU administrators.
Multi-factor authentication is available as a configurable security option.
Service accounts are composed of an Access Key and a Secret Key. They are obtained by registering or acquiring an application and serve as the identity credentials for accessing EnOS APIs.
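The paragraph above describes a service account as an Access Key / Secret Key pair. The following is an added illustration, not EnOS code and not EnOS's actual API signing scheme: it shows the general pattern such a pair supports, where the Access Key travels with the request as an identifier while the Secret Key never leaves the caller and is used only to compute an HMAC over the request. The header names, the canonical string layout, the 300-second timestamp window and the sample credentials are all constructed for this example.

```python
import hmac
import hashlib

# Constructed sample service-account credentials (placeholders, not real EnOS keys).
ACCESS_KEY = "example-access-key"
SECRET_KEY = b"example-secret-key-keep-out-of-source-control"

# Server-side lookup table: Access Key -> Secret Key (constructed for the example).
SERVICE_ACCOUNTS = {ACCESS_KEY: SECRET_KEY}

# Hypothetical header names used by this illustrative scheme.
H_KEY, H_TS, H_SIG = "X-Access-Key", "X-Timestamp", "X-Signature"


def canonical_string(method, path, query, body, timestamp):
    """Deterministic representation of the request that both sides sign.

    Query parameters are sorted so that parameter order does not change the
    signature; the body is hashed so large payloads are covered without being
    re-serialised into the signed string.
    """
    sorted_query = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, sorted_query, body_hash, str(timestamp)])


def sign_request(access_key, secret_key, method, path, query, body, timestamp):
    """Client side: produce the authentication headers for one request.

    Only the Access Key is sent; the Secret Key is used to key the HMAC and
    never appears on the wire.
    """
    msg = canonical_string(method, path, query, body, timestamp).encode()
    sig = hmac.new(secret_key, msg, hashlib.sha256).hexdigest()
    return {H_KEY: access_key, H_TS: str(timestamp), H_SIG: sig}


def verify_request(headers, lookup_secret, method, path, query, body, now, max_skew=300):
    """Server side: recompute the HMAC and accept only a fresh, matching signature.

    Returns True when the request is authentic. Rejects unknown Access Keys,
    malformed or stale timestamps (limits replay of a captured request) and
    any mismatch, using a constant-time comparison.
    """
    secret = lookup_secret(headers.get(H_KEY))
    if secret is None:
        return False
    try:
        ts = int(headers[H_TS])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False
    msg = canonical_string(method, path, query, body, ts).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get(H_SIG, ""))


if __name__ == "__main__":
    # Constructed request: the client signs, the server verifies.
    now = 1700000000
    req = ("POST", "/api/v1/assets", {"orgId": "o1", "pageSize": "50"}, b'{"name":"pump-7"}')
    hdrs = sign_request(ACCESS_KEY, SECRET_KEY, *req, timestamp=now)
    print("genuine request accepted:", verify_request(hdrs, SERVICE_ACCOUNTS.get, *req, now=now))
    tampered = (req[0], req[1], req[2], b'{"name":"pump-8"}')
    print("modified body rejected:", not verify_request(hdrs, SERVICE_ACCOUNTS.get, *tampered, now=now))
```

The design point for a defender is that the Secret Key is a long-lived credential with the same weight as a password: it belongs in a secrets store, rotation means replacing the entry in the server-side table, and an unknown or revoked Access Key fails closed before any signature work is done.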
Devices and edges use X.509 certificates to establish secure data communication tunnels with EnOS. For more information, see Best Practice for Securing Communications between Edge Gateways and EnOS with X.509 Certificates.