Our fictitious company, called Smart Widgets 'R Us, sells networked thermometers.
We decided not to provide our own infrastructure for data visualization and analysis. So - at least for the initial stage of our business - we set up our devices to publish data on ThingSpeak, a popular free IoT data platform running in the cloud. This platform provides a simple HTTP-based API that devices use to push data to so-called channels. Data in channels can then be easily visualized (and analyzed) via the ThingSpeak GUI.
Access to ThingSpeak channels is managed via read and write keys. Devices use write keys to push data, while users use read keys to view the channel content.
So the keys have to be managed somehow: write keys have to be distributed to devices, and read keys to users. What makes this even more complicated is that, for security reasons, these keys should be changed on a regular basis.
In this story, we will show how midPoint can be used to manage these keys.
Computing Components Involved
- Devices measure temperature and send the data to the cloud. They are sold by our company and configured by the customer.
- ThingSpeak is the cloud application that collects the data and presents them to users in a visual way. It is operated by an independent company. (MathWorks: a real one, not a fictitious one!)
- midPoint is operated by our company (Smart Widgets 'R Us). It manages the customers' users and devices. It distributes channel write keys to devices and channel read keys to users.
For a detailed description of key distribution, please see this page.
MidPoint Object Structure
After describing the overall scenario, let us have a look at how it is implemented in midPoint. The following object types are used:
| Object type | Description | Examples |
|---|---|---|
| Organization | There is one midPoint organization per customer. It contains all objects for that customer. A customer can create child organizations as well. | Customer-level: firstname.lastname@example.org (Jack's World), email@example.com (Davy Jones). Note that the names of child organizations consist of the customer's name and a random number, to avoid naming conflicts. |
| Resource | Channels for the customer's ThingSpeak account. | TODO |
| Service | Each self-registered thermometer device. It has an "account" on the resource above, corresponding to the ThingSpeak channel created for this device. There is no resource for the device itself (see below). The customer can place devices into child organizations, both to organize them and to control which individual users can access them. | TODO |
| User | There is at least one "administrator" user per customer: the one created during self-registration. An administrator can create as many users as needed and make them administrators or "regular users". Users can be placed into the child organizations the administrator has created, which limits the devices they see to those in these organizations. | firstname.lastname@example.org (Jack Sparrow), email@example.com (Elisabeth Turner), firstname.lastname@example.org (Bill Turner), email@example.com (Davy Jones) |
| Role | There are two roles used to manage authorizations: the Customer admin role and the Customer user role. They are assigned automatically based on the employeeType set for individual users. | |
Their attributes are described on a separate page.
We'd like to thank Saneef Ansari for the symbol of thermometer and Guilhem for the various symbols of keys. All from the Noun Project.