Skip to content

DeviceBoard – Client Admin User Guide for Managing Client Users

DeviceBoard – Client Admin User Guide for Managing Client Users

DeviceBoard – DeviceBoard – Client Admin User Guide for Managing Client Users

This guide is designed for Client Admin Users inside DeviceBoard.

A Client Admin is a delegated administrator who operates within boundaries defined by the Hub Admin.

Using this guide, a Client Admin will learn how to:

  • Understand the scope of Client-level access
  • Organize devices and assets using Sub Device Groups and Sub Asset Groups
  • Create and manage Client Users
  • Control visibility of devices/assets for each Client User
  • Ensure consistency of permissions using Hub-provided RBAC + ABAC
  • Maintain a secure and isolated Client workspace

1. Understanding Client-Level Structure in DeviceBoard

✔ Hub Admin Controls:

  • Which Device Groups the Client can access
  • Which Asset Groups the Client can access
  • Which RBAC modules Client Admin can use
  • Which ABAC operational permissions are allowed
  • Whether sub-group creation is allowed
  • Whether client-level dashboards can be edited

✔ Client Admin Controls:

  • Creating Sub Device Groups
  • Creating Sub Asset Groups
  • Creating and managing Client Users
  • Assigning device subsets to individual Client Users
  • Assigning asset subsets to individual Client Users
  • Managing Client-level dashboards (if permitted)
  • Monitoring alarms and notifications for their assigned devices/assets

✔ Client Users inherit the same RBAC + ABAC permissions as the Client Admin.

This ensures that Client Users:

  • Can only access features allowed by Hub Admin
  • Cannot exceed the operational rights available to the Client Admin
  • Operate within isolated device/asset boundaries

2. Key Concepts for Client Admins

2.1 Client User

A user created by the Client Admin who can:

  • View devices/assets assigned to them
  • Use application modules according to RBAC
  • Perform allowed operations based on ABAC

They cannot:

  • Modify roles
  • Modify client boundaries
  • Edit Hub-wide settings

2.2 Sub Device Group

A logical grouping of devices created by the Client Admin.

  • Based only on devices assigned to the client by Hub Admin
  • Used to restrict visibility for individual Client Users

Example:

  • Hub Admin assigns: 200 devices
  • Client Admin creates:
    • Sub group “Plant 1 Machines” → 62 devices
    • Sub group “Plant 2 Machines” → 48 devices
    • Sub group “Critical Pumps” → 10 devices

Client Users can be assigned one or more sub device groups.

2.3 Sub Asset Group

Same concept as Sub Device Groups but applies to assets:

  • Buildings
  • Rooms
  • Locations
  • Tanks
  • Towers
  • Machines

2.4 Inherited RBAC + ABAC

All Client Users inherit:

  • The same RBAC module permissions as the Client Admin
  • The same ABAC operational permissions

These cannot be changed by the Client Admin.

3. Getting Started as a Client Admin

Allowed Modules (based on RBAC assigned by Hub Admin):

  • Dashboard
  • Devices
  • Assets
  • Alarms & Notifications
  • Reports
  • User Management (Client-level only)
  • Device Groups (Client-level only)
  • Asset Groups (Client-level only)

Restricted Modules (usually not allowed):

  • RulesFlow
  • AI Models
  • Hub Settings
  • Global User Management
  • Device Models / Asset Models

4. How Client Admin Manages Sub Device Groups

4.1 Creating a Sub Device Group

Step 1: Navigate to Sub Device Groups

Menu → Devices → Sub Device Groups

Step 2: Click “Create Sub Device Group”

Step 3: Configure Group

  • Name (e.g., “Plant A Pumps”, “North Wing Equipment”)
  • Description (optional)

Step 4: Add Devices

Client Admin can only select devices that:

  • Belong to the Device Groups assigned by the Hub Admin

Filtering options:

  • Device Model
  • Label search
  • Attribute search
  • Status (active/inactive)

Step 5: Save

The group becomes available for Client User assignment.

4.2 Editing a Sub Device Group

Client Admin can:

  • Add/remove devices
  • Rename group
  • Change metadata

Cannot:

  • Add devices outside their allowed Device Groups

5. Sub Asset Groups (For Assets)

Exactly the same workflow:

Menu → Assets → Sub Asset Groups

Client Admin can organize assets according to their operational structure.

Examples:

  • “Campus A → Floor 1”
  • “Cooling Towers Zone”
  • “Storage Areas Group”

6. Creating and Managing Client Users

A Client Admin can create unlimited Client Users (if allowed by Hub Admin).

6.1 Creating a New Client User

Step 1: Go to Client User Management

Menu → Users → Client Users → Create User

Step 2: Enter User Information

  • Username
  • Email
  • Temporary password / Reset link

Step 3: Assign Sub Device Groups

Select any of the groups the Client Admin created.

A user may have access to:

  • One group
  • Multiple groups
  • All groups

Step 4: Assign Sub Asset Groups

Same process.

Step 5: RBAC + ABAC Assignment

Automatically inherited from Client Admin.

Client Admin cannot:

  • Add new RBAC roles
  • Modify ABAC rules
  • Restrict or widen permissions beyond allowed boundaries

Step 6: Save User

The user can now log in with restricted visibility.

6.2 Editing an Existing Client User

Client Admin can:

  • Change assigned sub device groups
  • Change assigned sub asset groups
  • Reset password
  • Temporarily disable the user
  • Update profile info

Client Admin cannot:

  • Change the user’s RBAC
  • Change ABAC permissions

These remain inherited.

6.3 Disabling or Removing Client Users

Options:

  • Suspend User → temporarily blocks login
  • Delete User → removes the user permanently

A deleted user’s historic actions remain in audit logs.

7. How Access Restrictions Work for Client Users

7.1 Devices
Only devices inside assigned Sub Device Groups.
7.2 Assets
Only assets inside assigned Sub Asset Groups.
7.3 Telemetry
Only from allowed devices.
7.4 Dashboards
If dashboards contain widgets referencing:
  • Devices not assigned → widgets show blank/no data
  • Assets not assigned → assets hidden automatically
7.5 Alarms
Only alarms generated from:
  • Assigned devices
  • Assigned assets
7.6 Reports
Only for their scoped devices/assets.
7.7 Notifications
Restricted to alarms/events within their allowed scope.

8. Best Practices for Client Admins

8.1 Organize Sub Device Groups Based on Real-World Logic

Examples:

  • “Workshop A Sensors”
  • “Critical Pumps”
  • “Production Line 3 Equipment”

8.2 Minimize Overlapping Groups

Avoid giving multiple groups containing the same device to reduce confusion.

8.3 Use Clear Naming Conventions

For example:

  • Area1_Sensors
  • Area2_Cooling_Pumps
  • Zone_B_Machines

8.4 Review User Assignments Regularly

Deactivate unused Client Users.

8.5 Never Share Credentials

Every user must have their own login.

9. Permissions Window: What Client Admin Can and Cannot Do

9.1 Client Admin Can:

  • ✓ Create Sub Device Groups
  • ✓ Create Sub Asset Groups
  • ✓ Create unlimited Client Users
  • ✓ Assign device/asset visibility
  • ✓ Reset Client User passwords
  • ✓ Disable/delete Client Users
  • ✓ Monitor alarms within scope
  • ✓ Access dashboards (view/edit if permitted)
  • ✓ Access reports

9.2 Client Admin Cannot:

  • ✗ Modify RBAC settings
  • ✗ Modify ABAC rights
  • ✗ Create or edit Hub-wide device groups
  • ✗ Access devices outside assignment
  • ✗ Access assets outside assignment
  • ✗ Modify device models or asset models
  • ✗ Modify other Clients’ data

10. Example Scenario

Hub Admin Assumes

  • Client Admin receives 200 devices across 3 device groups
  • RBAC allows Dashboard + Devices + Alarms
  • ABAC allows View Telemetry + Acknowledge Alarms

Client Admin Creates

  • Sub Device Groups
  • “Plant 1 Machines” → 80 devices
  • “Plant 2 Machines” → 60 devices
  • “Critical Alerts Monitoring” → 15 devices

Client Admin Creates Users

User 1: Plant Operator

Assigned:

  • “Plant 1 Machines”

Can:

  • View telemetry
  • Acknowledge alarms

Cannot:

  • See Plant 2 devices
  • Edit dashboards

User 2: Safety Monitoring Team

Assigned:

  • “Critical Alerts Monitoring”

User sees:

  • Only 15 devices
  • Only relevant alarms

User 3: Supervisor

Assigned:

  • All Sub Device Groups

Supervisor sees:

  • All 200 devices
  • But only modules allowed by RBAC

11. Troubleshooting Guide

  • ✔ Check assigned Sub Device Groups
  • ✔ Ensure device belongs to Hub Admin’s assigned group
  • ✔ Operation may not be permitted by ABAC assigned by Hub Admin
  • ✔ Widgets may reference devices outside user’s visibility
  • ✔ RBAC restriction applied by Hub Admin

12. Summary

This document enables Client Admins to:

  • ✔ Manage Client-level device visibility
  • ✔ Organize structure using Sub Device/Asset Groups
  • ✔ Create and manage Client Users efficiently
  • ✔ Maintain strict boundaries using inherited RBAC + ABAC
  • ✔ Operate securely within the Hub Admin’s permissions

DeviceBoard empowers Client Admins to operate independently without compromising system-wide security or integrity.