Overview of device groups
Device groups let you organize and manage access to your devices. A device group has a user-defined name (no white space characters). It must be unique among device groups within a team.
A team owner or admin can assign groups to editors and viewers. You can add group permissions when you send a new user invite, or from the Team page in the portal at any other time. Users can see devices that are assigned to any groups they have access to.
The Firmware Update (FOTA) service requires you to group the devices included in an update by assigning them to a device group.
Device access restriction
If no device groups are assigned to any devices or users, all users in the team can access all devices.
You can use device groups alongside roles to define which users can access which devices. Roles are a general restriction while device groups are a more specific restriction.
Only admins and the team owner can assign groups to devices and users. Editor and viewer access to devices is restricted according to role. Admins and owners are never restricted.
Devices and users can have any number of groups assigned to them.
The rules of access to a device for a non-admin depend on the groups assigned to the device and user, as shown in the following table.
| User's groups | Device's groups | Device visible to user? |
| | | no (2), except for (4) |
| | | no (3), except for (4) |
(1) Any user can access a device that has no groups assigned.
(2) If a user has no device groups assigned, they cannot access any devices that have any device groups assigned. They can only access devices with no groups assigned.
(3) If a user has any device groups assigned, they can access a device that has any of the same device groups assigned. They cannot access devices outside of those groups. They can still access devices with no groups assigned.
(4) The exception is for Bluetooth® Low Energy (LE) devices. Because they are attached to a gateway that can handle any number of Bluetooth LE devices, it is important for all users to see all devices attached to a gateway. If a user can see the gateway (using the rules above), they can always see all devices attached to it, regardless of the device groups assigned to them. Access to those gateways and Bluetooth LE devices is limited by roles and device groups.
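Rules (1) to (4) can be modelled as a small decision function, which is useful for auditing which devices a non-admin reaches only through the gateway exception. This is an added example, not the service's own code; the `User` and `Device` classes, their field names and the sample team are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED_ROLES = {"owner", "admin"}  # admins and owners are never restricted

@dataclass
class Device:
    device_id: str
    groups: frozenset = frozenset()
    gateway: Optional["Device"] = None  # set when this is a Bluetooth LE device on a gateway

@dataclass
class User:
    name: str
    role: str  # "owner", "admin", "editor" or "viewer"
    groups: frozenset = frozenset()

def visible_by_groups(user: User, device: Device) -> bool:
    """Rules (1)-(3): role and group matching only."""
    if user.role in UNRESTRICTED_ROLES:
        return True
    if not device.groups:  # (1) a device with no groups is open to every user
        return True
    # (2) a user with no groups has an empty intersection with any grouped device
    # (3) a user with groups needs at least one group in common with the device
    return bool(user.groups & device.groups)

def can_see(user: User, device: Device) -> bool:
    """Rules (1)-(4): a visible gateway exposes every Bluetooth LE device attached to it."""
    if device.gateway is not None and visible_by_groups(user, device.gateway):
        return True  # (4)
    return visible_by_groups(user, device)

def exception_only(users, devices):
    """Audit helper: (user, device) pairs granted by rule (4) alone."""
    return [(u.name, d.device_id) for u in users for d in devices
            if can_see(u, d) and not visible_by_groups(u, d)]

# Constructed sample team (all names and groups are made up for illustration).
GW = Device("gw-1", frozenset({"lab"}))
DEVICES = [GW, Device("ble-1", frozenset({"prod"}), gateway=GW),
           Device("open-1"), Device("prod-1", frozenset({"prod"}))]
USERS = [User("alice", "viewer", frozenset({"lab"})), User("bob", "editor"),
         User("carol", "admin")]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, [d.device_id for d in DEVICES if can_see(u, d)])
    print("rule (4) only:", exception_only(USERS, DEVICES))
```

The model covers device visibility only; it does not cover device messages and alerts, which are not filtered according to device group.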
The REST API endpoints FetchDevice do not show any of the device's groups that the requesting user is not assigned to. However, the ListMessages endpoint, when no filtering parameters are included, returns messages for all devices associated with an account. This includes devices the user does not have explicit permission to access through device groups.
An editor is allowed to delete devices. The exception is when the device is a member of a group that the editor is not a member of, and that group has any users assigned to it. In that case, deletion is not allowed.
You can organize devices into groups without restricting user access by giving all users the admin role, or by adding all device groups to all editors and viewers.
An admin can restrict a device to admin-only access by re-assigning it to a device group that is accessible only to admins and owners.
Device message restriction
Device messages and alerts are not filtered according to device group. A user on a team can view messages and alerts associated with devices they do not otherwise have access to.
If you want to keep messages hidden for a group of devices, create a separate team for these devices and invite only those users you want to have access.