User Management & RBAC
The MDM platform implements role-based access control (RBAC) to manage what each user can see and do.
Role Hierarchy
Roles form a hierarchy where higher roles inherit all permissions of lower roles:
```
Super Admin (Platform Operator)
└── Owner (Organization Owner)
    └── Admin (Organization Admin)
        └── User (Standard User)
            └── Viewer (Read-Only)
```
Role Permissions
Viewer
- View device list and status
- View telemetry and GPS data
- View fleet map
- View alert history
- View configuration (read-only)
User
Everything Viewer can do, plus:
- Acknowledge alerts
- Resolve alerts
- Trigger device commands (reboot, sync)
- View configuration profiles
Admin
Everything User can do, plus:
- Create, edit, delete devices
- Create and deploy configuration profiles
- Deploy firmware updates
- Manage alert rules
- Create and manage geofences
- Invite users (up to their own role level)
Owner
Everything Admin can do, plus:
- Manage all users in the organization
- Delete users
- Change user roles
- Modify organization settings
- View billing and usage
Super Admin
Everything Owner can do, plus:
- Access all organizations
- Create/delete organizations
- Assign devices across tenants
- Access operations console
- View platform-wide metrics
- Manage firmware uploads
User Management
Inviting Users
Admins and Owners can invite new users:
- Navigate to Users → Invite
- Enter the user’s email address
- Select a role (cannot exceed your own role)
- Click Send Invitation
- User receives an email with a signup link
- After signup, they’re added to your organization with the assigned role
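The role inheritance from Role Permissions and the invite ceiling ("cannot exceed your own role") can be enforced server-side as in the sketch below. This is an added example, not the MDM platform's code; the permission labels, `MIN_ROLE`, and all function names are hypothetical.

```python
from __future__ import annotations
from enum import IntEnum

class Role(IntEnum):
    # Order follows the page's Role Hierarchy; higher values inherit lower ones.
    VIEWER = 1
    USER = 2
    ADMIN = 3
    OWNER = 4
    SUPER_ADMIN = 5

# Hypothetical permission labels for bullets under Role Permissions. Each is
# registered once, at the lowest role that holds it.
MIN_ROLE = {
    "devices.view": Role.VIEWER,
    "alerts.acknowledge": Role.USER,
    "devices.command": Role.USER,
    "devices.edit": Role.ADMIN,
    "firmware.deploy": Role.ADMIN,
    "users.invite": Role.ADMIN,
    "users.change_role": Role.OWNER,
    "users.remove": Role.OWNER,
    "orgs.access_all": Role.SUPER_ADMIN,
}

def is_allowed(role: Role, permission: str) -> bool:
    """Deny by default: a permission missing from MIN_ROLE is refused."""
    required = MIN_ROLE.get(permission)
    return required is not None and role >= required

def effective_permissions(role: Role) -> set[str]:
    """Everything the role holds, including what it inherits."""
    return {p for p, minimum in MIN_ROLE.items() if role >= minimum}

def parse_role(raw: str) -> Role | None:
    """Map an untrusted role string from a request body to a Role, or None."""
    return Role.__members__.get(raw.strip().upper().replace(" ", "_"))

def can_invite(inviter: Role, requested_role: str) -> bool:
    """Check behind Users -> Invite. The role arrives in a request the client
    controls, so the ceiling is enforced here and not only in the form."""
    invited = parse_role(requested_role)
    if invited is None or not is_allowed(inviter, "users.invite"):
        return False
    return invited <= inviter  # an invite never grants more than the inviter has
```
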
Editing Users
- Navigate to Users
- Click on a user
- Modify:
  - Display name
  - Role (Owners can change roles)
  - Active/inactive status
- Click Save
Removing Users
- Navigate to Users
- Click the user to remove
- Click Remove User (requires Owner role)
- Confirm removal
Authentication
Login Methods
| Method | Description |
|---|---|
| Email + Password | Standard login with bcrypt-hashed passwords |
| API Token | For programmatic access (no browser required) |
Password Requirements
- Minimum 8 characters
- Must include uppercase, lowercase, and a number
- Passwords are hashed with bcrypt (10+ rounds)
Session Management
- Sessions use HttpOnly JWT cookies
- Token expiry: 24 hours (configurable)
- Refresh tokens extend sessions without re-login
- Single active session per user (new login invalidates old)
API Tokens
For programmatic access (scripts, integrations):
- Navigate to Settings → API Tokens
- Click Generate Token
- Name the token and select scopes:
  - devices:read — Read device data
  - devices:write — Create/modify devices
  - telemetry:read — Query telemetry
  - config:write — Push configuration
  - firmware:deploy — Deploy updates
- Set expiration (optional)
- Copy the token (shown only once)
Token Usage
```bash
curl -H "Authorization: Bearer YOUR_TOKEN" \
  https://mdm-api.telisky.com/api/devices
```
Audit Trail
All user actions are logged:
| Event | Logged Data |
|---|---|
| Login | User, IP, timestamp, success/failure |
| Device action | User, device, action, result |
| Config change | User, profile, devices affected |
| User management | Who changed what for whom |
| Firmware deploy | User, version, target devices |
Access the audit log at Settings → Audit Log (Owner/Admin).