Dynamic Roles are built into Launchpad for the purpose of controlling permissions for various modules and features on KODE OS. Launchpad has a default set of Roles and Permissions. An Administrator can grant permissions to a role, revoke permissions from a role, or create a new role and assign permissions from scratch.
Effective user roles and permissions are fundamental to maintaining security, ensuring data integrity, and optimizing operational efficiency within any software platform. In KODE OS, user roles define precisely what each user can access and manage, safeguarding sensitive data and streamlining workflows. This role-based approach ensures that individuals have the necessary access to perform their responsibilities without unnecessary exposure to other functionalities.
Role-Based Access Control (RBAC) is a method of restricting system access to authorized users. Instead of assigning permissions individually to each user, RBAC assigns permissions to specific roles. Users then inherit these permissions based on the roles assigned to them. Think of it like a set of keys: instead of giving a unique set of keys to every person, you create different keyrings for different roles (Building Manager Keys, Security Team Keys). Anyone assigned the Building Manager role automatically receives the corresponding keys to access specific areas, simplifying access management and enhancing security.
Launchpad defines several core roles, each with distinct levels of access and control over the platform's features. These roles dictate what a user can view, edit, or configure within Launchpad itself.
Beyond the foundational Launchpad roles, KODE OS implements granular, application-specific roles that govern access within individual product modules. These roles ensure that sensitive building and operational data is accessible only to authorized personnel.
For example, KODE OS includes modules such as:
Cloud BMS: Centralized remote monitoring and control of every building system.
FTT: Automated digital commissioning and system testing.
FDD: Alarms, faults, and root cause analysis in real-time.
BBI: In-house business intelligence and analytics for your portfolio.
Maintenance: Automated scheduling and tracking of maintenance tasks.
Building Data Hub: Centralized hub where you can build data pipelines, create custom metrics, and generate actionable insights.
OSS: Optimized Start/Stop powered with ML.
Each of these applications can have its own set of roles (SuperAdmin, Engineering Manager, Property Manager within KODE OS itself) that determine the specific functions a user can perform within that particular application. This layered approach to roles enhances data protection by precisely limiting access to necessary information.
Permissions in KODE OS are structured into distinct types and organized hierarchically to provide fine-grained control.
Read Permissions: Enables users to view information or access specific features within a module or submodule.
Write Permissions: Grants users the ability to modify, create, or delete data and configurations within a module or submodule.
These permissions are organized into various modules (Building BI, Dashboards, Users, etc.) and further broken down into submodules (for example, Users > General). This granular structure allows administrators to tailor access levels precisely, ensuring that users can only perform actions relevant to their responsibilities.
When Single Sign-On (SSO) is enabled for your KODE OS workspace, external Identity Provider (IdP) roles can be mapped directly to KODE OS roles. This process centralizes user role management within your organization's IdP, simplifying administration.
This means that while user authentication occurs in the IdP, their permissions within KODE OS are automatically passed through based on their IdP roles. This capability reinforces the concept that role assignments and modifications are managed in a single, authoritative source.
The comprehensive role and permission system in Launchpad and KODE OS ensures that users receive exactly the access they need—no more, no less. This granular control contributes significantly to overall security by minimizing unauthorized access to sensitive data and functionalities. Furthermore, it enhances operational efficiency by providing a clear framework for user responsibilities, leading to a more streamlined and secure user experience across all KODE OS applications.
To view a list of KODE OS roles:
1. In Launchpad, click Apps. The Apps List page appears.
2. Click KODE OS. The KODE OS Details page appears.
3. Select Roles. The Roles List appears, displaying the name, description, and number of permissions for each role.
From this page you can do the following.
Click the + Add Role button to add a role.
Use the Search field to search for a role.
Click a role to view the details for that role. From there you can edit or delete the role.
To add a role:
1. In the Roles List, click + Add Role. The Add Role page appears.
2. Type a Name and Description for the role.
3. Select the Permissions for the role. The Permissions section is divided into six main modules with various submodules, outlined below.
Building BI: Dashboards, Datasources, Sharings, Templates
Building Data Hub: Pipelines, Schedule
Buildings: General, Areas, Dashboards, Datasources, Devices, Miscellaneous, Points, Systems, Tags
Maintenance: General, Assets, Dashboard, Data Sources, Discovery Logs, Notification Policies, Schedule Logs, Schedules, Task Templates, Tasks
Modules: Admin, Audit, Connectivity, Dashboards, Deployment Audit, Energy Dashboard, FDDV2, FTT, GraphicsV1, GraphicsV2, Marker Icons, Mass Write, MultiTrend, OSS, ScheduleV2
Users: General
There are two kinds of permission for each module and submodule.
Read: View the respective module or feature.
Write: Modify the respective module or feature.
4. Click Save. The role is saved. The Role Details page appears. From this page you can edit the role or delete the role.
For detailed information on module permissions, refer to Permissions.
To edit a role:
1. In the Roles List, select the role you want to edit. The Role Details page appears.
2. Click the Edit button. The Edit Role page appears. Modify the permissions for the role.
Several modules have a Warning symbol next to their name. Hover over the Warning symbol to open an information/attention box that states which roles are connected with each other and must be selected in order to continue.
3. Click Save. The changes to the role are saved. (Click Cancel to cancel any changes.)
To delete a role:
1. In the Roles List, select the role you want to delete. The Role Details page appears.
2. Click the Delete button. A confirmation pop-up window appears.
3. Click Yes, Delete. The role is deleted.
You cannot delete a role if there are still users assigned to that role.
When adding a role, you can base it on another role and modify the permissions as needed.
1. In the Roles List, click the + Add Role button. The Add Role page appears.
2. Type a Name and Description for the role.
3. Click the Copy From Another Role button. The Roles pop-up window appears.
4. Select the role you want to copy and click Save. The Add Role page appears with all of the permissions filled in based on the role you copied.
5. Make the desired modifications.
6. Click Save. The role is saved. The Role Details page appears. From this page you can edit the role or delete the role.
KODE Labs allows client user permissions to be passed through automatically from identity provider platforms as part of the integration. You add a role (IdP role), specify a role for each app (Launchpad, KODE OS, myMSI), and in this way map the IdP role to the app permissions.
Before you add new role mappings, you must have already added the role attributes in the Attribute Mappings section of your IdP and entered that information in KODE Labs. Refer to Enable Single Sign-On (SSO) for more information.
To manage your role mappings:
1. In Launchpad, click Sign in Methods. The Sign In Methods page appears, displaying all the IAM methods set up for your organization.
2. Select the Sign in Method whose roles you want to map.
3. Select the Role Mapping tab.
4. Click the + Assign Role(s) button.
5. In the Assign Role(s) window, enter the following details.
   Role Name/IdP Role Identifier: Name or UID (by which it is uniquely identified in IdP) of the IdP group that you want to map.
   KODE Labs organization Role:
      Launchpad Role (required)
      Choose myMSI and KODE OS roles (optional)
6. Click the Assign Role(s) button. The roles are mapped.
The role management (in KODE Labs) for the users in your IdP is controlled through your IdP, instead of from KODE Labs. Users can sign in to KODE Labs via SSO with the corresponding roles and permissions. All you have to do is add the users to any of your IdP groups or roles (in your IdP settings) that are mapped with KODE Labs roles.
If a user is assigned to more than two roles in your IdP, in KODE Labs the user is assigned the role that is at the top of the list of roles in the Role Mappings page. By default, the order goes from first created to most recently created. The order is customizable.
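The precedence rule above, modelled as first match in list order, with an audit of which mapped roles are shadowed for users who hit several rows. This is an added example, not KODE Labs code; the IdP group names and users are constructed, and only the KODE OS role of each mapping is tracked.

```python
# Added illustration: constructed data, not KODE Labs' API or real group names.
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    idp_role: str      # IdP group name or UID
    kode_os_role: str  # role granted in KODE OS (Launchpad role omitted for brevity)

# Row order as shown on the Role Mapping tab (constructed sample).
MAPPINGS = [
    Mapping("kode-admins", "SuperAdmin"),
    Mapping("kode-engineering", "Engineering Manager"),
    Mapping("kode-property", "Property Manager"),
]

# IdP group membership per user (constructed sample).
DIRECTORY = {
    "alice": ["kode-property", "kode-engineering", "kode-admins"],
    "bob": ["kode-property"],
    "carol": ["facilities-contractors"],  # no mapped group
}

def matches(mappings, groups):
    """All mapping rows the user's groups hit, in list order."""
    held = set(groups)
    return [m for m in mappings if m.idp_role in held]

def resolve(mappings, groups):
    """Role the user receives: the top-most matching row, or None."""
    hits = matches(mappings, groups)
    return hits[0].kode_os_role if hits else None

def audit(mappings, directory):
    """Users matching several rows -> (winning role, roles that were shadowed)."""
    report = {}
    for user, groups in directory.items():
        hits = matches(mappings, groups)
        if len(hits) > 1:
            report[user] = (hits[0].kode_os_role, [m.kode_os_role for m in hits[1:]])
    return report

if __name__ == "__main__":
    for user, (won, lost) in audit(MAPPINGS, DIRECTORY).items():
        print(f"{user}: receives {won}; shadowed: {', '.join(lost)}")
```

Running the audit against the current order and a proposed reordering shows which users would change role before the change is saved.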
KODE OS handles user management based on the conditions we set for each role in Launchpad.
To configure who can add users to KODE OS:
1. In Launchpad, click Apps.
2. Click KODE OS.
3. Select the Roles panel.
4. Select the Role whose permissions for user management you want to modify.
5. Click the Edit button.
6. In the Permissions section, scroll down to Users > General.
7. In the Users section, select the checkboxes for the permissions you want to enable for the selected user role.
8. Click the Constraints link next to the Get Users checkbox. The Get Users pop-up window appears.
9. Select the AssignedInSameBuilding checkbox. Users in the selected user role will then be able to add people in KODE OS only to the buildings they are assigned to.
10. Click Confirm to confirm this choice. (Click Cancel to cancel the change.)
11. Select the checkboxes for Create users and Delete users. This enables the Manage Constraints link for each.
12. Click the Manage Constraints link next to Create users. A pop-up window appears.
13. Specify the type of users you want to allow the selected user role to add in KODE OS. (For example, if you are editing a User Admin role, in the Choose Roles dropdown select the type of users the User Admin role can add in KODE OS.)
14. Click Confirm to confirm the choice. (Click Cancel to cancel the change.)
15. Click the Manage Constraints link next to Delete users and follow the same steps (13 - 14) to specify the type of users you want to allow the selected user role to delete from KODE OS.
16. Click Save. The changes to user management for the selected role are saved.
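A way to review the Create users constraints configured above for indirect escalation, where a role cannot add a sensitive role itself but can add a role that can. This is an added example, not KODE OS code; the data structure, building names, and sample configuration are constructed, and an empty role list is assumed to mean deny.

```python
# Added illustration: a constructed model of the Users > General constraints.
# Field names and the sample configuration are assumptions, not KODE OS's API.
from dataclasses import dataclass

@dataclass(frozen=True)
class UserMgmt:
    create_roles: frozenset = frozenset()  # roles chosen under Create users
    same_building_only: bool = False       # AssignedInSameBuilding constraint

# Constructed sample; "Engineering Manager" is deliberately misconfigured.
POLICIES = {
    "SuperAdmin": UserMgmt(frozenset({"SuperAdmin", "User Admin",
                                      "Engineering Manager", "Property Manager"})),
    "User Admin": UserMgmt(frozenset({"Engineering Manager", "Property Manager"}),
                           same_building_only=True),
    "Engineering Manager": UserMgmt(frozenset({"SuperAdmin"})),
    "Property Manager": UserMgmt(),
}

def may_create(policies, actor_role, actor_buildings, new_role, new_buildings):
    """True if actor_role may add a new_role user to new_buildings."""
    p = policies.get(actor_role)
    if p is None or new_role not in p.create_roles:
        return False  # empty or missing constraint is treated as deny here
    if p.same_building_only and not set(new_buildings) <= set(actor_buildings):
        return False
    return True

def reachable_roles(policies, start_role):
    """Roles obtainable by chaining Create users grants from start_role."""
    seen, stack = set(), [start_role]
    while stack:
        for nxt in policies.get(stack.pop(), UserMgmt()).create_roles:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def indirect_paths(policies, sensitive="SuperAdmin"):
    """Roles that cannot create `sensitive` directly but can via another role."""
    return sorted(r for r, p in policies.items()
                  if sensitive not in p.create_roles
                  and sensitive in reachable_roles(policies, r))
```

In the sample, `indirect_paths(POLICIES)` reports User Admin, because it may add an Engineering Manager and that role may add a SuperAdmin.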