Fine granular access rights possible?

Anonymous
2022-08-15T14:44:44.997+00:00

Hi everyone :)

we would like to use Azure Digital Twins for personalized data (see the European Union's General Data Protection Regulation, short: GDPR).

As far as my interpretation of https://learn.microsoft.com/en-us/azure/digital-twins/concepts-security#permission-scopes goes, it is only possible to allow a user to see all twins or no twins at all. It is not possible to allow a user to see (and query) only a subset of twins. Is this understanding correct?

Is there a way to manage access regulation on individual ADT twins and maybe even on twin properties?

I'm looking forward to your answer :)

best regards,
Chris


2 answers

  1. Anonymous
    2022-08-31T06:26:04.47+00:00

    Hello @QuantumCache
    yes, I considered that. I concluded marker tags are not sufficient.

    The advantage of ADT and ADX is to give the user a broad range of query options. I as a developer can't foresee all these options. Our team decided that we want to enable the user (who is also an engineer in most cases) to write his own ADT and ADX queries. As marker tags don't restrict access, they are not sufficient for our application. No single user will be allowed access to all data. This is due to legal reasons with respect to the European General Data Protection Regulation.

    In my opinion there is currently no solution to my use case. So I created a feature request: https://feedback.azure.com/d365community/idea/a1fc015b-c922-ed11-a81b-6045bd8606d4

    1 person found this answer helpful.

  2. QuantumCache 20,031 Reputation points
    2022-08-16T13:28:34.443+00:00

    Hello @Anonymous Thanks for reaching out on this forum.

    Could you please confirm what kind of actions your audience or users are going to perform, such as read, write, or any other specific action not mentioned in the documentation?

    Is it only specific permission for query?

    • Models: The actions for this resource dictate control over models uploaded in Azure Digital Twins.
    • Query Digital Twins Graph: The actions for this resource determine ability to run query operations on digital twins within the Azure Digital Twins graph.
    • Digital Twin: The actions for this resource provide control over CRUD operations on digital twins in the twin graph.
    • Digital Twin relationship: The actions for this resource define control over CRUD operations on relationships between digital twins in the twin graph.
    • Event route: The actions for this resource determine permissions to route events from Azure Digital Twins to an endpoint service like Event Hubs, Event Grid, or Service Bus.
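    As an added illustration (not part of the original thread), the following custom Azure RBAC role definition grants only the query and read scopes from the list above and nothing else; the subscription, resource group and instance names are placeholders. Note that the narrowest AssignableScope available is the whole Digital Twins instance, so a role like this can limit which operations a user may run but still cannot restrict a user to a subset of twins.

```json
{
  "Name": "ADT Query-Only Reader (example)",
  "IsCustom": true,
  "Description": "Read and query twins, relationships and models; no write access and no event routes.",
  "Actions": [],
  "NotActions": [],
  "DataActions": [
    "Microsoft.DigitalTwins/digitaltwins/read",
    "Microsoft.DigitalTwins/digitaltwins/relationships/read",
    "Microsoft.DigitalTwins/models/read",
    "Microsoft.DigitalTwins/query/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.DigitalTwins/digitalTwinsInstances/<INSTANCE_NAME>"
  ]
}
```

    Create it with `az role definition create --role-definition <file>` and assign it per user with `az role assignment create --role "ADT Query-Only Reader (example)" --assignee <user> --scope <instance scope>`; the assignment scope is again the instance, not an individual twin.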