Users and Security
Smartonlabs strive to achieve maximum level of security and privacy protection.
We design a custom security model that is optimal for both residential and enterprise users.
Passwordless Design
The first user who initially setup the Hub is the administrator of the Hub (Hub Admin).
Only one master password is required for Hub recovery. Master password never leaves your home.
Hub admin manages mobile device accesses for each user. Each device has its own encryption keys. Mobile access can be easily added/removed.
In another word, except for the initial admin, all other users (including additional admins) don’t need a password. Authentication and authorization is bound to their mobile devices, e.g. Smartphones.
So the problem is reduced to how to distribute the unique encryption key for each mobile device. Read “Manage Mobile Device Access” for more details.
User and Group List
The screen lists all users and groups defined in the system.
Icons marked red are with super user (administrator) privileges.
Security Model
User and Group
Group is a list of users.
Privileges
A user or group may have special privileges.
- System Admin - Super user. A super user has maximum privileges.
- Add Device - The user/group can add new devices to system.
- Add App - The user/group can add new App to system.
- Add App Task - The user/group can add new App Task to system.
- Add Scene - The user/group can add new Scene to system.
- Add User - The user/group can add new user to system.
- Account Enabled - The account is enabled.
Access Control
User/Group may have a list of access to other Libertas-things, such as devices, apps, tasks, and users.
- Read
- For devices, get status
- For other Libertas-things, know the existence
- Control
- For devices, control
- For tasks, turn on/off
- For users, send messages
- Remove; user can remove this object from system
- Config; user can manage the object
- For devices, change attributes
- For tasks, edit the task arguments
- For users, change user attributes; for groups, edit the group members
System Objects
Access control may be defined on types of Libertas-things below:
- Devices
- Logical Devices
- Apps
- Tasks
- Users
Group Privileges/Accesses is Recommended
Inheritance
A user inherits privileges and permissions of all groups the user belongs to.
Note: Use of groups to assign permissions and access controls is recommended.
Privilege Inheritance
In stead of assigning “System Admin” privilege to individual users, it’s recommended to define an “Administrators” group, assigning “System Admin” privilege to the group.
Every user in that “Administrators” group will inherit the “System Admin” privilege.
Access Inheritance
Assuming we have a light named “Front Yard” in the system, if we assign “Read/Write” access of the light to the “Users” group, then every member of “Users” will be able to “Read/Write” the light, meaning getting status and control.
Simplified Security Model for Residential User
- Residential setup can have 3 groups:
- Administrators
- Users
- Guests
Special Notes on Combined Inheritance
A user may be member of more than one groups. The privileges and accesses defined in different groups may be different. The inheritance rules still apply, by combining all privileges and accesses.
Account Enabled
If this flag is unchecked, user will not be able to login to the system.
**Note if a group is disabled, all members (including indirect members through nested sub-groups) will be denied login.
If a user belongs to two groups, and one group is disabled, the user will be disabled, even though another group is not disabled. “Account Enabled” flag is more stringent than other flags.**
Grayed Out Privileges
A privilege may be displayed grayed out. It is because the user/group inherits that privilege from parent groups.
Grayed Out Accesses
An access may be displayed grayed out. It is because the user/group inherits that access from parent groups.