Sonicu's Blog

Understanding SoniCloud Users, Groups, Permissions and SSO

Written by Sonicu team | Jul 1, 2022 6:55:33 PM

SoniCloud offers users a multitude of options when it comes to platform customization, improving ease of use. 

SoniCloud implements a fine-grained, flexible permission structure to ensure that users can only see what they need to see and access what they need to access. 

This ensures your SoniCloud system stays in a regulatory-compliant setup with no upkeep. 

It’s important to understand how this system is implemented as you consider the SoniCloud system.

SoniCloud Users

SoniCloud users can view one (or more) sites, depending upon the size of their organization and what their permissions include. 

SoniCloud users log in via their email address and can have site-specific:

  • Alarm Notification Methods: These determine how a user can be notified about an alarm. 
  • SoniCloud supports email, SoniCloud Mobile push notifications, SMS, and phone calls. 
  • Alarm notification methods are set up by Manager and Admin permission level users for other users without those permissions, ensuring tiered alarming across an organization
  • Individual iOS and Android users can opt to receive push notifications when logging into the SoniCloud mobile app

Alarm Escalation Settings: Escalation settings allow alarm escalation to occur in a flexible manner, ensuring that the right people get alarm notifications at the right time. For example, maybe facilities teammates should receive immediate alarms, while department management is notified if alarms haven’t been acted upon within 12 hours. This is how alarm escalation adds an extra layer of asset protection 

Alarm Repeating Settings: Ensure an alarm is never missed by enabling repeating alarm notifications. All alarms that haven’t been resolved or snoozed can continue to send alarm notifications to users.

Alarm Notification Schedule: Set up flexible notification schedules and only get notified outside of work hours.

Groups and permission levels will be further explained below. 

Passwords

Passwords have a specified minimum length for added security, and require 1 or more upper-case letters, lower-case letters, numbers, and special/symbol characters.

Passwords will also expire and require a reset after a certain period, and accounts will be locked out following successive failed login attempts. The duration of these lockouts can be further customized.

Each SoniCloud user can belong to one or more groups 

These groups are assigned to a Zone, which gives users the ability to view points in that zone.

In the example above, there are two zones: 

  • Pharmacy Zone, consisting of the Pharmacy Fridge and Pharmacy Freezer
  • Dietary Zone: consisting of Dietary Fridge and Dietary Freezer

There are also three groups: 

Facilities, Pharmacy Managers, and Dietary Managers 

A user who belongs to the Pharmacy Managers group would only be able to see the points in the Pharmacy Zone.

A user who belongs to the Dietary Managers group would only be able to see the points in the Dietary Zone

A User who belongs to the Facilities group, however, would be able to see both the Pharmacy Zone and the Dietary Zone.  

This ensures each user only sees information relevant to them. 

SoniCloud Permission Levels

SoniCloud permission levels allow for fine-grained capabilities on a per-site basis. 

If a user has access to multiple sites, they can have different permissions levels for each site – for instance, a user may need to have Admin permissions at a central location, but only View permissions at satellite locations. 

Sonicu recommends limiting Manager and Admin permission levels to only critical teammates to ensure that changes aren’t made that unintentionally affect others in the system.

  • Basic: A User who has the capacity to view points, run reports, and view alarms. However, they cannot take action on said alarms.
  • View: User who can view points, run reports, and take action on alarms.
  • Manager**: View User permissions, plus the ability to edit View Users and control alarm notifications.
  • Admin: User who can manage alarms, reports, points, users, and the general configuration of the site.

These permissions levels are not enabled by default – contact Sonicu Support to determine if these permissions levels would be a benefit to your organization

SoniCloud Single Sign-On (SSO) Support: SoniCloud offers Single Sign-On (SSO) support via the Security Markup Language (SAML), the industry standard for logging in users to multiple applications via a single authentication method. 

SoniCloud leverages AWS Cognito as the SAML federation provider. This allows a customer to pair with SoniCloud and leverage SAML and their internal Active Directory (AD) implementation to provide SSO for SoniCloud. 

 Sonicu recommends SSO be enabled for all customers, as this allows customer IT to enforce desired security settings, including: 

  • Multi-factor authentication
  • Password complexity requirements
  • Password rotation requirements

 

Technical Setup Requirements: Enabling SSO starts with an exchange of technical contact information between Sonicu and the customer. 

 The customer will be asked to provide the following information:

  • SAML2.0 Metadata file
  • Enable the email address of the user to be sent via the `email` attribute
  • A list of domains that users will be registering with (ex. any subsidiary domains)
  • Is IdP Signout flow (SLO) desired?

 Sonicu will provide the following information:

  • ACS URL
  • Entity ID
  • Signed Responses: Not required
  • Name ID format: persistent

After this information is exchanged, a 30-minute meeting will be scheduled between Sonicu IT and the customer IT to enable SSO and validate the SSO connection. 

After this, all existing user accounts for the customer will be swapped to SSO.

What else changes with SSO?

Sonicu technical support will no longer be able to send password reset emails – this must be done via the customer’s IT processes. Customers must ensure that all users who may need SoniCloud access are added to the correct AD groups prior to having the users log in. 

To leverage the SoniCloud Mobile app, users will be required to follow the SSO flow on their mobile devices. If a user decides to use a personal mobile device (PMD), they must abide by their IT policy on PMDs.

Authentication vs Authorization

SoniCloud’s SSO implementation is limited to authentication – that is, SSO is utilized to determine if a user has met the requirements to be logged in. 

SoniCloud does not utilize SSO for authorization – that is, to determine which groups a user should be in (and, therefore, which points of monitoring they have access to). 

User authorization will still be handled by the permission levels and groups described earlier in this document.
View full post