    Hybrid Cloud Profile Setup

    Semtech recommends setting up three types of profiles in the account: a “user” profile to manage device operations, configuration, and activity, an “authorizer” profile for authorizing operations, and an “administrator” profile for managing users in the system.

    Semtech recommends that, at a minimum, separate “user” and “authorizer” profiles be set up in all Hybrid Cloud-enabled accounts. This prevents a single individual from both making changes within ALMS and approving those changes so that they are sent to the devices. Providing a single user with both sets of rights would defeat the purpose of Hybrid Cloud and eliminate the layer of security that this feature provides. Having separate users and authorizers also prevents a “single point of intrusion” into your account, where a compromise of one individual’s access credentials could render the system insecure. We also recommend that all users enable Two-Factor Authentication on their account (see Security in the Administration documentation).

    The individual who is to be the “Authorizer” needs to install Fortify on their computer. See https://fortifyapp.com/#download_app . Fortify will run in the background while you authorize operations in ALMS Hybrid Cloud.

    Creating Profiles for Hybrid Cloud

    Three profiles that have three distinct roles are recommended:

    • A “user” profile, which will have permission to do the routine tasks involved in maintaining the fleet: create operations, datasets, software updates, and so on. The user profile has no access to the Hybrid Cloud Authorize features.
    • An “authorizer” profile, which will be the security gatekeeper for the fleet, without permission to create operations, datasets or templates, but with permission to approve operations created by the users. This is a “View only” profile.
    • An “administrator” profile, which will have permission to control user rights and manage the creation of users on the platform. This user should be separate from the other two profiles, to maintain the integrity of the solution.

    For more information, see ALMS Administration overview and Managing and editing profiles.

    User Profile Examples

    This example suggests the typical settings that you would give to a User account that will manage the day-to-day activities within ALMS. As with all user profiles, you should understand the specific details and disable any settings that this user does not require for your environment.

    Account network

    • API Client: Select all
    • Company: Select all
    • Labels: Select all
    • Operator > Operator Account: Select all
    • Partners: Select all
    • Partners > Requests: Select all
    • Profiles: Select all
    • SMS > SMS Account: Select all
    • Users: Read

    Accounts

    Accounts settings are not applicable to Hybrid Cloud services.

    Device

    Under Device Management, select Actions.

    Entities

    You can configure the User profile as required (an example is shown on the right), but it is critical that Operations is set to Trigger (as indicated in the example) and that “Approve/Reject” is not selected.

    • Alerts: Select all
    • Alerts > Alert Rule: Select all
    • Applications: Select all
    • Datasets: Select all
    • Gateways: Select all
    • Gateways > Transfers: Select all
    • Operations: Trigger
    • Reports: Select all
    • Settings: Select all
    • Subscriptions: Select all
    • Subscriptions > Operations: Select all
    • Subscriptions > Usages: Select all
    • Systems: Select all
    • Systems > Change: Select all
    • Systems > Network: Select all
    • Systems > Data: Select all
    • Systems > Send: Select all
    • Systems > Settings: Select all
    • Systems > Transfers: Select all
    • Systems > Usages: Select all
    • Zones: Select all

    Server

    Notifications should be selected.

    User Interface

    Under Activities and Dashboards, select all.

    Authorizer Profile Example

    The Authorizer user profile should be set up with “read only” access to the system, other than the Authorize functions.

    Account network

    • API Client: None
    • Company: View administrators, View details
    • Labels: View
    • Operator > Operator Account: View
    • Partners: View
    • Partners > Requests: None
    • Profiles: View
    • SMS > SMS Account: View
    • Users: Read

    Accounts

    Accounts settings are not applicable to Hybrid Cloud services.

    Device

    Under Device Management, select Actions.

    Entities

    For the Authorizer profile, it is critical that all entities apart from Operations be set to View or left unconfigured. Operations must be set to Approve/Reject, as shown in the example on the right.

    • Alerts: View
    • Alert Rule: View
    • Applications: View
    • Datasets: View
    • Gateways: View
    • Transfers: View
    • Operations: Approve/Reject
    • Reports: None
    • Settings: View
    • Subscriptions: View
    • Subscriptions > Operations: None
    • Subscriptions > Usages: None
    • Systems: View
    • Systems > Change: None
    • Systems > Network: None
    • Systems > Data: None
    • Systems > Send: None
    • Systems > Settings: None
    • Systems > Transfers: None
    • Systems > Usages: None
    • Zones: View

    Server

    Notifications should be selected.

    User Interface

    Under Activities, select Configure and Monitor. Leave Dashboards unselected.
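
    The separation between the User and Authorizer profiles described above can be checked mechanically once the profile settings are written down. The following is an added example, not Semtech or ALMS code: the dictionary layout, profile names and people are constructed for illustration, and it assumes that “Select all” on Operations includes Approve/Reject.

```python
# Added example. The dict layout is hypothetical (not an ALMS export format);
# right names are the ones used on this page. Empty set = "None"/unconfigured.
APPROVE, TRIGGER, ALL = "Approve/Reject", "Trigger", "Select all"

def can_approve(entities):
    # Assumption: "Select all" on Operations also ticks Approve/Reject.
    return bool(entities.get("Operations", set()) & {APPROVE, ALL})

def can_trigger(entities):
    return bool(entities.get("Operations", set()) & {TRIGGER, ALL})

def audit_profile(role, entities):
    """Check one profile's Entities rights against the guidance on this page."""
    findings = []
    if role == "user":
        if can_approve(entities):
            findings.append("user profile can Approve/Reject operations")
        if not can_trigger(entities):
            findings.append("user profile cannot Trigger operations")
    elif role == "authorizer":
        if entities.get("Operations", set()) != {APPROVE}:
            findings.append("authorizer Operations is not exactly Approve/Reject")
        for name, rights in sorted(entities.items()):
            if name != "Operations" and rights - {"View"}:
                findings.append(f"authorizer has more than View on {name}")
    return findings

def audit_assignments(profiles, assignments):
    """Return people whose combined profiles can both trigger and approve."""
    flagged = []
    for person, names in sorted(assignments.items()):
        held = [profiles[n][1] for n in names]
        if any(map(can_trigger, held)) and any(map(can_approve, held)):
            flagged.append(person)
    return flagged

# Constructed sample data: profile name -> (role, entities).
PROFILES = {
    "fleet-user": ("user", {"Operations": {TRIGGER}, "Datasets": {ALL}}),
    "fleet-authorizer": ("authorizer", {"Operations": {APPROVE},
                                        "Datasets": {"View"}, "Reports": set()}),
    "bad-authorizer": ("authorizer", {"Operations": {APPROVE, TRIGGER},
                                      "Systems > Send": {ALL}}),
}
ASSIGNMENTS = {"alice": ["fleet-user"], "bob": ["fleet-authorizer"],
               "carol": ["fleet-user", "fleet-authorizer"]}

if __name__ == "__main__":
    for name, (role, entities) in PROFILES.items():
        print(name, audit_profile(role, entities) or "OK")
    print("holds both rights:", audit_assignments(PROFILES, ASSIGNMENTS))
```

    The second check matters as much as the first: two correctly configured profiles still give no separation if one person is assigned both.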
