Access and permissions

To access the Digital Twin Registry in your tenant’s workspace, you need — besides access to the tenant itself — the corresponding roles to work with the Digital Twin Registry.

Your tenant manager can grant you access and permissions, also for technical clients (technical users). As a tenant manager, handle user management with the Multitenant Access Control portal.

Available default roles for Digital Twin Registry:

Digital Twin Registry for Twins:

Name | Description | Role key
Twin Viewer | Required to see the application and its contents in your tenant’s workspace. With only that role, users can browse the Digital Twin Registry for Twins. | VIEWER
Twin Manager | Additionally, with this role, users have Write permissions for Twins. | TWIN_MANAGER
Aspect Operator | With this role, users have Write permissions for the Aspect APIs of the Twins. | ASPECT_OPERATOR

Digital Twin Registry for Asset Administration Shells:

Name | Description | Role key
AAS Viewer | Required to see the application and its contents in your tenant’s workspace. With only that role, users can browse the Digital Twin Registry for Asset Administration Shells. | AAS_VIEWER
AAS Manager | Additionally, with this role, users have Write permissions for Asset Administration Shells. | AAS_MANAGER
Submodel Access Reader | With this role, users have Read permission for the AAS submodel-descriptor access endpoint. Only required for Eclipse Dataspace Connector (EDC) clients. | SUBMODEL_ACCESS_READER
AAS EDC BPN Viewer | With this role, users have access-controlled Read permission for AAS resources in combination with the EDC-BPN header. Resource visibility depends on the defined access rules. Only required for Eclipse Dataspace Connector (EDC) clients. | AAS_EDC_BPN_VIEWER

Async Digital Twin Registry:

Name | Description | Role key
Message Operator | With this role, users have Read permission for message client credentials. | MESSAGE_OPERATOR

As a developer, note that the role URN included in the token is constructed as follows:

urn:macma-application-role:<tenant-id>:<client-id>:<role-key>

The placeholders mean:

  • <tenant-id> — Your tenant ID.

  • <client-id> — Part of the credentials for your technical client. The client credentials were created when the corresponding module was created. See also Modules: Grant access for technical clients.

  • <role-key> — Is indicated for each role in the role overview.
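The following is an added example of how a service could evaluate the role URNs described above; it is not code from the Digital Twin Registry or the Multitenant Access Control portal. It assumes the role URNs have already been extracted from a validated token into a list of strings, and that no URN component contains a colon (the page does not state otherwise).

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

URN_PREFIX = "urn:macma-application-role"

# Role keys exactly as listed in the role overview above.
TWIN_ROLE_KEYS = {"VIEWER", "TWIN_MANAGER", "ASPECT_OPERATOR"}
AAS_ROLE_KEYS = {"AAS_VIEWER", "AAS_MANAGER", "SUBMODEL_ACCESS_READER", "AAS_EDC_BPN_VIEWER"}
ASYNC_ROLE_KEYS = {"MESSAGE_OPERATOR"}
KNOWN_ROLE_KEYS = TWIN_ROLE_KEYS | AAS_ROLE_KEYS | ASYNC_ROLE_KEYS


@dataclass(frozen=True)
class RoleUrn:
    tenant_id: str
    client_id: str
    role_key: str

    def __str__(self) -> str:
        # urn:macma-application-role:<tenant-id>:<client-id>:<role-key>
        return f"{URN_PREFIX}:{self.tenant_id}:{self.client_id}:{self.role_key}"


def parse_role_urn(urn: str) -> Optional[RoleUrn]:
    """Parse a role URN of the documented shape; return None for anything else."""
    parts = urn.split(":")
    if len(parts) != 5 or ":".join(parts[:2]) != URN_PREFIX:
        return None
    tenant_id, client_id, role_key = parts[2], parts[3], parts[4]
    if not (tenant_id and client_id and role_key):
        return None
    return RoleUrn(tenant_id, client_id, role_key)


def granted_role_keys(token_roles: Iterable[str], tenant_id: str, client_id: str) -> Set[str]:
    """Known role keys granted to exactly this tenant/client pair.

    URNs for another tenant or client, unknown role keys and malformed
    strings are ignored, so a TWIN_MANAGER grant in a different tenant
    does not translate into write access here.
    """
    granted = set()
    for urn in token_roles:
        parsed = parse_role_urn(urn)
        if parsed is None or (parsed.tenant_id, parsed.client_id) != (tenant_id, client_id):
            continue
        if parsed.role_key in KNOWN_ROLE_KEYS:
            granted.add(parsed.role_key)
    return granted


def has_role(token_roles: Iterable[str], tenant_id: str, client_id: str, role_key: str) -> bool:
    return role_key in granted_role_keys(token_roles, tenant_id, client_id)


# Constructed sample: the role list a token might carry (not real identifiers).
SAMPLE_TOKEN_ROLES = [
    "urn:macma-application-role:tenant-a:client-1:VIEWER",
    "urn:macma-application-role:tenant-a:client-1:TWIN_MANAGER",
    "urn:macma-application-role:tenant-b:client-1:AAS_MANAGER",      # other tenant
    "urn:macma-application-role:tenant-a:client-9:ASPECT_OPERATOR",  # other client
    "urn:macma-application-role:tenant-a:client-1:SUPERUSER",        # unknown key
    "urn:other:garbage",                                              # malformed
]
```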