
I am facing a difficulty in creating a role hierarchy as required for my use case in Cumulocity. Basically, I want to show only child roles to a user having a parent role. For example, I want the admin to be shown only the distributor role, which he/she can assign to any user, and if the distributor is logged in, then he/she can see the other roles below them in the hierarchy.

Admin Role

------ Distributor Role

------------ Account user

------------ Tenant User

------------------- Device manager

------------------- Global reader

In the above expression, I want the admin to be shown the distributor only. The distributor will see only account and tenant user. The tenant user will get Device manager and global reader.

Can anyone suggest how I can achieve this in Cumulocity?

1 Answer

I am not sure if I understand the use case entirely, but a few hints:

  • In Cumulocity, permissions are inherited down any hierarchy. You cannot hide something deeper in the hierarchy if you see a parent (explicitly, to make permissions manageable). If you need such a setup, restructure the hierarchy and pull the children up.
  • There are user hierarchies and inventory hierarchies. There are no role hierarchies in the Cumulocity definition of "role". (I assume that you refer to user hierarchies?)
  • I would generally not recommend modeling separate companies or legal entities in a single tenant. A tenant shares things like retention rules (hence data ownership) and business rules, which practically works across companies only for simple scenarios. Also, it is easy to make permission mistakes. For example, a distributor distributes devices to customers, and these customers are competitors. With a wrong permission setup, you can leak data between competitors, which is certainly not acceptable. A better setup is to use several tenants and potentially data broker to distribute selected data up the tenant hierarchy. Tenants are strictly isolated.
André
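The inheritance rule and the competitor-leak scenario from the answer above, as an added example that is not part of the original answer and does not use any Cumulocity API. It assumes a simplified model in which a grant on a node exposes every descendant; all asset, organisation and user names are constructed.

```python
from collections import defaultdict

# Constructed sample hierarchy (child -> parent); not real tenant data.
PARENT = {
    "distributor": None,
    "customer-a": "distributor",
    "customer-b": "distributor",
    "a-device-1": "customer-a",
    "a-device-2": "customer-a",
    "b-device-1": "customer-b",
}
ORG_ROOTS = {"customer-a", "customer-b"}  # competing customers
# Constructed users: bob's grant sits one level too high.
USERS = {
    "alice": {"org": "customer-a", "grants": ["customer-a"]},
    "bob": {"org": "customer-b", "grants": ["distributor"]},
}

CHILDREN = defaultdict(list)
for child, parent in PARENT.items():
    if parent is not None:
        CHILDREN[parent].append(child)

def visible(grants):
    """Assets reachable from the granted nodes (grants inherit downward)."""
    seen, stack = set(), list(grants)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(CHILDREN[node])
    return seen

def owner_of(node):
    """Nearest ancestor that is a customer root, or None for shared nodes."""
    while node is not None and node not in ORG_ROOTS:
        node = PARENT[node]
    return node

def audit(users):
    """Map each user to the assets they can see that belong to another org."""
    leaks = {}
    for name, user in users.items():
        foreign = sorted(a for a in visible(user["grants"])
                         if owner_of(a) not in (None, user["org"]))
        if foreign:
            leaks[name] = foreign
    return leaks

if __name__ == "__main__":
    for name, assets in audit(USERS).items():
        print(f"{name} can see foreign assets: {assets}")
```
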