Roles and access control¶
trustmint’s thing services are headless backend services — they have no UI of their own.
They expose REST APIs (via KrakenD at api.flexgalaxy.ai, and via the console gateway for
tenant frontends) that are consumed by multiple frontend apps and external partner systems.
This page describes the role model, the permission-boundary model, how authorization is fully delegated to the DotID policy-engine, and the frontend apps that consume trustmint APIs.
Roles¶
Role |
Responsibility |
Access method |
|---|---|---|
Device Manufacturer |
Enrolls and provisions devices, manages device inventory and registrars |
ThingMake + ThingHub ( |
Tenant User |
Views and organizes devices in the account’s repository, manages scopes |
ThingHub + API |
Platform Admin |
Registrar governance (approve/reject), cross-account device management |
Arsenal + DeckLoader (StarGate) |
A single account may hold multiple roles. A “role” is just a label that determines which DotID policy set applies — there is no RBAC entity in trustmint.
Permission-boundary model¶
When an account subscribes to trustmint and declares its role(s), the platform automatically assigns the appropriate permission boundaries — no manual setup for the common case.
Account subscribes to trustmint
│
├── Declares role: Device Manufacturer
│ └── Auto-assign: devices.read, devices.write, events.read, certificates.read
│
├── Declares role: Tenant User
│ └── Auto-assign: devices.read, events.read
│
└── Declares both
└── Auto-assign: union of both permission sets
Permission boundaries map to DotID’s policy-based access-control model — each role declaration triggers assignment of the corresponding managed policy set. Platform administrators can override permission boundaries manually for edge cases (via SuperCrew).
IAM separation¶
trustmint does not handle identity or access management:
Access keys and secret keys are created and managed by users self-service through AdminCenter (
console.flexgalaxy.ai/admincenter/, Service Users page). They sign the factory surface with FGAI-HMAC — see Registration.Authentication is Keycloak — trustmint services are pure OAuth2 Resource Servers; the JWT is the authentication credential only.
Authorization is delegated centrally to the DotID policy-engine (below).
Tenant and platform tools¶
The frontends that consume the trustmint APIs:
ThingHub¶
URL:
console.flexgalaxy.ai/thinghub/KC client:
thinghub(flexgalaxy realm)Audience: Tenants
The repository + scope management app: repository listing, scope things management, and a registrar browser with saved filters. (Enrollment lives in ThingMake.)
ThingMake¶
URL:
console.flexgalaxy.ai/thingmake/KC client:
thingmake(flexgalaxy realm)Audience: Device manufacturers
The manufacturer console: enroll things, provision, and manage registrars. See Registrar/ThingMake/Arsenal.
AdminCenter¶
URL:
console.flexgalaxy.ai/admincenter/Audience: Tenants
IAM self-service: users, groups, policies, and access keys (Service Users page).
Arsenal¶
URL:
stargate.flexgalaxy.ai/arsenalKC client:
arsenal(master realm)Audience: Platform admins
Registrar governance: approve/reject registrar creation and registrar-access requests.
DeckLoader¶
URL:
stargate.flexgalaxy.ai/deckloaderKC client:
deckloader(master realm)Audience: Platform admins
Platform-wide device management across all accounts: cross-account inventory + search, status monitoring, enrollment statistics, and device lifecycle actions (suspend, revoke, transfer).
SuperCrew¶
URL:
stargate.flexgalaxy.ai/supercrewAudience: Platform admins
IAM platform administration and permission-boundary overrides.
Tool summary¶
Tool |
Gateway |
Audience |
Responsibility |
|---|---|---|---|
ThingHub |
Console |
Tenants |
Repository + scope management |
ThingMake |
Console |
Tenants |
Device enrollment + provisioning + registrars |
AdminCenter |
Console |
Tenants |
IAM self-service: users, groups, policies, access keys |
Arsenal |
StarGate |
Platform admins |
Registrar governance (approve/reject) |
DeckLoader |
StarGate |
Platform admins |
Platform-wide device management |
SuperCrew |
StarGate |
Platform admins |
IAM administration, permission-boundary overrides |