Roles and access control

trustmint’s thing services are headless backend services — they have no UI of their own. They expose REST APIs (via KrakenD at api.flexgalaxy.ai, and via the console gateway for tenant frontends) that are consumed by multiple frontend apps and external partner systems.

This page describes the role model, the permission-boundary model, how authorization is fully delegated to the DotID policy-engine, and the frontend apps that consume trustmint APIs.

Roles

Role

Responsibility

Access method

Device Manufacturer

Enrolls and provisions devices, manages device inventory and registrars

ThingMake + ThingHub (console.flexgalaxy.ai/…) + API

Tenant User

Views and organizes devices in the account’s repository, manages scopes

ThingHub + API

Platform Admin

Registrar governance (approve/reject), cross-account device management

Arsenal + DeckLoader (StarGate)

A single account may hold multiple roles. A “role” is just a label that determines which DotID policy set applies — there is no RBAC entity in trustmint.

Permission-boundary model

When an account subscribes to trustmint and declares its role(s), the platform automatically assigns the appropriate permission boundaries — no manual setup for the common case.

Account subscribes to trustmint
     │
     ├── Declares role: Device Manufacturer
     │     └── Auto-assign: devices.read, devices.write, events.read, certificates.read
     │
     ├── Declares role: Tenant User
     │     └── Auto-assign: devices.read, events.read
     │
     └── Declares both
           └── Auto-assign: union of both permission sets

Permission boundaries map to DotID’s policy-based access-control model — each role declaration triggers assignment of the corresponding managed policy set. Platform administrators can override permission boundaries manually for edge cases (via SuperCrew).

IAM separation

trustmint does not handle identity or access management:

  • Access keys and secret keys are created and managed by users self-service through AdminCenter (console.flexgalaxy.ai/admincenter/, Service Users page). They sign the factory surface with FGAI-HMAC — see Registration.

  • Authentication is Keycloak — trustmint services are pure OAuth2 Resource Servers; the JWT is the authentication credential only.

  • Authorization is delegated centrally to the DotID policy-engine (below).

Authorization is delegated to DotID’s Policy Decision Point

Per ADR-0004, every trustmint authorization decision is delegated to DotID’s policy-engine via a canPerform(action, resource) contract. trustmint code MUST NOT inspect realm_access.roles, resource_access, or any other Keycloak claim to make an authorization decision. The JWT is authentication; it carries no authorization data trustmint reads.

canPerform(action, resource) → DotID policy-engine (PDP)
  • action is a namespaced verb the operation requires (e.g. registrar:create, provisioning_run:list_all).

  • resource is an opaque FRN or null for global operations.

  • The PDP evaluates the caller’s permission-set assignments and returns allow/deny; callers see only a boolean.

Two migration shapes exist and only these two: a boolean gate (reject if not allowed) and scope widening (admin sees all, user sees own — keep the branch, replace only the boolean). See ADR-0004 for the full contract, anti-patterns, and end state.

Fail-closed. If the policy-engine is unreachable, the client SDK fails closed (deny). A brief 503 on writes is preferable to silent privilege escalation. The SDK implements caching, timeouts, and retry to keep the hot path responsive.

Tenant and platform tools

The frontends that consume the trustmint APIs:

ThingHub

  • URL: console.flexgalaxy.ai/thinghub/

  • KC client: thinghub (flexgalaxy realm)

  • Audience: Tenants

The repository + scope management app: repository listing, scope things management, and a registrar browser with saved filters. (Enrollment lives in ThingMake.)

ThingMake

  • URL: console.flexgalaxy.ai/thingmake/

  • KC client: thingmake (flexgalaxy realm)

  • Audience: Device manufacturers

The manufacturer console: enroll things, provision, and manage registrars. See Registrar/ThingMake/Arsenal.

AdminCenter

  • URL: console.flexgalaxy.ai/admincenter/

  • Audience: Tenants

IAM self-service: users, groups, policies, and access keys (Service Users page).

Arsenal

  • URL: stargate.flexgalaxy.ai/arsenal

  • KC client: arsenal (master realm)

  • Audience: Platform admins

Registrar governance: approve/reject registrar creation and registrar-access requests.

DeckLoader

  • URL: stargate.flexgalaxy.ai/deckloader

  • KC client: deckloader (master realm)

  • Audience: Platform admins

Platform-wide device management across all accounts: cross-account inventory + search, status monitoring, enrollment statistics, and device lifecycle actions (suspend, revoke, transfer).

SuperCrew

  • URL: stargate.flexgalaxy.ai/supercrew

  • Audience: Platform admins

IAM platform administration and permission-boundary overrides.

Tool summary

Tool

Gateway

Audience

Responsibility

ThingHub

Console

Tenants

Repository + scope management

ThingMake

Console

Tenants

Device enrollment + provisioning + registrars

AdminCenter

Console

Tenants

IAM self-service: users, groups, policies, access keys

Arsenal

StarGate

Platform admins

Registrar governance (approve/reject)

DeckLoader

StarGate

Platform admins

Platform-wide device management

SuperCrew

StarGate

Platform admins

IAM administration, permission-boundary overrides