Access Management
Configure access control in TelemetryOS
User & Access Management
TelemetryOS uses role‑based access control (RBAC) so teams can collaborate safely while protecting production systems. Instead of assigning permissions user‑by‑user, you organize people into groups that reflect responsibilities, and those groups carry permission sets. This keeps access predictable as your organization grows and makes audits straightforward.
Access model
RBAC in TelemetryOS centers on groups that define what members can see and do across content, applications, devices, and administration. Membership can be managed directly in the administration interface. Permissions are evaluated according to least privilege, so users receive only the access that their assigned groups grant. All sign‑ins and sensitive actions are logged, giving you a clear audit trail for operational and compliance needs.
Identity and authentication
TelemetryOS supports several sign‑in methods, so you can match authentication to your security posture. Passkeys provide passwordless, phishing‑resistant login using device biometrics or hardware security. OAuth with Google or GitHub suits teams already standardized on those providers. Email and password are available as a universal fallback and should be paired with multi‑factor authentication (MFA) where passkeys are not in use.
| Method | Best for | Security notes |
|---|---|---|
| Passkeys (passwordless) | Broad user base on supported devices | Phishing‑resistant; device‑bound credentials; recommended default |
| Google / GitHub OAuth | Teams standardized on those providers | Inherits provider policies; convenient for technical users |
| Email + Password | Universal fallback | Require periodic rotation |
Provisioning and lifecycle
Most teams invite users by email so accounts appear automatically on first sign‑in. For high‑control environments, administrators can create accounts directly and enforce re‑authentication for sensitive changes. When someone leaves a team, disabling the account (or removing the group membership that grants access) is immediate and reversible, and it preserves audit continuity. Larger organizations often automate changes using the API or SCIM so access aligns with HR systems.
Groups and permission design
Groups work best when they mirror real‑world responsibilities. A content‑focused group can publish playlists and manage media without touching device settings. An operations group can monitor devices, apply overrides, and perform safe bulk actions. Administrative groups handle billing, user management, and integrations. Keeping these areas distinct reduces accidents and makes least‑privilege practical day to day.
| Role | Typical scope | Primary users |
|---|---|---|
| Content Manager | Media library, playlists, templates | Marketing and communications |
| Developer | Applications, SDK, API configuration | Engineering and technical teams |
| Operations | Devices, monitoring, emergency overrides | IT and field operations |
| Administrator | Global administration and governance | Platform owners |
| Viewer | Read‑only visibility | Stakeholders and auditors |
Governance and best practices
Adopt simple rules that scale: grant the minimum permissions needed, separate duties between content, operations, and administration, and review membership on a regular cadence. Require MFA (or passkeys) for elevated roles and use shorter session lifetimes for administrators. If your security model benefits from network controls, consider IP allowlisting for the administration interface, recognizing that identity‑based controls should remain primary. Rotate API keys, retire unused accounts promptly, and export audit logs to your SIEM when centralized visibility is required.
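A membership review along these lines can be scripted. The sketch below is an added example, not TelemetryOS code: the export field names, the choice of Administrator as the only elevated role, and the 90‑day idle threshold are all assumptions, and the sample users are constructed.

```python
from datetime import date

# Duty areas the page says to keep separate, keyed by role name from its role table.
SEPARATED = {"Content Manager": "content", "Operations": "operations",
             "Administrator": "administration"}
ELEVATED = {"Administrator"}   # assumption: which roles count as elevated
STALE_DAYS = 90                # assumption: threshold for an "unused" account

# Constructed sample export; the field names are hypothetical.
USERS = [
    {"email": "ana@example.com", "groups": ["Administrator"],
     "auth": "passkey", "mfa": False, "last_sign_in": "2024-05-28"},
    {"email": "ben@example.com", "groups": ["Administrator", "Content Manager"],
     "auth": "password", "mfa": False, "last_sign_in": "2024-05-30"},
    {"email": "cy@example.com", "groups": ["Operations"],
     "auth": "password", "mfa": True, "last_sign_in": "2024-01-10"},
    {"email": "di@example.com", "groups": ["Viewer"],
     "auth": "oauth", "mfa": False, "last_sign_in": "2024-05-31"},
]


def review(users, today):
    """Return sorted (email, finding) pairs for accounts that break a rule."""
    findings = []
    for user in users:
        groups = set(user["groups"])
        # Separation of duties: at most one of content/operations/administration.
        areas = sorted({SEPARATED[g] for g in groups if g in SEPARATED})
        if len(areas) > 1:
            findings.append((user["email"], "mixed duties: " + "+".join(areas)))
        # Elevated roles need a passkey, or MFA on top of another method.
        strong = user["auth"] == "passkey" or user["mfa"]
        if groups & ELEVATED and not strong:
            findings.append((user["email"], "elevated role without MFA or passkey"))
        # Unused accounts are candidates for retirement.
        idle = (today - date.fromisoformat(user["last_sign_in"])).days
        if idle > STALE_DAYS:
            findings.append((user["email"], f"no sign-in for {idle} days"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in review(USERS, date(2024, 6, 1)):
        print(f"{email}: {finding}")
```
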
Common organizational patterns
Agencies or MSPs that serve multiple brands often use a single tenant with clearly separated groups for each client, along with content folders and device groups that match that structure. Franchise models typically grant corporate teams global brand control while allowing franchisees localized content and device management. In both cases, groups and folders mirror the organization so access is intuitive and auditable.
Compliance and audit
TelemetryOS maintains a SOC 2 control environment through TelemetryTV. Authentication events, permission changes, content publications, and device actions are recorded for review. Retention defaults meet common audit needs and can be extended for Enterprise customers. For deeper integration, export logs to your SIEM to unify visibility across systems.
For sign‑in options, see Authentication & Login.