Skip to content

Identity Management


The Identity Management Service manages tenants, users and groups within the MindSphere platform. It enables customers to access the User Accounts and Authentication (UAA) service used within MindSphere for identity management and authorization.



A tenant is an organization-specific logical environment for your data. A tenant typically represents a legal entity, such as a company or corporation. MindSphere is a multi-tenant architecture.

A tenant comprises up to two zones for identity management and access control:

  • User zone
    Each tenant has a user zone. It enables users of the tenant to log in and use applications the company has subscribed. Administrators of tenants can manage the users and assign roles in the user zone, to provide users with access to subscribed applications.

  • Provider zone
    The provider zone represent an additional environment required for web application and API development and operation. Each DevOps plan tenant has an additional provider zone, which stores all access-management-related information required for either development or operationsy (e.g., roles, permissions, applications, technical users).

As tenant names are global resources, they must be unique across all MindSphere tenants.

Each user tenant needs to define at least one administrator for managing the users and roles of this tenant.

Users and groups

Every tenant has its own users and has roles available depending on the applications subscribed. A role hereby represents a grouping of permissions required to access an application. By modeling roles as SCIM groups, the User and Roles management in MindSphere follows the SCIM standard (System for Cross-domain Identity Management).

Currently, within the user zone, SCIM groups only are used to represent roles.

In addition, SCIM groups may represent user groups (for managing sets of users), data groups (for managing end customer access to data, assets, etc.) and permissions (for managing more fine-grained access to resources, only within provider zone of a tenant),

Roles and scopes

The following information is relevant for tenants with a provider zone only.

If you expose an API for your web application, scopes define the application specific-permissions. Scope names typically reflect these permissions in a syntax like

<api name>.<permission/action>

Here are examples for the CRUD-permissions of an IoT service:

  • iot.c (permission to create objects in IoT)
  • iot.r (permission to read objects in IoT)
  • iot.u (permission to update objects in IoT)
  • iot.d (permission to delete objects in IoT)

Scopes are mapped to a specific role. A role name has the following syntax:

mdsp:<tenant name>:<application/api name>.<role name/action>

So all scopes above could be mapped to a role called


Application-specific roles and scopes are defined in provider tenants and can be managed within the developer cockpit application. See also HowTo Cloud Foundry application.

OAuth Client

The following information is relevant for tenants with a provider zone only.

An OAuth client (also called technical user) allows your application to acquire a token to access protected resources -- without the need of an interactive user currently using your application.

An OAuth client is useful, for example, for (a) doing regular background activities (batch activites) within your application or (b) if your application is not hosted behind MindSphere Gateway and therefore does not find interactive user tokens in request headers. OAuth clients are defined within the provider zone of your tenant and comprise a client id and client secret, which allow to obtain a token using the client credentials grant (RFC 6749).

OAuth clients for your provider tenant can be aquired as described in the HowTo self-hosted application.


The Identity Management Service exposes its API for realizing the following tasks:

  • List all users of a tenant.
  • Create, get, update, delete users of a tenant.
  • Get all roles the own user has assigned.
  • List all SCIM groups of the user zone of a tenant.
  • Create, get, update, delete SCIM groups of the user zone of tenant.
  • List, add, remove members of a SCIM group of the user zone of tenant.

Example Scenario

The administrator of a brewery wants to prepare the tenant for the new developers of their web application.

Use the Identity Management Service to populate the tenant with new users and assign them the roles required for development (e.g., mdsp:core:StandardUser, mdsp:core:Developer).


To use the identity management API to manage the user zone of a tenant, a basic IoT value plan subscription is required.

API Specification

Download OpenAPI Specification

Any questions left?

Ask the community

Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.