Abstract: Isolating resources between sub-entities. A method includes receiving data from a particular connected device. A memory storing a hierarchical graph that defines a topology for an entity is accessed. Branches or leaves in the graph include a node that represents a connected device, such as a sensor, controller, or computing system. Each connected device is configured to provide data or receive control signals. Each of the branches or leaves can be indicated as belonging to a particular sub-entity. A particular branch from the hierarchical graph having the particular connected device is identified using the graph. A sub-entity to which the particular branch belongs is identified. The method identifies that the particular sub-entity should be isolated from other sub entities. The data from the particular connected device is provided to a set of resources specifically allocated for the particular sub-entity.

Abstract: Enforcing role assignment permissions. A method includes receiving an access request from a given role entity for access to a resource. A hierarchical graph that defines a topology for an entity is accessed to determine a given node associated with the given role entity. One or more ancestor permissions, applying to nodes hierarchically higher in the graph than the given node, and one or more local permission, applying to nodes hierarchically lower in the graph than the given node, are accessed. The method includes determining that the role entity has permission from at least one of the ancestor permissions or the local permissions to perform the access in the access request on the resource. As a result, the role entity is allowed to perform the access in the access request, on the resource.

Abstract: Isolating resources between sub-entities. A method includes receiving data from a particular connected device. A memory storing a hierarchical graph that defines a topology for an entity is accessed. Branches or leaves in the graph include a node that represents a connected device, such as a sensor, controller, or computing system. Each connected device is configured to provide data or receive control signals. Each of the branches or leaves can be indicated as belonging to a particular sub-entity. A particular branch from the hierarchical graph having the particular connected device is identified using the graph. A sub-entity to which the particular branch belongs is identified. The method identifies that the particular sub-entity should be isolated from other sub entities. The data from the particular connected device is provided to a set of resources specifically allocated for the particular sub-entity.