Atria Dashboard Access Model

Overview

This document describes a simple tag-based access model for dashboards in the Atria application.

Users are identified by email
Each user has a list of dashboard tags
Each dashboard exists as a React route
A user can access a dashboard if and only if they have the matching tag

Example

User: a@b.com
Tags: [water-dashboard, gateways-dashboard]

Accessible Routes:
- /monitor/water-dashboard
- /monitor/gateways-dashboard

There is no additional mapping layer.
Tags == dashboard routes.

Core Concept

DynamoDB stores users and their tags
React routes are named to match tags
Authorization is performed by checking whether the user has the tag that matches the route

Frontend (React)

Purpose

Provide dashboard access based on the authenticated user’s tags.

Flow

User logs in via Amazon Cognito
Frontend calls GET /me/tags
Backend returns the user’s tag list
Frontend:
- Displays only dashboards the user has access to
- Prevents navigation to routes without matching tags

Routing Model

Each dashboard is a route that directly matches a tag:

/monitor/:dashboardTag

Examples:

/monitor/water-dashboard
/monitor/gateways-dashboard

UI Behavior

Dashboard List Page

No tags:
You currently don’t have access to any dashboards. Please contact your administrator.
Has tags:
- Render one dashboard card per tag
- Clicking a card navigates to /monitor/{tag}

Dashboard Page

On load:
- Verify the route tag exists in the user’s tag list
- If not, display an Access Denied message

Backend (AWS Lambda + API Gateway)

Purpose

Return the authenticated user’s dashboard tags
Allow admins to manage user tags
Serve dashboard data after access validation

API Endpoints

Endpoint	Method	Purpose	Auth

Endpoint	Method	Purpose	Auth
/me/tags	GET	Retrieve tags for logged-in user	User
/admin/tags	PUT	Set tags for a user (by email)	Admin
/dashboard/{tag}	GET	Retrieve dashboard data	User

Authorization Rule

A request to /dashboard/{tag} is allowed only if:

tag ∈ user.tags

DynamoDB Data Model

Table: UserTags
Stores users and their dashboard access tags.

Key Schema

Attribute	Type	Description

Attribute	Type	Description
PK	String	USER#<email>
SK	String	PROFILE

Attributes

Attribute	Type	Description

Attribute	Type	Description
Email	String	User email
Tags	String Set	Dashboard tags
UpdatedAt	Number	Epoch timestamp

Example Item

{
  "PK": "USER#a@b.com",
  "SK": "PROFILE",
  "Email": "a@b.com",
  "Tags": [
    "water-dashboard",
    "gateways-dashboard"
  ],
  "UpdatedAt": 1730836800
}

Dashboard Definition

Dashboards do not exist in DynamoDB as entities.

A dashboard is defined by:

A React route: /monitor/{tag}
A frontend component (e.g. WaterDashboard.jsx)
A backend data query tied to {tag}

Backend Data Access Flow

When /dashboard/{tag} is requested:

Lambda extracts the user email from Cognito
Fetches the user record from DynamoDB
Validates {tag} exists in Tags
If valid:
- Query AWS Timestream / DynamoDB
If invalid:
- Return 403 Forbidden

DevOps / Infrastructure

AWS Services

Amazon Cognito – Authentication
DynamoDB – UserTags table
AWS Lambda – API logic
API Gateway – HTTP endpoints
AWS Timestream – Time-series device data
Infrastructure as Code – CDK / Terraform / CloudFormation

IAM Permissions

Lambda	Required Permissions

Lambda	Required Permissions
/me/tags	dynamodb:GetItem
/admin/tags	dynamodb:PutItem, dynamodb:UpdateItem
/dashboard/*	dynamodb:GetItem, timestream:Query

Access Summary

Users have tags
Tags define dashboard access
Routes map directly to tags
No tag = no access

This approach is:

Simple
Explicit
Easy to secure
Easy to extend (add a dashboard = add a tag)