RBAC Robotics Platform SSO: Security for fleets

In operational practice, companies are often faced with the challenge that different employee groups require different levels of access to the robot fleet. A director of operations must view global performance data, while a local facilities manager is only allowed to adjust daily cleaning schedules. Without a structured role-based access control (Role-Based Access Control, RBAC), security gaps arise due to shared passwords or overprivileged user accounts.

werob solves this problem through a hardware-agnostic abstraction level. Since werob has over 44 different OEM partners in its catalog, it would be administratively impossible to maintain separate user systems for each type of robot. The werob platform bundles this complexity. RBAC ensures that the principle of least privilege is consistently implemented. This is particularly critical when humanoid robots or complex service units operate in publicly accessible areas such as hotels or nursing homes. Under no circumstances should unauthorized access to the control level be possible.

The implementation of RBAC by werob takes place in the Spec Engine phase. Within 48 hours, werob translates the operator's workflow into a technical specification that also defines the necessary role profiles. This ensures that regulatory requirements are part of the system design from the start.

Single Sign-On (SSO) is the key to scalability. As a company scales from a two-robot pilot to a full-scale fleet of 50 or more units, manual user management becomes a bottleneck. werob offers prefabricated connectors into the operator's existing IT stack. Whether Microsoft Azure AD, Okta or Ping Identity, the integration is seamless using industry standards such as SAML 2.0 or OpenID Connect.

The advantage for the operator is twofold. Firstly, security increases because if an employee leaves, their access to the entire robot fleet can be revoked centrally and immediately. There are no orphaned accounts on individual robot terminals. Secondly, acceptance among employees increases. If the nursing staff in a facility controls the robots for the medication round, which enables a cost reduction of €92,000 per location per year, access must be as barrier-free as possible. There is no need to log in again with cryptic passwords.

This depth of integration distinguishes werob from pure hardware resellers. While an OEM only secures its own system, werob provides the operational level for the entire fleet, regardless of whether robots from Keenon, Pudu or Boston Dynamics are in use. The werob Cockpit acts as a central entry point that verifies the user's identity and delegates the corresponding authorizations to the connected subsystems.

A crucial factor for the implementation of RBAC and SSO is the legal landscape in Europe. The new EU Machinery Regulation 2023/1230, which is mandatory from January 20, 2027, imposes stricter requirements on cybersecurity and protection against unauthorized interference. Robots that are classified as machines must be protected against corruption and manipulation. Unsecured access to the control interfaces can lead to liability for the operator.

werob offers the necessary compliance path here. By logging every access in the live cockpit and the strict separation of user roles, the system meets the requirements for traceability and integrity. This is particularly important in sensitive areas such as nursing, where home supervision and standards such as ISO 13482 strictly regulate the use of robotics. A revision log in the werob cockpit shows at any time who made which changes to the configuration and when.

In addition to the machine regulations, standards such as IEC 62443 apply for industrial cybersecurity. werob ensures that communication between the cockpit, the connectors and the robots is encrypted and that the identity verification via SSO meets the highest security standards. With werob, operators only pay when the system is running (outcome-only), which also includes the successful acceptance of the security and compliance structures.

The reality in modern companies is heterogeneous. A hotel might use Pudu robots for room service to achieve cost savings of €112,000 per year, but at the same time rely on specialized cleaning robots from another manufacturer. Without a higher-level platform like werob, the IT department would have to validate and maintain its own security concept for each manufacturer. This inevitably leads to security silos.

whoever breaks down these silos. The Supplier Match process ranks over 44 OEM partners against the customer's specific requirements, but the access level remains consistent. This means that the RBAC configuration is defined once in the werob system and applies to all connected robots. werob's connectors translate these central commands into the manufacturer-specific protocols.

This hardware agnosticism is a core differentiator. Operators are not tied to a single manufacturer (vendor lock-in), but can still enforce a consistent security policy across their entire fleet. Whether it's transporting laundry in a hospital or patrolling a security robot, identity control remains in the hands of the operator, managed via the werob Cockpit.

Security through RBAC and SSO is not an end in itself, but rather serves operational continuity. In logistics, incorrect operation by untrained staff can lead to downtimes that cost thousands of euros per hour. Precise role definitions minimize the risk of human error. An employee in the dishwashing room who operates a tray bot (cost reduction of €76,000 per year) only sees the start and destination buttons on his interface, while route planning remains blocked for him.

In the hotel industry, SSO enables quick training of seasonal employees. New employees don't have to be trained in five different robot systems. You log into the usual company portal and find the robot functions relevant to your shift. This significantly reduces the training effort and ensures that the targeted savings, such as €54,000 in bar and breakfast preparation, are actually realized.

Werob's commercial model supports this focus on results. Since customers only pay when the robot is in operation, werob bears the risk of integration. Providing a secure RBAC structure is part of the delivery promise: eight weeks from initial contact to productive use. During this time, not only will the robots be delivered, but the digital identities and access paths will also be neatly integrated into the operator stack.

The cockpit is werob’s central operating level. All data streams come together here. The integrated 4-dimensional traffic light system monitors hardware, infrastructure, regulations and compliance with the specification in real time. RBAC is the invisible layer that determines who sees which traffic light and who is allowed to intervene in the event of a disruption.

If a robot in a golf club reports a deviation when collecting balls (cost relief of €38,000), the responsible greenkeeper is informed via push notification. His access via SSO allows him to check the status and restart the robot if necessary. An external maintenance partner, on the other hand, receives access to the more detailed diagnostic data using the same login method, but without being able to view the club's operational plans.

This transparency is crucial for trust in the technology. The cockpit not only provides operational data, but also serves as an audit tool for the compliance department. Every interaction with the fleet is documented in an audit-proof manner. This is an essential part of werob's promise to translate an operator's workflow into a usable and safe robot specification.

A direct comparison illustrates the added value of an integrated RBAC and SSO solution compared to operating robots individually. In the traditional world, every new robot leads to an exponential increase in administrative complexity. At werob, the effort remains almost constant, regardless of the number of manufacturers or locations.

This comparison shows why who acts as a system integrator and not as a simple hardware dealer. Technical integration into the operator stack, for example in SAP EWM or Opera PMS, requires a consistent identity level that can only be guaranteed by a cross-platform solution like werob.

The path to a securely managed robot fleet is standardized and fast at werob. It all starts with the Spec Engine. Within 48 hours, the operational workflow is analyzed. The necessary roles and access authorizations are already defined. In this phase, it is also clarified which SSO standards are used in the company.

After the supplier match has identified the suitable robots from over 280 deployable models, the technical connection is made via the werob connectors. In this phase, the interfaces to systems such as PointClickCare or MatrixCare are activated and the identity verification is configured. The goal is a seamless transition from the manual process to the automated, safety-controlled fleet.

The finished offer is usually available in week five and the robot is in use in week eight. Since werob follows an outcome-only model, the successful integration of RBAC and SSO is a prerequisite for commercial completion. The operator does not take any financial risk until security and functionality have been proven in live operation. This guarantees maximum alignment with the customer's operational goals.