Allowing access to account to a third party using the permissions system

johnniewalker.email · October 17, 2019, 6:57pm

We need to allow access to our info-beamer account to third parties.

Is there a way to limit access to an individual device, or group of devices, and allow content to be added/updated, without having access to other sensitive areas of the account?

We ideally need a method of allowing external users the ability to add/update their own content to a setup, without changing other aspects of the setup/content.

Something like the scroller addon, but allow content to be sent from an external source, maybe rss or similar?

Thanks

infobeamer-fw · October 18, 2019, 7:06am

All access to your account is controlled by “access control lists” (ACL). If you want to create a new restricted access, the first step would be to create a new one. By default it’s empty and thus doesn’t allow any access at all:

This is where policies become important: They define the allowed actions. There are a bunch of managed policies for some use cases, but you can also create your own, if you want to customize. The best way to create the minimal set of permissions required is to use a whitelist approach: Only specify actions you intend to allow. As an example: Drap/Drop or click on the Device list/read policy to add it to your newly created ACL, then click Save ACL.

If you then a user to your account, he/she will only be able to use the Devices tab to inspect what the devices are doing. All other access to your account will be denied. If you want to test an ACL, the easiest way it to create a new self-access by clicking on Create new access… on the access to account page: Give the new access a name and aelect your new ACL, the click Create access.

Click on the gray “Switch accounts” area in the top right corner (or the “Switch accounts” item in the top right menu). Then click on the Switch to this access button of your newly created access:

You will be redirected to the dashboard, but now you don’t have full access but one that’s restricted according to the ACL you created. This allows you to test an ACL before you assign it to an invited user.

Let’s say you want to allow full access to certain devices (like those with a description starting with Development/*). First switch back to your full access by clicking on the top right corner “Switch access” button and select the “Full access to your account” access. Then create a new policy with the following content:

{
  "Statements": [
    {
      "Action": "device:*",
      "Condition": {
        "StringLike": {
          "device:description": "Development/*"
        }
      },
      "Effect": "allow"
    }
  ],
  "Version": 1
}

and give the policy a name, then click on Save:

Finally go to your ACL and drag/drop or click on the new policy to add it to your ACL and again click on Save. The "Condition" in the policy describes when new policy is active. In this case, it is only active for devices with a description starting with "Development/". The "Action" then specifies what is allowed in that case. In this example the user of that ACL can fully edit devices (so rename, delete or reboot them for example).

That’s a general introduction into show to use the permission system. It’s not possible unfortunately to restrict what can be changed within a single setup. So you cannot only allow access to certain options within a setup for example. But if you have an ad.jpg image assigned to a setup, you can use the permission system to allow a user to only replace exactly that single file.

Let me know if that all was a bit helpful and I can always explain more if needed.

johnniewalker.email · October 18, 2019, 8:27am

Thanks for that guide, yes it’s helpful

One thing I’m still confused about is that after creating a new access with ACL/Policies, how do I actually create an account for another person to login and use?

Does the other person need to already have an info-beamer account and they get invited by their email address?

infobeamer-fw · October 18, 2019, 8:43am

Exactly. You can only invite existing users.

ben.davies · April 19, 2022, 8:01pm

This has been helpful in getting to the point of granting another user access to my account, but I’m struggling as to granular control. e.g. I would like another user to upload/manage content, see the snapshot but not be able to reboot or delete a device. Have played with the Policies and checked the Documentation but appear to be missing a trick?

infobeamer-fw · April 20, 2022, 10:27am

If you want to partially allow access, you’ll have to create a new ACL. Go to https://info-beamer.com/permissions/acl, click Create ACL and give it a name and click Create. Then click on your new ACL to get to the screen that allows you to assign policies to your new ACL.

In your case you want to add the following predefined policies:

Device list/read
Package list/read
Asset administration
Setup administration

When done, click on Save ACL. Then go back to https://info-beamer.com/permissions/access. The account accessing your account is listed under “Access by other account”. Click on its Access actions button and select “Edit…”. In the popup there is a ACL dropdown. Select the ACL you created earlier and click on Save and apply.

The user can now manage setups and assets, but cannot modify packages or devices.

Let me know if that worked.

ben.davies · April 30, 2022, 9:00am

Thank you!
Exactly what I was after.
Much appreciated.

ben.davies · August 1, 2022, 7:12pm

I have been playing with Setup / Schedule feature.
All is well but wondering if there is a policy that can be added to an ACL to allow another Account make changes to the Schedule?
Thanks, Ben.

infobeamer-fw · August 2, 2022, 9:03am

Yes. That’s is indeed possible, but there hasn’t been any ready-to-use policies for that yet. They now exist. See Schedule administration and Schedule list/read in the policy list.