Restrict another account to devices and setups

nxpi · August 17, 2023, 8:42pm

Hi All,

I have been poking around with attempting to restrict another accounts access to list certain devices and setups but are not having much luck.

I have followed the docs and another post I found but no luck.

I have edited the device description, also , any filtering I have done in the json as far as condition and namelike still does not show any devices, I take the condition out at it lists all devices for the user account.

What am I missing?

Marketing-Devices

Device name is: “Marketing/NZRDRMNXPI01”

infobeamer-fw · September 8, 2023, 4:12pm

The problem is that the permission feature cannot be used to restrict visibility within listings. It can only be used to control which operations as allowed/denied.

All the object listings, for example ‘List of assets’, will return all assets. The permission feature can then implement restrictions on which of those assets can be viewed in detail, deleted or updated, but it cannot prevent a user from listing all available assets. Same is true for all other listings like devices/setups or packages.

The reason is that otherwise all kinds of stuff easily breaks: For example a user might have permissions to edit a setup, but then cannot list all assets used already added to such a setup.

nxpi · September 13, 2023, 12:18am

Hi Thanks for the reply.

I have since attempted to restrict access, (still listing all devices) using the JSON in my original post - however, when I apply this to the invited user account, they do not see any devices…

I.e give access to the top two devices only. Listing the rest is fine.
Any assistance would be appreciated.

Screenshot 2023-09-13 121638

infobeamer-fw · September 13, 2023, 12:17pm

For mostly historical reasons, right now accessing a device’s detail page also required access to the setup details of the setup running on the device, so the page can show that information. I’ll see that this behavior is removed so the permission is no longer needed.

Until then it can be fixes as follows. In the policy that grants access to the devices, also add another section that grants access to the setups used by your marketing department. I’ve added a new policy (prefixed [info-beamer support], feel free to rename) in Login - info-beamer for that:

{
  "Action": "setup:detail",
  "Condition": {
    "StringLike": {
      "setup:name": "*Advertising*"
    }
  },
  "Effect": "allow"
}

If you add that to your ACL, the device detail page should work. By the way: What’s helpful while testing ACLs is to create a self-access to your account on the access page, assign that the ACL your testing and then instantly switch between that and your main account using the “Switch account” tab at the top right:

infobeamer-fw · September 13, 2023, 5:24pm

This is fixed now. So the workaround is no longer needed and your existing permission setup should work now.

nxpi · January 24, 2024, 11:56pm

Thanks, sorry I have just jumped back onto this.
I am still having an issue with ACL’s (Likely something very wrong with what i’m doing)

As per post, just attempting to restrict access to all devices apart from those matching description i.e:

I have one ACL to list the devices:

{
  "Statements": [
    {
      "Action": [
        "device:list"
      ],
      "Effect": "allow"
    }
  ],
  "Version": 1
}

another ACL to allow edit on the condition the description contains “AKL Drums” (*)

{
  "Statements": [
    {
      "Action": "device:*",
      "Condition": {
        "StringLike": {
          "device:description": "AKL Drums/*"
        }
      },
      "Effect": "allow"
    }
  ],
  "Version": 1
}

Top two devices i’m attempting to target access to

Currently with the above, I can list but not edit any.

infobeamer-fw · January 25, 2024, 6:30pm

I think you’re matching on “description” when you should match the “location” of a device? Matching the location to “AKL Drums - *” should work.

nxpi · January 28, 2024, 11:51pm

Thanks!, thought it would be something stupid on my part.
Now im underway!, able to sort Device, setup and asset restrictions

sander.juss · April 19, 2024, 11:21am

Hi

I’m trying out this ACL thing as well and i am trying to grant access to only 1 device and 1 setup and all assets for a few people so they cant mess with other devices and setups.

{ 
  "Statements": [ 
    { 
      "Action": "device:*",
      "Condition": { 
        "StringEquals": { 
          "device:description": "Peaukse ekraan"
        } 
      },
      "Effect": "allow"
    },
    { 
      "Action": "setup:*",
      "Condition": { 
        "StringEquals": { 
          "setup:name": "Tolstoi peauks"
        } 
      },
      "Effect": "allow"
    } 
  ],
  "Version": 1 
}

Captureewf4

But when ever i add any kind of condition anywhere it seems to deny access to all devices and setups.

infobeamer-fw · April 19, 2024, 11:44am

This policy on its own doesn’t allow listing devices. The device list call required for that doesn’t have any description that might match, so the first statement in your example evaluates to false, thus denying access to list all devices. You can actually visit the device detail page for this device directly if you happen to know its url.

I suggest you keep the policy at it is, but also add at least the following additional policies to your ACL:

“Device list/read”
“Setup list/read”
“Asset list/read”

That way you can use the device/list view to browse devices.

sander.juss · April 19, 2024, 1:13pm

Thank you
Works perfectly now