I have been poking around with attempting to restrict another account's access to list certain devices and setups but am not having much luck.
I have followed the docs and another post I found but no luck.
I have edited the device description. Also, any filtering I have done in the JSON as far as condition and namelike still does not show any devices; I take the condition out and it lists all devices for the user account.
The problem is that the permission feature cannot be used to restrict visibility within listings. It can only be used to control which operations are allowed/denied.
All the object listings, for example ‘List of assets’, will return all assets. The permission feature can then implement restrictions on which of those assets can be viewed in detail, deleted or updated, but it cannot prevent a user from listing all available assets. Same is true for all other listings like devices/setups or packages.
The reason is that otherwise all kinds of stuff easily breaks: For example, a user might have permissions to edit a setup, but then cannot list all assets already added to such a setup.
I have since attempted to restrict access (still listing all devices) using the JSON in my original post - however, when I apply this to the invited user account, they do not see any devices…
I.e. give access to the top two devices only. Listing the rest is fine.
Any assistance would be appreciated.
For mostly historical reasons, right now accessing a device’s detail page also requires access to the setup details of the setup running on the device, so the page can show that information. I’ll see that this behavior is removed so the permission is no longer needed.
Until then it can be fixed as follows. In the policy that grants access to the devices, also add another section that grants access to the setups used by your marketing department. I’ve added a new policy (prefixed [info-beamer support], feel free to rename) in Login - info-beamer for that:
If you add that to your ACL, the device detail page should work. By the way: What’s helpful while testing ACLs is to create a self-access to your account on the access page, assign that the ACL you're testing and then instantly switch between that and your main account using the “Switch account” tab at the top right:
I’m trying out this ACL thing as well and I am trying to grant access to only 1 device and 1 setup and all assets for a few people so they can't mess with other devices and setups.
This policy on its own doesn’t allow listing devices. The device list call required for that doesn’t have any description that might match, so the first statement in your example evaluates to false, thus denying access to list all devices. You can actually visit the device detail page for this device directly if you happen to know its url.
I suggest you keep the policy as it is, but also add at least the following additional policies to your ACL:
“Device list/read”
“Setup list/read”
“Asset list/read”
That way you can use the device/list view to browse devices.
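
The evaluation behaviour described in this thread, as an added example that is not part of the original posts and is not info-beamer's code or policy syntax: a toy default-deny evaluator in Python. The statement format, the action names (`device:list`, `device:read`, `setup:read`) and the sample devices and setups are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample inventory (not real data).
DEVICES = {
    1: {"description": "marketing lobby", "setup_id": 10},
    2: {"description": "marketing entrance", "setup_id": 10},
    3: {"description": "warehouse", "setup_id": 20},
}
SETUPS = {10: {"name": "marketing loop"}, 20: {"name": "warehouse board"}}

def allowed(acl, action, context):
    """Default deny: allow only if a statement matches the action AND its condition."""
    for stmt in acl:
        if not fnmatchcase(action, stmt["action"]):
            continue
        like = stmt.get("like", {})
        # A condition on an attribute the call does not carry evaluates to false.
        if all(k in context and fnmatchcase(context[k], p) for k, p in like.items()):
            return True
    return False

def list_devices(acl):
    # The list call has no per-device attributes, so description conditions never match.
    if not allowed(acl, "device:list", {}):
        return None
    return sorted(DEVICES)  # listings are all-or-nothing, never filtered per object

def device_detail(acl, device_id):
    dev = DEVICES[device_id]
    if not allowed(acl, "device:read", dev):
        return "denied: device"
    # The detail page also shows the running setup, so setup access is needed too.
    if not allowed(acl, "setup:read", SETUPS[dev["setup_id"]]):
        return "denied: setup"
    return "ok"

# Hypothetical ACLs mirroring the three stages discussed in the thread.
DEVICE_ONLY = [{"action": "device:*", "like": {"description": "marketing*"}}]
WITH_SETUP = DEVICE_ONLY + [{"action": "setup:read", "like": {"name": "marketing*"}}]
WITH_LIST = WITH_SETUP + [{"action": "device:list"}]

if __name__ == "__main__":
    for name, acl in [("device only", DEVICE_ONLY), ("+ setup", WITH_SETUP), ("+ list", WITH_LIST)]:
        print(name, list_devices(acl), [device_detail(acl, d) for d in sorted(DEVICES)])
```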