Restrict another account to devices and setups

Hi All,

I have been poking around with attempting to restrict another account's access to list certain devices and setups but am not having much luck.

I have followed the docs and another post I found but no luck.

I have edited the device description. Also, any filtering I have done in the JSON as far as condition and namelike still does not show any devices; I take the condition out and it lists all devices for the user account.

What am I missing?

Marketing-Devices

Device name is: “Marketing/NZRDRMNXPI01”

The problem is that the permission feature cannot be used to restrict visibility within listings. It can only be used to control which operations are allowed/denied.

All the object listings, for example ‘List of assets’, will return all assets. The permission feature can then implement restrictions on which of those assets can be viewed in detail, deleted or updated, but it cannot prevent a user from listing all available assets. Same is true for all other listings like devices/setups or packages.

The reason is that otherwise all kinds of stuff easily breaks: For example, a user might have permissions to edit a setup, but then cannot list all assets already added to such a setup.

Hi, thanks for the reply.

I have since attempted to restrict access (still listing all devices) using the JSON in my original post - however, when I apply this to the invited user account, they do not see any devices…

I.e. give access to the top two devices only. Listing the rest is fine.
Any assistance would be appreciated.


For mostly historical reasons, right now accessing a device’s detail page also requires access to the setup details of the setup running on the device, so the page can show that information. I’ll see that this behavior is removed so the permission is no longer needed.

Until then it can be fixed as follows. In the policy that grants access to the devices, also add another section that grants access to the setups used by your marketing department. I’ve added a new policy (prefixed [info-beamer support], feel free to rename) in Login - info-beamer for that:

{
  "Action": "setup:detail",
  "Condition": {
    "StringLike": {
      "setup:name": "*Advertising*"
    }
  },
  "Effect": "allow"
}

If you add that to your ACL, the device detail page should work. By the way: What’s helpful while testing ACLs is to create a self-access to your account on the access page, assign it the ACL you’re testing and then instantly switch between that and your main account using the “Switch account” tab at the top right.

This is fixed now. So the workaround is no longer needed and your existing permission setup should work now.

Thanks, sorry I have just jumped back onto this.
I am still having an issue with ACLs (likely something very wrong with what I’m doing).

As per post, just attempting to restrict access to all devices apart from those matching description i.e:

I have one ACL to list the devices:

{
  "Statements": [
    {
      "Action": [
        "device:list"
      ],
      "Effect": "allow"
    }
  ],
  "Version": 1
}

Another ACL to allow edit on the condition that the description contains “AKL Drums” (*)

{
  "Statements": [
    {
      "Action": "device:*",
      "Condition": {
        "StringLike": {
          "device:description": "AKL Drums/*"
        }
      },
      "Effect": "allow"
    }
  ],
  "Version": 1
}

Top two devices I’m attempting to target access to.

Currently with the above, I can list but not edit any.

I think you’re matching on “description” when you should match the “location” of a device? Matching the location to “AKL Drums - *” should work.

Thanks! Thought it would be something stupid on my part.
Now I’m underway! Able to sort device, setup and asset restrictions :slight_smile:

Hi

I’m trying out this ACL thing as well and I am trying to grant access to only 1 device and 1 setup and all assets for a few people so they can’t mess with other devices and setups.

{ 
  "Statements": [ 
    { 
      "Action": "device:*",
      "Condition": { 
        "StringEquals": { 
          "device:description": "Peaukse ekraan"
        } 
      },
      "Effect": "allow"
    },
    { 
      "Action": "setup:*",
      "Condition": { 
        "StringEquals": { 
          "setup:name": "Tolstoi peauks"
        } 
      },
      "Effect": "allow"
    } 
  ],
  "Version": 1 
}


But whenever I add any kind of condition anywhere it seems to deny access to all devices and setups.

This policy on its own doesn’t allow listing devices. The device list call required for that doesn’t have any description that might match, so the first statement in your example evaluates to false, thus denying access to list all devices. You can actually visit the device detail page for this device directly if you happen to know its url.

I suggest you keep the policy as it is, but also add at least the following additional policies to your ACL:

  • “Device list/read”
  • “Setup list/read”
  • “Asset list/read”

That way you can use the device/list view to browse devices.
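
A simplified model of the evaluation described in this answer, as an added example that is not info-beamer's code and not part of the original thread. It shows why a conditional `device:*` statement cannot satisfy a list call and why adding an unconditional list policy fixes it. The evaluator, the `device:detail` action name and the request contexts are assumptions; the policies are the ones posted in the thread.

```python
from fnmatch import fnmatchcase

# Condition operators seen in the thread; anything else fails closed.
OPERATORS = {
    "StringEquals": lambda value, expected: value == expected,
    "StringLike": fnmatchcase,
}

def statement_matches(stmt, action, context):
    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if not any(fnmatchcase(action, pattern) for pattern in actions):
        return False
    for op, checks in stmt.get("Condition", {}).items():
        compare = OPERATORS.get(op)
        for key, expected in checks.items():
            # A key absent from the request (e.g. no description on a
            # list call) makes the condition false.
            if compare is None or key not in context:
                return False
            if not compare(context[key], expected):
                return False
    return True

def is_allowed(policies, action, context):
    # Default deny: at least one "allow" statement must match.
    return any(
        stmt["Effect"] == "allow" and statement_matches(stmt, action, context)
        for policy in policies for stmt in policy["Statements"]
    )

# Policy from the question (device and setup statements as posted).
RESTRICTED = {"Version": 1, "Statements": [
    {"Action": "device:*", "Effect": "allow",
     "Condition": {"StringEquals": {"device:description": "Peaukse ekraan"}}},
    {"Action": "setup:*", "Effect": "allow",
     "Condition": {"StringEquals": {"setup:name": "Tolstoi peauks"}}},
]}
# Unconditional list ACL posted earlier in the thread, standing in
# for the predefined "Device list/read" policy.
DEVICE_LIST = {"Version": 1, "Statements": [
    {"Action": ["device:list"], "Effect": "allow"},
]}

if __name__ == "__main__":
    target = {"device:description": "Peaukse ekraan"}  # constructed context
    print(is_allowed([RESTRICTED], "device:list", {}))
    print(is_allowed([RESTRICTED], "device:detail", target))
    print(is_allowed([RESTRICTED, DEVICE_LIST], "device:list", {}))
```
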

Thank you
Works perfectly now :slight_smile: