I'm writing a new agent for Cumulocity using the examples from the BitBucket repository. I managed to create a new driver and communicate with the company service. Now I want to update a ManagedObject, but not the device of my Agent.

Using the device credentials I'm able to list the MOs, but when I try to update one (adding a new property) I receive an Access Denied exception.

Do device credentials have limited permissions? Can I only update child devices?

I checked this: using normal credentials and Postman, I was able to update the device.

Mariusz Kraj

1 Answer

The devices group (which is assigned to device users) does not give you full ADMIN access to inventory. Therefore you can only update objects that you are the owner of. It is not limited to childDevices but basically to everything that is created by you with that device user.

Of course you can adjust the permissions of this group; however, I wouldn't recommend that. ADMIN access to inventory gives you in the end full access to all data as you can in theory just update every object that you are the owner and then you can read all data from this object.

Devices should have as few permissions as possible.

TyrManuZ
  • Thank you very much for such a quick response. I understand the security risks. Can you tell me where I can change those permissions? Should I assign a role or group to the device? – Mariusz Kraj Jun 19 '18 at 15:04
  • You should have a role "devices" in your tenant. This is the role that is assigned to all device users. You can simply add the permission in this role. – TyrManuZ Jun 20 '18 at 08:02
  • My friend told me a slightly better approach: in Administration > Device Credentials you can change the role of a specific device. – Mariusz Kraj Jun 20 '18 at 13:42
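
The ownership rule described in the answer, as an added example that is not part of the original thread and not Cumulocity's own code: it predicts which updates a device user would be denied and audits for device users that were given inventory ADMIN. The `owner` field and `ROLE_INVENTORY_ADMIN` are Cumulocity names; the record shape, the `device_` naming assumption, the function names and all sample data are hypothetical and constructed.

```python
"""Simplified model of the ownership rule from the answer.
All records below are constructed samples, not real API responses."""

INVENTORY_ADMIN = "ROLE_INVENTORY_ADMIN"  # global write access to the inventory
DEVICE_PREFIX = "device_"                 # assumption: device users are named device_<id>


def can_update(user, managed_object):
    """Allowed if the user holds inventory ADMIN or owns the object."""
    if INVENTORY_ADMIN in user["roles"]:
        return True
    return managed_object.get("owner") == user["userName"]


def plan_updates(user, managed_objects):
    """Split object ids into (allowed, denied) before the agent sends any update."""
    allowed, denied = [], []
    for mo in managed_objects:
        (allowed if can_update(user, mo) else denied).append(mo["id"])
    return allowed, denied


def overprivileged_device_users(users):
    """Audit: device users that were granted inventory ADMIN."""
    return sorted(u["userName"] for u in users
                  if u["userName"].startswith(DEVICE_PREFIX)
                  and INVENTORY_ADMIN in u["roles"])


# Constructed sample data
AGENT = {"userName": "device_agent-001",
         "roles": ["ROLE_INVENTORY_READ", "ROLE_INVENTORY_CREATE"]}
OBJECTS = [
    {"id": "1001", "name": "agent", "owner": "device_agent-001"},
    {"id": "1002", "name": "child sensor", "owner": "device_agent-001"},
    {"id": "2001", "name": "other device", "owner": "device_other-007"},
    {"id": "3001", "name": "asset", "owner": "admin"},
]
USERS = [
    AGENT,
    {"userName": "device_other-007", "roles": ["ROLE_INVENTORY_READ", INVENTORY_ADMIN]},
    {"userName": "admin", "roles": [INVENTORY_ADMIN]},
]

if __name__ == "__main__":
    print(plan_updates(AGENT, OBJECTS))        # objects the agent may / may not update
    print(overprivileged_device_users(USERS))  # device users holding inventory ADMIN
```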