Check any users permissons via API

Hi Community,

i have a relatively open question, just wondering if that is possible to achieve with the Cumulocity IoT API 10.15

What product/components do you use and which version/fix level are you on?

Cumulocity IoT 10.15

Is your question related to the free trial, or to a production (customer) instance?

A tenant to test it for now, on … .cumulocity.com

What are you trying to achieve? Please describe it in detail.

With using the Cumulocity API, i want to check if a user has the permission to see an alarm or to have reading permission on the alarm source device. Is there a way to do that? I want to use a microservice to do that, so i will be using microservice credentials to access the API.

I would answer this one in two ways:

  1. There is an API endpoint to retrieve a Users permissions: GET /user/currentUser. Within the effectiveRoles fragment the users permissions are listed. You can find the endpoint described here
  2. As you want to do this within a Microservice anyhow, note that you can grant specific permissions via the requiredRoles field of your cumulocity.json manifest. The microservice user will get access to all roles defined here (in your case ROLE_ALARM_READ and ROLE_ALARM_ADMIN should be of interest). Here is a link describing the supported manifest fields.

Thanks for your reply @Korbinian_Butz ,

I want to check any registered users permissons, not the one of the current user (which is the generic microservice-user). I can query all users via getUserCollectionResource. The devicePermissions Fragment is empty, but there are information about roles of that user. I think i could query all the roles (including inventory roles) and then check if they allow or disallow the reading of a certain device. But it seems to be a very complicated way to achieve what i want. Is there a different way to do it?

One addition to Korbinians answer:
For 1. you should use the authenticated user and NOT the service user otherwise you’ll perform wrong permission checks as a service user always has global rights as defined in the manifest file.

https://cumulocity.com/guides/microservice-sdk/concept/#users-and-roles

The current user must not be always the generic microservice-user, see my answer above.

There is no good and nice way to perform such permission check as described by you if the user is not authenticating itself against any endpoint.
Global roles are not the issue but effective inventory roles.
This check is very expensive as you need to query all inventory roles & assignments to that user. Also you have to check if the device belongs to a group where the user has at least read permission on and if the inventory role contains the fragment / type to read / write that alarm.

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.