REST user accounts

Hello,

I’m building an app where users are able to access and manage their devices through Cumulocity. My backend connects to the REST endpoint using a single Cumulocity user account.

Is this approach acceptable, or should I be creating individual Cumulocity user accounts for each of my users instead?

Thanks!

If the single Cumulocity user used in your backend has global access to Inventory, any potential user could see & manage devices they shouldn’t if you are not handling that in your backend code. Also it’s kind of bad practice to store credentials somewhere to access C8Y.

If both users have global access on Inventory and also identical permissions, it doesn’t matter so much (but I doubt this is the case for all users in your case).

The backend should ideally use service users with permissions which are defined in your application/microservice manifest, or forward the user’s credentials / session to authenticate.

To add to Stefan’s comment: If your users can make changes and you use a single user for the Cumulocity API, you would not be able to identify who made which change in Cumulocity (e.g., who sent a command to a device) unless you also completely handle that in your application. This would also apply to a solution where your backend uses service users.

Cheers,
André

Putting on my Security hat…

I always want users to authenticate. Having a generic account tells you that someone did the thing but you have no idea who did the thing. That leaves no audit traceability.

Also, once people leave or change roles, if they know the shared account credentials, those credentials need to be changed or otherwise you’ve got a potentially unhappy ex-employee with some kind of access to your system. That can cause trouble if they are severely unhappy.

Hi all, I appreciate the responses!

I wanted to clarify that users don’t have direct access to Cumulocity. They are authenticated and authorized by our backend, which uses the single Cumulocity account to create operations and device subscriptions through the REST API. The credentials are stored securely.

Observability is not ideal with a single user, but all operations are tracked on the backend and we could also add a user id to Cumulocity operations.

Are there any other limitations such as per user rate limits that I should be aware of if continuing with this approach?
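The two options raised in the thread (Stefan’s suggestion to forward the end user’s credentials instead of a shared account, and the original poster’s idea of stamping an application user id onto each operation when a shared account is kept) side by side, as an added example that is not code from the original posters or from Cumulocity. The tenant host, the fragment name `myapp_RequestedBy`, the service credentials and the sample operation records are all constructed for illustration; the `tenant/username:password` Basic auth format, the `POST /devicecontrol/operations` endpoint, the `deviceId` field and the `c8y_Restart` fragment are standard Cumulocity REST usage, but check them against your tenant’s API documentation before relying on them.

```python
import base64
import json

# Assumed tenant host; replace with your own. Everything in this file is
# constructed for illustration and is not the original poster's backend code.
C8Y_BASE_URL = "https://example.cumulocity.com"

# Custom fragment stamped onto each operation so the requesting application
# user stays traceable when a shared service credential is used. The name is
# an assumption (any custom fragment name works), not a Cumulocity-defined
# field.
REQUESTER_FRAGMENT = "myapp_RequestedBy"


def basic_auth_header(tenant: str, username: str, password: str) -> str:
    """Cumulocity Basic auth encodes 'tenant/username:password'."""
    raw = f"{tenant}/{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_operation_request(device_id, operation, *, forwarded_auth=None,
                            service_auth=None, app_user_id=None):
    """Prepare POST /devicecontrol/operations without sending it.

    Two modes, matching the two options discussed in the thread:
      - forwarded_auth: the end user's own Cumulocity Authorization header is
        passed through, so Cumulocity itself records who created the operation.
      - service_auth: a shared/service credential is used; app_user_id becomes
        mandatory and is written into a custom fragment, otherwise the
        operation would be attributable only to the service account.
    Returns (method, url, headers, body_json).
    """
    if forwarded_auth:
        auth = forwarded_auth
    elif service_auth:
        if not app_user_id:
            raise ValueError("shared credential in use: app_user_id is required for traceability")
        auth = service_auth
    else:
        raise ValueError("no credentials supplied")

    body = {"deviceId": device_id, **operation}
    if app_user_id:
        body[REQUESTER_FRAGMENT] = {"userId": app_user_id}
    headers = {
        "Authorization": auth,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return "POST", f"{C8Y_BASE_URL}/devicecontrol/operations", headers, json.dumps(body)


def operations_without_requester(operations):
    """Audit helper: ids of operations that carry no requester fragment.

    `operations` is the 'operations' array as returned by Cumulocity's
    GET /devicecontrol/operations; only 'id' and the custom fragment key are
    relied on here. Anything listed was created through the shared account
    without the backend recording who asked for it.
    """
    return [op["id"] for op in operations if REQUESTER_FRAGMENT not in op]


# Constructed sample: two operations created through a shared account, one of
# them without the requester annotation.
SAMPLE_OPERATIONS = [
    {"id": "1001", "deviceId": "42", "status": "PENDING", "c8y_Restart": {},
     REQUESTER_FRAGMENT: {"userId": "alice@example.com"}},
    {"id": "1002", "deviceId": "42", "status": "PENDING", "c8y_Restart": {}},
]

if __name__ == "__main__":
    svc = basic_auth_header("t12345", "service_backend", "s3cret")  # constructed credentials
    method, url, headers, body = build_operation_request(
        "42", {"c8y_Restart": {}}, service_auth=svc, app_user_id="alice@example.com")
    print(method, url)
    print(body)
    print("operations with no requester:", operations_without_requester(SAMPLE_OPERATIONS))
```

Forwarding the user’s own credentials makes Cumulocity’s audit trail and permission checks do the work; with the shared-account path the backend is the only place that knows who acted, so the example refuses to build a request without a user id and the audit helper flags any operation that slipped through without one.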