I am working on a multi-tenant customer management system using Cumulocity IoT. I am trying to restrict users so they can only see managed objects that belong to their customer.
What I have done:
Created a user group called “Customer User” with basic roles but WITHOUT ROLE_INVENTORY_READ
Added ROLE_INVENTORY_READ back but assigned specific devicePermissions to users for their customer’s objects
Format used: MANAGED_OBJECT:fleetGeofence:READ
Results:
GET /inventory/managedObjects/{id} — correctly restricts access to only assigned objects
GET /inventory/managedObjects?type=fleet_geofence — returns ALL objects regardless of devicePermissions
Question: Is there a way to make list queries respect devicePermissions? Or is there another approach to restrict users to only see managed objects that belong to their customer?
When you are working in a multi-tenant customer system, you should also use multi-tenant functionality from Cumulocity, e.g., one tenant per customer.
This is the officially supported way to separate any devices & data from other customers in a reliable way. Anything else, e.g., putting multiple customers in one tenant and trying to restrict them with permissions, will most probably lead to issues.
Now back to your question:
What do you mean by devicePermissions? Inventory roles?
In general: Global roles overwrite any inventory role permissions. With ROLE_INVENTORY_READ, ALL managed objects can be read regardless of any inventory roles (or device permissions???) configured.
Thanks in advance, and I appreciate your time, Stefan.
Regarding multi-tenant: We are aware of this approach but our system is designed to manage multiple customers within a single tenant.
To clarify my question — I am using devicePermissions on the user object, which assigns permissions in the format MANAGED_OBJECT:fragmentType:READ for specific managed object IDs. For example:
The issue is that when the user has ROLE_INVENTORY_READ, list queries like GET /inventory/managedObjects?type=fleet_geofence return ALL objects instead of only the ones assigned in devicePermissions.
Is there any way to make list queries respect devicePermissions? Or is the only solution to use separate tenants per customer?
Interesting! I wasn’t even aware that this (still) exists. How did you discover that, as it is not referred to at all in the documentation (just in the Open API spec)? I’m also not sure if this is (still) supported.
As I stated: Global roles ALWAYS overrule any other permissions; that’s the reason you see the following behaviour. Have you tried removing the ROLE_INVENTORY_READ?
I would recommend not using devicePermissions but Inventory roles instead. The same rule for global roles applies there as well. Try to avoid global roles for your scenario or you will end up with users always seeing ALL objects in your tenant.
And yes, it’s all kind of hacky managing multiple customers in a single tenant. You can easily make mistakes and devices/data are exposed to other customers; that’s why we have that multi-tenant approach.
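The precedence rule stated in this reply (a global role such as ROLE_INVENTORY_READ defeats any object-level scoping) is easy to check offline against exported user records. The following audit script is an added example, not code from the thread or from Cumulocity; the user-record layout it reads (roles.references[].role.id and a devicePermissions map keyed by managed-object id) is an assumption.

```python
# Added example (not from the thread or from Cumulocity): flag users whose
# global ROLE_INVENTORY_READ makes their devicePermissions scoping ineffective.
# The field layout (roles.references[].role.id, devicePermissions) is assumed.

# Global role that, per the thread, makes every managed object readable.
INVENTORY_READ = "ROLE_INVENTORY_READ"

def parse_permission(perm: str) -> tuple[str, str, str]:
    """Split 'MANAGED_OBJECT:fleetGeofence:READ' into (api, fragment, action)."""
    parts = perm.split(":")
    if len(parts) != 3:
        raise ValueError(f"unexpected permission format: {perm!r}")
    return parts[0], parts[1], parts[2]

def global_roles(user: dict) -> set[str]:
    """Collect global role ids from the user's role references (assumed layout)."""
    refs = user.get("roles", {}).get("references", [])
    return {ref["role"]["id"] for ref in refs}

def readable_object_ids(user: dict) -> set[str]:
    """Managed-object ids the user is granted READ on via devicePermissions."""
    ids = set()
    for mo_id, perms in user.get("devicePermissions", {}).items():
        for perm in perms:
            api, _fragment, action = parse_permission(perm)
            if api == "MANAGED_OBJECT" and action in ("READ", "*"):
                ids.add(mo_id)
    return ids

def audit_user(user: dict) -> list[str]:
    """Return findings where a global role defeats object-level scoping."""
    findings = []
    roles = global_roles(user)
    scoped = readable_object_ids(user)
    if INVENTORY_READ in roles and scoped:
        findings.append(
            f"{user['userName']}: {INVENTORY_READ} overrides devicePermissions; "
            f"list queries will return all objects, not just {sorted(scoped)}"
        )
    return findings

# Constructed sample user, shaped after the situation described in the thread.
SAMPLE_USER = {
    "userName": "customer-a-user",
    "roles": {"references": [{"role": {"id": "ROLE_INVENTORY_READ"}}]},
    "devicePermissions": {"4711": ["MANAGED_OBJECT:fleetGeofence:READ"]},
}

FINDINGS = audit_user(SAMPLE_USER)  # one finding for the sample user
```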
Thank you for the clarification! I discovered devicePermissions by looking at the OpenAPI spec while experimenting.
I have already tested removing ROLE_INVENTORY_READ and using inventory roles. Without ROLE_INVENTORY_READ, users get 403 on all inventory requests — inventory roles alone don’t seem to grant access to specific objects.
Based on your feedback, it seems like managing multiple customers in a single tenant has fundamental limitations in Cumulocity’s security model. I will discuss the multi-tenant approach with my team as it seems to be the recommended solution.
Yep, I think using multi-tenant is something you won’t regret.
Still, Inventory Roles should work without any global roles. Just double check that you have created a role and assigned it to a user and group.