We have a list device widget where I want to give access to the end user to update the device information without providing him with admin access.
Basically, he can update device information from the widget, but he cannot add widgets or other functionalities specific to admins.
Right now, we tried it by providing an inventory role where he can see the device assigned to him only and can update the device information as well, but with this, he can also add widgets and do other actions required by the admin only.
I see two different approaches you could take on this one - one using Inventory Roles, the other using a Service as Proxy.
Option 1: Inventory Roles
A user having the below Inventory Roles set will be able to:
Read all Devices and all their properties within the Device Groups the User has access to
Additionally, he will be able to change fragmentA and fragmentB properties for these Devices. Once a PUT request contains any other fragment, the API will reject it with a 403 Forbidden response.
Keep in mind that you can’t use the Inventory Read/Write Permissions provided by Global Roles for such users - they would overrule these Inventory Roles. Thus, this needs to be maintained on Device Group Level.
Option 2: Device Detail Service
Alternatively, you can write a Microservice that exposes an endpoint to change device details. Grant this Service Inventory-Admin permissions.
Once you have this service, give your Users:
Inventory Read permissions either via global- or inventory role (preferably global as it’s easier to maintain)
Access to this Microservice (can be controlled via global roles)
…and then let your widget call this Microservice to change your Device Details. A benefit of this is that you’re also able to do additional authentication-/validation checks, custom logic or caching in such a Service if needed.
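Added example (not part of the original answer and not platform code): the checks a Device Detail Service as in Option 2 could apply before it writes with its own Inventory-Admin permissions. The fragment names come from Option 1; the device id pattern and the caller_can_read and inventory_put hooks are assumptions to be wired to the platform.

```python
import re
from typing import Callable

# Assumption: the user-editable fragments are the two named under Option 1.
ALLOWED_FRAGMENTS = frozenset({"fragmentA", "fragmentB"})
# Assumption: device ids are short alphanumeric strings.
DEVICE_ID = re.compile(r"[A-Za-z0-9]{1,64}")


class UpdateRejected(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status, self.reason = status, reason


def validate_update(payload: object) -> dict:
    """Return the payload if every top-level key is an allowed fragment."""
    if not isinstance(payload, dict) or not payload:
        raise UpdateRejected(400, "body must be a non-empty JSON object")
    extra = sorted(set(payload) - ALLOWED_FRAGMENTS)
    if extra:
        # Reject rather than silently drop, mirroring the 403 of Option 1.
        raise UpdateRejected(403, "fragments not editable: " + ", ".join(extra))
    return payload


def handle_update(device_id: str, payload: object,
                  caller_can_read: Callable[[str], bool],
                  inventory_put: Callable[[str, dict], None]) -> tuple:
    """Process one widget request and return (http_status, body).

    caller_can_read: hypothetical hook, checks access with the CALLER's identity.
    inventory_put:   hypothetical hook, writes with the SERVICE's credentials.
    """
    try:
        # The id ends up in a request path, so refuse anything unexpected.
        if not isinstance(device_id, str) or not DEVICE_ID.fullmatch(device_id):
            raise UpdateRejected(400, "malformed device id")
        # The service has Inventory-Admin rights; the caller's device scope
        # is therefore enforced here, before any write on their behalf.
        if not caller_can_read(device_id):
            raise UpdateRejected(404, "device not found")
        body = validate_update(payload)
    except UpdateRejected as err:
        return err.status, {"error": err.reason}
    inventory_put(device_id, body)
    return 200, body
```

Without the caller_can_read check, any user with access to the Microservice could change devices outside their own Device Groups, because the write itself is performed with the service's permissions.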