Some of the users have very limited access and don't have any read/create rights on Inventory nor MEA.
In a custom UI, I need to generate some internal events upon a user action and these events will be listened by some EPL rule.
To link these events, I need to create a single virtual device which will not be visible to the users.
Everything works fine when the above is being done via a user who has admin rights on everything.
However, if I log in with a user who has limited access, then I get permission denied when either creating/getting the MO or creating the internal events.
I have seen the option of the c8y_Global fragment: It is possible to make any object accessible by any user without specific rights. To grant those rights just add a new fragment called c8y_Global to the object.
So I added this fragment to the MO and to the new events.
Now the user with limited access can READ the MO, but he can create neither the MO nor any events.
Am I missing something? Shouldn't the global fragment allow the user to perform any type of action on the object?
Mmmm, ok, thank you. So we have no way to create some type of internal event not visible to the user if they don't have the event Admin rights in their assigned role?
You might be able to use inventory roles instead. For inventory roles you can restrict access to a specific event type. So the user could only create the event type you allow but not others.
Inventory roles are meant to be assigned to groups of managed objects to restrict access to some of these groups. If all your managed objects are group members, you can just assign users the inventory role to all these groups.
This sounds to me like a typical use case of a microservice using the service user. So the microservice has the permission to create the MO & Event, but the user doesn't need to, and just calls the endpoint of the microservice with the required parameters.
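One way to build the endpoint described in the reply above, as an added example in Python (not code from the thread or from Cumulocity itself): the service user's credentials come from the environment variables the platform injects into the microservice container, the virtual device carries c8y_Global so limited users can read it, and the endpoint accepts only an allow-listed event type from the caller, so the caller needs no event Admin rights and cannot push arbitrary fragments through the service user. The device type, the event types and the injected `post` callback are assumptions made for the example.

```python
import base64
import os
from datetime import datetime, timezone

# Assumed names for this example: the hidden virtual device's type and the
# only event types the custom UI is allowed to raise through the endpoint.
VIRTUAL_DEVICE_TYPE = "c8y_InternalEventSource"
ALLOWED_EVENT_TYPES = {"custom_ButtonClicked", "custom_FormSubmitted"}


def service_user_headers(env=None):
    """Basic-auth headers for the service user; C8Y_TENANT/C8Y_USER/C8Y_PASSWORD
    are injected by the platform into the microservice container."""
    env = os.environ if env is None else env
    creds = f"{env['C8Y_TENANT']}/{env['C8Y_USER']}:{env['C8Y_PASSWORD']}"
    token = base64.b64encode(creds.encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "Accept": "application/json"}


def virtual_device_payload(name):
    """Managed object the service user creates once (POST /inventory/managedObjects).
    c8y_Global makes it readable by every user; only the service user can write it."""
    return {"name": name, "type": VIRTUAL_DEVICE_TYPE,
            "c8y_IsDevice": {}, "c8y_Global": {}}


def internal_event_payload(source_id, event_type, text, now=None):
    """Event body for POST /event/events. Rejects any type outside the allow-list."""
    if event_type not in ALLOWED_EVENT_TYPES:
        raise ValueError(f"event type not allowed: {event_type}")
    now = now or datetime.now(timezone.utc)
    stamp = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return {"source": {"id": source_id}, "type": event_type,
            "text": text, "time": stamp}


def handle_user_action(post, source_id, action):
    """Endpoint body: the caller sends only a type and a text; everything else,
    including the source device and the credentials, is fixed server-side.
    `post(path, body)` is the HTTP call, injected so this runs offline in tests."""
    event_type = str(action.get("type", ""))
    text = str(action.get("text", ""))[:500]   # cap free text from the UI
    body = internal_event_payload(source_id, event_type, text)
    return post("/event/events", body)
```

Any extra keys the caller adds to `action` (for example a c8y_Global fragment) are dropped, because the event body is rebuilt from the two whitelisted fields only.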