Public, read-only access to a pre-defined cockpit dashboard

cumulocity-demo · February 10, 2023, 7:02pm

What product/components do you use and which version/fix level are you on?

https://www.cumulocity.com/guides/10.15.0/users-guide/cockpit/#dashboards

Is your question related to the free trial, or to a production (customer) instance?

We have an instance due to our partnership with Software AG

I don’t know if it is considered production or free trial.

What are you trying to achieve? Please describe it in detail.

We are trying to export a dashboard with public access, ie. provide a URL that provides read-only
access to a pre-defined dashboard. Have not found any How-to document.

Do you get any error messages? Please provide a full error message screenshot and log file.

We are ok with requiring a login.
If we define a “publicdemo” user, and allow Cockpit User role, the user has read-write access to all dashboards.
Do we need to define a new role? How do we limit the dashboard?

Have you installed all the latest fixes for the products and systems you are using?

Robert_Neale · February 13, 2023, 8:47am

Has publicdemo only got the cockpituser role? In my tenant, a user with that role gets 'Access denied when he tries to unlock a dashboard by clicking the padlock.

Stefan_Witschel · February 13, 2023, 9:23am

A few things to consider:

The user logging for demo purpose must not be the user who created the dashboard. Otherwise he is recognized as “owner” with full read & write access.
Global Roles are additive. So if a user has the cockpit user role and any other global role that contains “Inventory ADMIN” privileges the user can access & change the cockpit and all managed objects (Dashboards, Groups, Devices etc.). So review your roles. Most likely you need the cockpit user role and some inventory roles to specific groups of devices only.

Tristan_Bastian · February 13, 2023, 10:01am

Also note, that by default a new user will also have the roles: ROLE_USER_MANAGEMENT_OWN_READ and ROLE_USER_MANAGEMENT_OWN_ADMIN assigned directly to it even if you remove all of the Global Roles… These roles allow e.g. the user to change their passwords. In case of such a demo user, you would then want to remove the ROLE_USER_MANAGEMENT_OWN_ADMIN role to not allow them to change the password of that user.

cumulocity-demo · February 13, 2023, 2:40pm

I am now using Cockpit user role, even with

Own user management

unchecked it still allows to change the password. We will go ahead
even with this, and will just have to check periodically that the
account is still accessible. If you want to try

https://gambit.us.cumulocity.com/apps/cockpit/index.html#/group/2576/dashboard/118

user publicdemo
password trulythebest!

Robert_Neale · February 13, 2023, 4:32pm

I tried it and the padlock on the dashboard is greyed out - so I can’t edit it.

Isn’t this waht you want?

cumulocity-demo · February 13, 2023, 5:33pm

Yes, that is exactly what we want.
But, the user can still change his PASSWORD, which is not what we want.

Robert_Neale · February 14, 2023, 9:42am

This is working as designed. As mentioned, all users maintained by c8y can change their own password.

There are limitations to this when an external authorization server is used.

https://cumulocity.com/guides/users-guide/administration/#managing-users

“…password reset in Cumulocity IoT is disabled for users created through an external authentication server.”

system · August 13, 2023, 9:42am

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.