This is a minor problem but as I saw three people (including a customer) running into this over the last few days: When you create a user in Cumulocity, who does not have access to the Administration application, and you then log out of your regular account to test that new user, the login screen you get is on the Administration application. When you log in with the correct credentials, you get an “Access Denied” error as the user does not have access to the Administration application. If you manually change the URL to point to the Cockpit application or you open a new tab and get redirected to the Cockpit application as the default one, everything works. Of course all of this is expected from an access rights point of view.
• Not sure what Software AG security policy is but you get different error messages when you do not have rights to access the application (“Access denied”) vs. when you provide invalid credentials (“Invalid credentials”). Isn’t it dangerous that in the first case we point out to a potential hacker that the username/password combination they tried is a valid one?
• Except for the Browser URL bar and the Window name there is no indication of which application a user is trying to log in to. As the URL bar becomes less relevant (showing only the host name or not being shown at all) and the Window name becomes truncated, would it make sense to have some indication on the Administration Login page of which application a user is trying to log in to?
• Would it make sense upon logout to be redirected to the default application of the tenant? (not sure if this makes sense)
Response from RnD:
I spoke to R&D about this. Their suggestion is that instead of Access denied being returned, there should be a redirect to the default application. I think this will cover all three points you raised.
• No Access denied message is ever returned.
• No need for the app name in the returned message.
• It won't matter what app a user logs out from; if the next user is not entitled to use it, they would go to their default app.
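To make the two behaviours concrete, here is an added model of the login flow from the first post and the R&D suggestion above (it is not Cumulocity code; the tenant, user, application names and the SHA-256 stand-in for a password hash are all constructed for the example): `login_before` returns the distinct "Access denied" message, `login_after` redirects to the tenant's default application instead.

```python
"""Constructed model of the Cumulocity login flow discussed in the post."""
from dataclasses import dataclass, field
import hashlib
import hmac


@dataclass(frozen=True)
class User:
    username: str
    password_hash: bytes
    applications: frozenset  # applications this user is entitled to open


@dataclass
class Tenant:
    default_application: str
    users: dict = field(default_factory=dict)


def _hash(password: str) -> bytes:
    # Constructed stand-in; a real deployment uses a slow password hash.
    return hashlib.sha256(password.encode()).digest()


def _authenticate(tenant, username, password):
    """Return the User on valid credentials, else None (constant-time compare)."""
    user = tenant.users.get(username)
    if user is None or not hmac.compare_digest(user.password_hash, _hash(password)):
        return None
    return user


def login_before(tenant, username, password, requested_app):
    """Current behaviour: valid credentials but no entitlement -> 'Access denied'."""
    user = _authenticate(tenant, username, password)
    if user is None:
        return ("error", "Invalid credentials")
    if requested_app not in user.applications:
        return ("error", "Access denied")  # distinct message: confirms credentials were valid
    return ("open", requested_app)


def login_after(tenant, username, password, requested_app):
    """R&D suggestion: valid credentials but no entitlement -> redirect to default app."""
    user = _authenticate(tenant, username, password)
    if user is None:
        return ("error", "Invalid credentials")
    if requested_app not in user.applications:
        return ("redirect", tenant.default_application)  # never 'Access denied'
    return ("open", requested_app)


def demo_tenant():
    """Constructed tenant: one user who may open cockpit but not administration."""
    t = Tenant(default_application="cockpit")
    t.users["alice"] = User("alice", _hash("s3cret"), frozenset({"cockpit"}))
    return t
```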