Skip to Main Content
Cumulocity IoT Feedback Portal
Status Likely to support/improve
Categories Platform Management
Created by Guest
Created on Jul 20, 2021

Device Role permissions should not take precedence over Admin role

Follow on from Support ticket raised (5447129) - Prod (v10.6.6.31) - Device Role permissions takes precedence over Admin role.

Text of the ticket below:

Hi Support,

Upon upgrading our Prod tenancy to v10.6.6.31 - we were performing login tests and noticed a change in behaviour when users have multiple permissions assigned and try to log in.

On previous versions (e.g. v10.4.6.22), when a user was assigned Admin role in conjunction with Devices role, Admin permissions and settings associated with this role took precedence. For example, users with both roles were still prompted to login with TFA.

In v10.6.6.31, when user is assigned Admin and Devices role together, the Device role permissions appear to take precedence. User is not forced to login with TFA, instead can login without any TFA. This is a security risk.

It is noted an active user logging into the platform should not be assigned devices role, however in the chance customer does accidently assign Devices role to a user in conjunction with other roles, then Admin role settings and permission should take precedence so that the customer's security position is not compromised.

Our feature request suggests that Devices role should not take precedence over an admin role.

  • Attach files