In our tenant we have multiple products being developed, some of which use the same LwM2M definitions. If a user deletes/adds/modifies a LwM2M definition we have no tracking in the audit logs of who did that. Everyone on the system needs the ability to add/delete their devices, but technically the device protocols could be a smaller number of people. However, these roles are not decoupled.
A more granular role based access control can help some but even inside a group of administrators it would be helpful to know who made what change. I was going to put another feature request in for post registration actions, because we have the same issue. We add reads to objects like model, hardware version, firmware version, and device type, then somebody else deletes that. We need to separate users that have the ability to add devices to the system vs. having what I'd call tenant setup privileges ... this would include (1) Modifying the device type XML files (2) Installing/modifying applications or microservices (3) Modifying post registration operations.
However, as noted earlier, if I have 5 people with this role and 1 of them got their account compromised and somebody made a malicious modification such as deleting the server device type object, which would cause all devices to fail registrations, I'd like to know which of the 5 people with access made that modification.
Let me know if I should submit a separate feature request or if we can simply couple these operations together in this one.
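The two requirements in the post above (a tenant-setup privilege decoupled from plain device management, and an audit trail that attributes each definition change to a user) can be sketched in a few lines. The following is an added illustration, not Cumulocity code and not the poster's; the role names, the store and the audit record shape are assumptions for the example.

```python
"""Added example (not part of the original thread, not Cumulocity's API):
a definition store that keeps the "tenant setup" privilege separate from
the "device operator" privilege and writes every change attempt, allowed
or denied, to an append-only audit log keyed by the acting user."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Hypothetical role names, assumed for this example.
DEVICE_OPERATOR = "device_operator"  # may add/remove devices only
TENANT_SETUP = "tenant_setup"        # may change LwM2M definitions, apps, post-registration actions


@dataclass
class AuditEntry:
    timestamp: str
    actor: str
    action: str      # "create", "update" or "delete"
    target: str      # definition name
    allowed: bool    # denied attempts are recorded as well
    detail: str = ""


class DefinitionStore:
    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles
        self.definitions: Dict[str, str] = {}
        self.audit: List[AuditEntry] = []   # append-only in this example

    def _record(self, actor: str, action: str, target: str, allowed: bool, detail: str = "") -> AuditEntry:
        entry = AuditEntry(datetime.now(timezone.utc).isoformat(), actor, action, target, allowed, detail)
        self.audit.append(entry)
        return entry

    def _authorize(self, actor: str, action: str, target: str) -> bool:
        # Only the tenant-setup role may touch definitions; log the refusal otherwise.
        if TENANT_SETUP in self.roles.get(actor, set()):
            return True
        self._record(actor, action, target, False, "missing tenant_setup role")
        return False

    def put(self, actor: str, name: str, xml: str) -> bool:
        action = "update" if name in self.definitions else "create"
        if not self._authorize(actor, action, name):
            return False
        self.definitions[name] = xml
        self._record(actor, action, name, True)
        return True

    def delete(self, actor: str, name: str) -> bool:
        if not self._authorize(actor, "delete", name):
            return False
        if name not in self.definitions:
            self._record(actor, "delete", name, True, "no such definition")
            return False
        del self.definitions[name]
        self._record(actor, "delete", name, True)
        return True

    def who_changed(self, name: str, action: Optional[str] = None) -> List[str]:
        """Answer 'which of the administrators did this?' from the audit log."""
        return [e.actor for e in self.audit
                if e.target == name and e.allowed and (action is None or e.action == action)]


def demo() -> DefinitionStore:
    # Constructed sample: two administrators and one plain device operator.
    roles = {
        "alice": {DEVICE_OPERATOR, TENANT_SETUP},
        "bob": {DEVICE_OPERATOR, TENANT_SETUP},
        "carol": {DEVICE_OPERATOR},
    }
    store = DefinitionStore(roles)
    store.put("alice", "server-device-type", "<definition>constructed sample</definition>")
    store.delete("carol", "server-device-type")   # denied, but still logged
    store.delete("bob", "server-device-type")     # allowed, attributed to bob
    return store


if __name__ == "__main__":
    s = demo()
    for e in s.audit:
        print(e)
    print("deleted by:", s.who_changed("server-device-type", "delete"))
```

The point of logging denied attempts as well is that an operator account being used to try a deletion is itself a signal worth investigating, and `who_changed` answers the question in the post directly: of the accounts holding the setup role, which one removed the definition.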
Hi John & Andrew,
Thanks again for sharing! Like with your other idea, we will discuss it next week and come back to you.
Without auditing, definitions can be destroyed or incorrectly updated.