
User Permissions with client list.


  • Hello all,

    I've got two sites within the mango ecosystem.

    mydomain.mangoautomation.net
    And
    guid.mydomain.mangoautomation.net (Which is accessible from the "client list" tab of mydomain.mangoautomation.net )

    I created a user called "test" in both domains - and gave that person permissions of "user" and "testgroup"

    When I log into guid.mydomain.mangoautomation.net after signing in at mydomain.mangoautomation.net I get the following error:

    Proxy error 403
    'test' does not hold the required role
    

    Ideally, I'd like the user "test" to sign in to mydomain.mangoautomation.net and get redirected to -> guid.mydomain.mangoautomation.net /Custom Page

    Thank you.


  • A little more information: I went to the tab "AUTH TOKENS"

    Within the mydomain.mangoautomation.net - I can create the token.

    When I'm in the guid.mydomain.mangoautomation.net domain - I get the following error when I try to create the token. (Note, happens to all the users there).

    Failed to create authentication token: Access denied — org.springframework.security.access.AccessDeniedException: Must be authenticated via username and password


  • More information -

    The autologin format via URL parameters works in one case:

    https://mydomain.mangoautomation.net/ui/home?autoLoginUsername=publicuser&autoLoginPassword=publicpassword

    But in the case:

    https://guid.mydomain.mangoautomation.net/ui/home?autoLoginUsername=publicuser&autoLoginPassword=publicpassword

    I get the error:

    Proxy error 401
    
    Not authenticated
    

  • They are two completely different domains; it's like logging in to Facebook and assuming you'd also be signed in to LinkedIn because you successfully signed in to Facebook.
    You need to log in to the guid subdomain and store the XSRF token in order to be able to access the system.
    That's what I see from first glance.

    EDIT:
    I take it your two domains are in fact two separate mango instances?
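
Added example, not part of the reply above and not Mango code: a simplified model of two separate instances, each with its own user store, session table and XSRF token, and a client whose cookie jar is keyed by exact host. The cookie names `SESSION` and `XSRF-TOKEN`, the password `pw` and the role `superadmin` are constructed for illustration.

```python
import secrets

class Instance:
    """One server with its own users and sessions (model only)."""
    def __init__(self, host, users):
        self.host = host
        self.users = users        # username -> (password, set of roles)
        self.sessions = {}        # session id -> (username, xsrf token)

    def login(self, username, password):
        record = self.users.get(username)
        if record is None or not secrets.compare_digest(record[0], password):
            return 401, {}
        sid, xsrf = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = (username, xsrf)
        return 200, {"SESSION": sid, "XSRF-TOKEN": xsrf}

    def request(self, cookies, xsrf_header, required_role):
        session = self.sessions.get(cookies.get("SESSION"))
        if session is None:       # a session issued elsewhere is unknown here
            return 401, "Not authenticated"
        username, xsrf = session
        if xsrf_header is None or not secrets.compare_digest(xsrf, xsrf_header):
            return 403, "XSRF token mismatch"
        if required_role not in self.users[username][1]:
            return 403, f"'{username}' does not hold the required role"
        return 200, "ok"

class Client:
    """Stores cookies per exact host, so they are never sent to another host."""
    def __init__(self):
        self.jar = {}

    def login(self, inst, username, password):
        status, cookies = inst.login(username, password)
        if status == 200:
            self.jar[inst.host] = cookies
        return status

    def get(self, inst, required_role):
        cookies = self.jar.get(inst.host, {})
        return inst.request(cookies, cookies.get("XSRF-TOKEN"), required_role)

def demo():
    users = {"test": ("pw", {"user", "testgroup"})}   # constructed sample data
    primary = Instance("mydomain.mangoautomation.net", dict(users))
    node = Instance("guid.mydomain.mangoautomation.net", dict(users))
    c = Client()
    c.login(primary, "test", "pw")
    out = [c.get(primary, "user")[0], c.get(node, "user")[0]]   # primary login only
    c.login(node, "test", "pw")
    return out + [c.get(node, "user")[0], c.get(node, "superadmin")[0]]
```

`demo()` returns `[200, 401, 200, 403]`: the same username on both instances does not carry a session across, and the final 403 is a role check on an already authenticated session.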


  • @mattfox

    Hello Matt,

    Thank you for the response. In the two different domains, I've created the test user, in both. In the problematic guid.mycompany.mangoautomation.net when I access it - I am not redirected to the login screen of the second one.


    Is there a better way to handle client lists? Maybe I could just push the data points from the guid to the primary and then get the user to login there?

    Regarding storing the xsrf - I am able to do this on the primary domain but it does not seem to work on the guid one.

    Thank you,
    Maurice


  • I think before we jump too deep, give me an overview of what it is you're trying to do.
    What is the purpose of your client list?
    Publishers do allow you to move data between instances, to the point of having a central location then forwarding all data to this central location.
    I've got multiple on site ES units which talk back to my main cloud system and allow all respective clients to log in and view their data.


  • @maurice using publishers to push the data to your central server and copying your dashboards over to the central server will probably be the easiest. Cloud connect is then only used for changing configurations on your node. This is generally how most Mango networks are set up. As Mattfox said, it would be helpful to know what your end goal is. There are various options to sync users' credentials, tokens and role restrictions on the server's proxy tab, so if you can give a description of your goal I think @Jared-Wiltshire will be able to advise.


  • Hello @MattFox and @CraigWeb

    Thank you both for walking me through the best practices. I'm still learning the system.

    Currently, we've got 1 client that we built a custom dashboard for. Shortly, I expect to install 2 more Mango devices. My goal is for the 3 clients with unrelated Mango devices to be restricted to viewing their own custom dashboards. I've done a small POC and the role restrictions on the central server accomplish the stated goal.

    My initial thought was to create a user in the proxy server, but I'd much sooner use the standard Mango network setup and push the data to the central server - being a newbie I just did not realize that was the best practice. I suspect that design would also help me with the development of the custom dashboards as I could develop locally.

    I will take a look at https://help.infiniteautomation.com/configuring-publishers and configure publishing of the data to the central server. I will probably also be asking more questions on this forum.

    Thanks again,
    Maurice


  • Look around the forums, there are numerous topics you can tap into. I have written a custom dashboard system so feel free to call on me if desired.
    As for permissions, I strongly recommend a combination of them with datapoint tags.
    Gives you a lot of freedom for your dashboard structure and behaviour.

    Fox