0

Axiom as public facing self-service customer-specific portal

Forum / Questions & Answers

We have a v24 canary historian that collects flow rates from meters. The flow is coming into our pipeline system. The product comes from various customers (approximately 90 different customers). A customer can have 1 or more meters. We'd like to create a public facing portal using Axiom where people can log in and see the flow rates for all of their meters and no other customer meters. Here's my plan, please let me know if you see issues of any kind.

  1. Create a View where the first level is customer and the 2nd level is meter. The meter asset has the flow rate tag.
  2. Connect Canary to Entra ID using OpenID
  3. Create an Entra group for each customer that wants to see their meters
  4. In Identity, remove default access at the top, and map each Entra group to the appropriate customer asset.
  5. Create an Axiom application that leverages an Asset Template control to show the flow for all meter assets.

I'm hoping, we can give users access to this one Axiom application and it magically shows them just the meters they have access to.

Questions:

  1. With the approach above, I think external users would have access to see the Public Folder Axiom displays, even if they couldn't see the data in them. Is it possible to set up a 2nd instance of Axiom on a 2nd server? So that we have an internal facing one and a public facing one?
  2. There's no way in Canary Identity to say "if a user has an email with domain x, they go to group x" is there? I'm assuming that would have to be done in Entra?

2 replies

null
    • smason
    • 6 hrs ago
    • Reported - view

    Hi ,

    I think your steps look good. To answer your questions:

    1. You can set up a 2nd Axiom service, but they would still potentially see other charts/applications in the Public and ReadOnly folder if users start creating their own reports. Are you planning to just provide a url to them and use the ReadOnly mode?
      https://helpcenter.canarylabs.com/t/60y8gkg/application-url-parameters-version-24#mode
      I will let you know that we do have plans of implementing an Axiom files ACL in the near future. It will be similar to the Tag Security, only it will control which files/folders a user can see in Axiom.
    2. When a user logs in using Axiom (or Excel or the Admin), an internal Canary user is created automatically which is then mapped to the external user coming from the IDP. In your case, that would be Entra. At the same time, all of the external groups that user is a part of are discovered. You can then create an internal Canary group, and map it to one of the external groups that was discovered.
      • damon_vinciguerra.1
      • 3 hrs ago
      • Reported - view

       Interesting stuff.

      1. I figured there was no way to stop people from using the Public Folder. And all our displays would be in Read Only, with the assumption that they can be open by anyone, and the data in them would be tailored to their account/company.
        1. I don't see the value in the ReadOnly Mode, because anyone can just edit the url and get to the full mode, right?
        2. Ooooh, I like Axiom display ACL. Now, when you say near future.... what are we talking? I see the benefit of that in we could only give our external customers access to a single subfolder in the read only folder. But I'd have to weigh the pros and cons of that vs having a ton of external users and groups and tag ACLs clutter up our internal View service instead of segregating that to a dedicated external View service.
      2. Let me play this scenario out. I believe you can't manually map an existing Entra Group to Canary Identity. So when we onboard a new customer (which will be in a new Entra Group), we have to have them sign up for Entra, then go to Axiom, try to log, get denied. Then we go into Admin and grant that new group the access we want them to have. Then that user and any future users of that company would be able to get in no problem. Is that an accurate description of the workflow? Or, if they're not in a group that's already mapped to Canary, will Axiom/Identity not even create a user for them when they attempt and fail to log in? Will I need to create a 2nd Entra Group with all customer Entra Groups in it that has no access to any data, but allows them to log in?
Login to reply

Content aside

print this pagePrint this page
  • 3 hrs agoLast active
  • 2Replies
  • 15Views
  • 2 Following