0
Axiom as public facing self-service customer-specific portal
Forum / Questions & Answers
We have a v24 canary historian that collects flow rates from meters. The flow is coming into our pipeline system. The product comes from various customers (approximately 90 different customers). A customer can have 1 or more meters. We'd like to create a public facing portal using Axiom where people can log in and see the flow rates for all of their meters and no other customer meters. Here's my plan, please let me know if you see issues of any kind.
- Create a View where the first level is customer and the 2nd level is meter. The meter asset has the flow rate tag.
- Connect Canary to Entra ID using OpenID
- Create an Entra group for each customer that wants to see their meters
- In Identity, remove default access at the top, and map each Entra group to the appropriate customer asset.
- Create an Axiom application that leverages an Asset Template control to show the flow for all meter assets.
I'm hoping, we can give users access to this one Axiom application and it magically shows them just the meters they have access to.
Questions:
- With the approach above, I think external users would have access to see the Public Folder Axiom displays, even if they couldn't see the data in them. Is it possible to set up a 2nd instance of Axiom on a 2nd server? So that we have an internal facing one and a public facing one?
- There's no way in Canary Identity to say "if a user has an email with domain x, they go to group x" is there? I'm assuming that would have to be done in Entra?
5 replies
-
Hi ,
I think your steps look good. To answer your questions:
- You can set up a 2nd Axiom service, but they would still potentially see other charts/applications in the Public and ReadOnly folder if users start creating their own reports. Are you planning to just provide a url to them and use the ReadOnly mode?
https://helpcenter.canarylabs.com/t/60y8gkg/application-url-parameters-version-24#mode
I will let you know that we do have plans of implementing an Axiom files ACL in the near future. It will be similar to the Tag Security, only it will control which files/folders a user can see in Axiom. - When a user logs in using Axiom (or Excel or the Admin), an internal Canary user is created automatically which is then mapped to the external user coming from the IDP. In your case, that would be Entra. At the same time, all of the external groups that user is a part of are discovered. You can then create an internal Canary group, and map it to one of the external groups that was discovered.
- You can set up a 2nd Axiom service, but they would still potentially see other charts/applications in the Public and ReadOnly folder if users start creating their own reports. Are you planning to just provide a url to them and use the ReadOnly mode?