Firmware push fails via MQTT API on device group, returns 403 Forbidden

We’re experiencing firmware update failures when pushing updates via MQTT API to a device group. The operation returns a 403 Forbidden error, blocking our entire firmware rollout to 200+ industrial gateways.

Our MQTT publish to topic s/us with firmware operation payload works fine for individual devices, but fails consistently for device groups. We’ve verified device role permissions in the tenant settings, and the service account has ADMIN role with full inventory access.

The error occurs specifically when targeting managed object fragments for firmware updates. Here’s our MQTT payload structure:

{"c8y_Firmware": {"name": "gw-v2.4.1", "version": "2.4.1", "url": "https://repo.local/fw.bin"}}

Is there a specific permission or MQTT API usage pattern we’re missing for group-level firmware operations? The documentation suggests this should work, but we’re hitting authorization barriers.

Thanks for the responses. I checked the Bulk Operations permission - it was enabled. However, I noticed our service account didn’t have explicit READ permission on the device group object in inventory. The permission was inherited but not directly assigned. Could this be the root cause? Also, our MQTT client uses a separate service user - should this match the device credentials exactly?

I’ve seen this before. The issue is usually that device groups require explicit inventory READ permission on the group object itself, not just on individual devices. Also, verify that your MQTT client ID matches the device credentials you’re using. Group operations have stricter validation than single-device operations in c8y-1020.

Adding to the previous comment - also check your tenant options. There’s a setting under ‘device-control.enableBulkOperations’ that must be set to ‘true’. This isn’t enabled by default in some deployments and will silently fail group operations with 403 errors.
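The distinction raised in the thread between an explicitly assigned and an inherited READ permission on the group object can be audited before a rollout. The following is an added example, not part of any post above and not platform code: the assignment records, the parent map and the rule that ADMIN implies READ are assumptions made for illustration, and the sample data is constructed.

```python
# Added example: classify how a service account reaches READ on a device group.
# The data shapes here are hypothetical, not taken from any platform API.

READ_GRANTING = {"READ", "ADMIN"}  # assumption: ADMIN implies READ


def read_access_path(assignments, parents, group_id):
    """Return ("direct", id), ("inherited", ancestor_id) or ("none", None)."""
    # Managed objects on which the account holds a READ-granting permission.
    granted = {
        a["managedObject"]
        for a in assignments
        if READ_GRANTING & set(a.get("permissions", []))
    }
    if group_id in granted:
        return ("direct", group_id)
    # Walk up the group hierarchy; 'seen' guards against a cyclic parent map.
    seen = {group_id}
    node = parents.get(group_id)
    while node is not None and node not in seen:
        if node in granted:
            return ("inherited", node)
        seen.add(node)
        node = parents.get(node)
    return ("none", None)


def audit(assignments, parents, group_ids):
    """Map each target group to its access path; non-'direct' results need review."""
    return {g: read_access_path(assignments, parents, g) for g in group_ids}


# Constructed sample: child group -> parent group, and the account's assignments.
SAMPLE_PARENTS = {"gateways-eu": "all-gateways",
                  "gateways-us": "all-gateways",
                  "lab": None}
SAMPLE_ASSIGNMENTS = [
    {"managedObject": "all-gateways", "permissions": ["READ"]},
    {"managedObject": "gateways-us", "permissions": ["ADMIN"]},
    {"managedObject": "lab", "permissions": ["CHANGE"]},
]

if __name__ == "__main__":
    targets = ["gateways-eu", "gateways-us", "lab"]
    for group, (kind, via) in audit(SAMPLE_ASSIGNMENTS, SAMPLE_PARENTS, targets).items():
        print(f"{group}: {kind} (via {via})")
```

Groups reported as inherited or none are the ones to check for a direct assignment before retrying the group-level operation.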