Version 1.4: Fine-Grained Access Control and ROOT Support in awaBerry Agentic

awaBerry Agentic 1.4 brings fine-grained access control to device management. Define exactly which folders an API project can read or write, and which commands it can execute — plus ROOT user support for CI/CD and device provisioning workflows.

awaBerry Agentic 1.4 is our most significant security release to date. It delivers the granular access controls that IT teams, DevOps engineers, and security-conscious organisations have been asking for — giving you precise authority over what each API project can and cannot do on your devices.

Fine-Grained Folder Access

Until now, an authenticated awaBerry API project could interact with any path accessible to the awaberry user. Version 1.4 introduces path-based access restrictions: for each project, you can define an explicit allow-list of directories that the API is permitted to read from and write to.

A data collection project, for example, might be restricted to /var/data/sensors/ and nothing else. A deployment pipeline might have write access to /opt/app/releases/ but be read-only everywhere else. This kind of least-privilege configuration is now straightforward to define and enforce.

Command Execution Restrictions

Alongside folder restrictions, you can now define a command allow-list for each project — a precise set of commands the API is permitted to execute. If a command is not on the list, the API will refuse to run it, and the attempt will be logged.

This means you can expose a tightly scoped automation surface — "this project may run systemctl restart app, df -h, and cat /var/log/app.log and nothing else" — with confidence that no other commands can be triggered, even in the event of a compromised API key.

ROOT User Support

For teams that need it, version 1.4 adds explicit support for ROOT user execution. When enabled on a project, commands run with root privileges — enabling full device provisioning, package installation, system configuration, and OS-level operations.

ROOT access is disabled by default and must be explicitly enabled per project. Its availability opens new possibilities for IT and DevOps teams integrating awaBerry Agentic into their workflows:

CI/CD pipelines that install and update software on target devices
Automated device provisioning and OS configuration scripts
System-level health checks and remediation workflows
Fleet-wide patch management without manual SSH sessions

A Step Toward Enterprise-Grade Access Management

The access control features in version 1.4 are the foundation for a more comprehensive permission model that we will continue to expand. The goal is simple: every integration with awaBerry Agentic should be able to operate at exactly the privilege level it needs — no more, no less.

Full configuration details are documented in the User Manual. Questions? Our team is available via the contact form.