Bosch IoT Suite

Add a policy entry via developer console

Prerequisites

Goal

Given you have decided to empower your application using an OAuth2 client to have read permission on the thing and ALL sub-entities (e.g. attributes, features). The policy "my.namespace:octo-01" should be extended.

Navigate to the policy view of the developer console

  1. Navigate to the Bosch IoT Suite portal https://accounts.bosch-iot-suite.com/subscriptions/.

  2. Click Go to Developer Console for your subscribed instance.

  3. Navigate to the Things section (left sidebar of the developer console).

  4. Click the row of the thing "my.namespace:octo-01" whose policy of the same ID should be edited.

  5. Click Policy.

  6. Click + in the Policy view.

    images/confluence/download/attachments/1175027797/add-policy-entry.png


Add a new policy entry

  1. Enter a label: e.g. MY_APPLICATION.

  2. Add a subject - in this example, this is an OAuth2 client with a specific client scope that will be used by your application for authentication:

    1. In the Suite portal , open the details view of your OAuth2 client and navigate to the listed client scopes having the format <prefix>:< ID >. Both values are used below.

    2. Click + in the Subjects section and select Other in the context menu.

    3. Select the issuer custom.

    4. Enter the custom issuer: service . This is the prefix of your OAuth2 client scope.

    5. Enter an ID - this is the ID of your OAuth2 client scope: e.g. iot-things-eu-1:xxx_things/full-access .

    6. Enter a type: e.g. suite-auth.

    7. Click OK.

      images/confluence/download/attachments/1175027797/add-policy-subject.png

  3. Add a resource - in this example the entities for which read permission should be granted are the thing itself and all its sub-entities:

    1. Click + in the Resources section.

    2. Enter the path thing:/

    3. Check the Grant checkbox of the Read permission.

    4. Click OK.

      images/confluence/download/attachments/1175027797/add-policy-resource.png

  4. Click Save.

Test your work

Now, let's test whether the application using the specific OAuth2 client can read the thing (and all its attributes and features).

For this purpose, you can operate the developer console in the mode "act as application" where the Bearer token of the specific OAuth2 client is used:

  1. Navigate to the User section (left sidebar of the developer console).

  2. Click Act as application.

  3. Follow the link to your OAuth2 clients in the Suite portal.

  4. Use the OAuth2 client from above and copy its token to the clipboard.

  5. Paste the copied OAuth2 token into the related field of the developer console.

  6. Click Authorize.

Now, you should see the thing with the assigned policy in the Things view. Also all its attributes or features should be visible.

However, as in Add policy entry > step 3d you have assigned read permission only, it should not be possible to change the thing. Thus, try adding an attribute, which should fail, as such an action requires write permission.

Further, you shouldn't be able to see a policy of the thing, because you did not assign read permission to the policy:/ subject.

The user icon in the left sidebar of the developer console is now colored, to indicate that the authorization of the user is temporarily "overridden" by an OAuth2 client.

As soon as you are done with testing, you might want to return to the context of your logged in user.

  1. Navigate to the User section (left sidebar of the developer console).

  2. Click Stop.


Henceforth, an application identifying with the specific OAuth2 client can read the thing, and all its attributes and features.