Add a policy entry
Prerequisites
You are authorized to modify the specific policy, i.e. the subject you authenticate with has WRITE permission on that policy.
Goal
You want to allow another user, identified by the Bosch ID "Bosch-ID-for-support-user", to read everything about all things governed by the policy "your.namespace:policy-01", and nothing more: no write access to those things and no access to the policy itself.
Request
Use the API docs of Bosch IoT Things.
Authorize with a fresh Suite OAuth token (see Create a Suite Auth client).
Policies resource: PUT /policies/{policyId}/entries/{label}
Set the policyId to your.namespace:policy-01
Set the label to "USER-read"
Set the body to the following entry. The subject is the user's Bosch ID; the only resource is "thing:/", the root of all thing resources, so the grant covers every attribute and feature of every thing the policy governs but gives the user no permission on "policy:/":
{
  "subjects": {
    "bosch:<Bosch-ID-of-the-user>": {
      "type": "bosch-id"
    }
  },
  "resources": {
    "thing:/": {
      "grant": ["READ"],
      "revoke": []
    }
  }
}
Execute
Response
Upon success you get status 201 "The Policy entry was successfully created." If an entry with that label already existed, it is replaced and the response is 204 No Content instead.
Test 1
GET /policies/{policyId} and check that the new entry is there as intended. The response looks like the following ("same-as-before" stands for the unchanged resource definitions of the existing entries, abbreviated here; "S-1-xxx" stands for the Bosch ID you entered):
{
  "policyId": "your.namespace:policy-01",
  "entries": {
    "DEFAULT": {
      "subjects": {
        "iot-suite:your-oauth2-client-scope": {
          "type": "suite-auth"
        }
      },
      "resources": {
        "same-as-before": "all"
      }
    },
    "DEVICE": {
      "subjects": {
        "integration:your-things-solution-id:hub": {
          "type": "iot-things-integration"
        }
      },
      "resources": {
        "same-as-before": "some"
      }
    },
    "USER-read": {
      "subjects": {
        "bosch:S-1-xxx": {
          "type": "bosch-id"
        }
      },
      "resources": {
        "thing:/": {
          "grant": ["READ"],
          "revoke": []
        }
      }
    }
  }
}
Make sure the new entry appears as its own label next to DEFAULT and DEVICE, not nested inside one of them, and that it lists only "thing:/" with the single grant "READ" and an empty "revoke".
Test 2
Let the user with that Bosch ID check whether they can see the thing:
Use the API docs of Bosch IoT Things.
Log in with the Bosch ID (tick the box "openid Access your Bosch-ID" and click Authorize) and additionally provide the API Token.
Things resource:
GET /things/{thingId} should succeed (status 200).
PUT /things/{thingId} should be rejected (status 403), because the entry grants READ only and no WRITE.
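The whole procedure above (build the read-only entry, create it with PUT, read the policy back and check it, then exercise the thing as the user) as a Python script. This is an added example, not code from the Bosch IoT Things documentation. It assumes the endpoint PUT /policies/{policyId}/entries/{label} below a base URL taken from the placeholder environment variable THINGS_API_BASE, and a Suite OAuth bearer token in the placeholder SUITE_TOKEN; the API-token header from Test 2 is not modelled, and the sample policy embedded for the offline check is constructed, not a real response.

```python
"""Add a read-only policy entry for a Bosch ID and verify the result.

Added example, not code from the Bosch IoT Things documentation. Assumed:
the endpoint PUT /policies/{policyId}/entries/{label} below the base URL in
THINGS_API_BASE, and a Suite OAuth bearer token in SUITE_TOKEN (both are
placeholder environment variables).
"""
import json
import os
import urllib.error
import urllib.request

POLICY_ID = "your.namespace:policy-01"
LABEL = "USER-read"


def build_read_only_entry(bosch_id: str) -> dict:
    """Entry granting READ on every thing resource to one Bosch ID.

    Only 'thing:/' is listed: the user gets no permission on 'policy:/',
    so they can neither read nor change the policy itself.
    """
    return {
        "subjects": {f"bosch:{bosch_id}": {"type": "bosch-id"}},
        "resources": {"thing:/": {"grant": ["READ"], "revoke": []}},
    }


def check_entry(policy: dict, label: str, subject: str,
                resource: str = "thing:/") -> list:
    """Compare a GET /policies/{policyId} response with the intended entry.

    Returns a list of problems; an empty list means the entry grants exactly
    READ on `resource` to `subject` and nothing else.
    """
    problems = []
    entry = policy.get("entries", {}).get(label)
    if entry is None:
        return [f"entry {label!r} missing"]
    subj = entry.get("subjects", {}).get(subject)
    if subj is None:
        problems.append(f"subject {subject!r} missing in entry {label!r}")
    elif subj.get("type") != "bosch-id":
        problems.append(f"subject {subject!r} has type {subj.get('type')!r}, expected 'bosch-id'")
    for other_subject in entry.get("subjects", {}):
        if other_subject != subject:
            problems.append(f"unexpected subject {other_subject!r} in entry {label!r}")
    resources = entry.get("resources", {})
    res = resources.get(resource)
    if res is None:
        problems.append(f"resource {resource!r} missing in entry {label!r}")
    else:
        grant = set(res.get("grant", []))
        if "READ" not in grant:
            problems.append(f"READ not granted on {resource!r}")
        if grant - {"READ"}:
            problems.append(f"unexpected grants {sorted(grant - {'READ'})} on {resource!r}")
        if res.get("revoke"):
            problems.append(f"unexpected revokes {sorted(res['revoke'])} on {resource!r}")
    for other in resources:
        if other != resource:
            problems.append(f"unexpected resource {other!r} in entry {label!r}")
    return problems


def _request(method: str, url: str, token: str, body=None):
    """One HTTPS call; returns (status, raw body) also for error statuses."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def put_policy_entry(base: str, token: str, policy_id: str, label: str, entry: dict):
    """201 when the entry is created, 204 when an existing label is replaced."""
    return _request("PUT", f"{base}/policies/{policy_id}/entries/{label}", token, entry)


def get_policy(base: str, token: str, policy_id: str):
    status, raw = _request("GET", f"{base}/policies/{policy_id}", token)
    return status, (json.loads(raw) if status == 200 else None)


def run_user_test(base: str, user_token: str, thing_id: str):
    """Test 2, run with the user's own token: expect (200, 403)."""
    get_status, raw = _request("GET", f"{base}/things/{thing_id}", user_token)
    thing = json.loads(raw) if get_status == 200 else {}
    put_status, _ = _request("PUT", f"{base}/things/{thing_id}", user_token, thing)
    return get_status, put_status


# Constructed sample of a GET /policies/{policyId} response (abbreviated),
# so that check_entry() can be exercised without network access.
SAMPLE_POLICY = {
    "policyId": POLICY_ID,
    "entries": {
        "DEFAULT": {
            "subjects": {"iot-suite:your-oauth2-client-scope": {"type": "suite-auth"}},
            "resources": {r: {"grant": ["READ", "WRITE"], "revoke": []}
                          for r in ("thing:/", "policy:/", "message:/")},
        },
        "USER-read": build_read_only_entry("S-1-xxx"),
    },
}

if __name__ == "__main__":
    base = os.environ["THINGS_API_BASE"]   # placeholder, e.g. https://<host>/api/2
    token = os.environ["SUITE_TOKEN"]      # placeholder for the Suite OAuth token
    status, _ = put_policy_entry(base, token, POLICY_ID, LABEL, build_read_only_entry("S-1-xxx"))
    print("PUT entry ->", status)
    status, policy = get_policy(base, token, POLICY_ID)
    if status == 200:
        print("GET policy ->", check_entry(policy, LABEL, "bosch:S-1-xxx") or "entry OK")
```

Run it with the two environment variables set; the PUT should report 201 on first creation, and the check must print "entry OK". Any grant beyond READ, a second subject, or an extra resource such as "policy:/" is reported as a problem, which is the kind of drift a later edit of the policy can introduce silently.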