Bosch IoT Asset Communication

Auth for accessing data via Things


Business solution: accessing Thing data

When your business solution later tries to access data from Bosch IoT Things, it needs to authenticate with an authorization subject that is empowered in the thing policy.
The policy can be adjusted to your project needs by adding further entries, and thus empowering other technical clients and users.

For a search or get things request, read thing permissions within the policy should be sufficient.

Business solution: setting desired Thing data

When your business solution later tries to send data towards Bosch IoT Things (e.g. to send a new static attribute which is not relevant for the device layer), it needs to authenticate with an authorization subject that is empowered in the thing policy.
The policy can be adjusted to your project needs by adding further entries, and thus empowering other technical clients and users.

For an update (put) thing request, write thing permissions within the policy should be sufficient. However, with read and write you will be on the safe side for such a scenario (because write does not implicitly include read permission).

For an update (put) policy request, write policy permissions within the policy should be sufficient. However, with read and write you will be on the safe side for such a scenario (because write does not implicitly include read permission).

By empowering someone else with write policy permission, you risk being locked out, whether accidentally or on purpose.

In general, the solution owner should be able to manage all policies and should only grant other parties write permission on the things and messages resources, but not on the policy itself.

Find details on how to Create a policy entry for your backend application in the examples section.
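
The permission guidance above can be checked mechanically before a policy is uploaded. The following is an added example, not code from the Bosch IoT Suite documentation: it assumes the Eclipse Ditto style policy JSON layout (entries containing subjects and resources with grant/revoke lists), and the policy ID, subject IDs, entry labels and the `audit_policy` helper are constructed for illustration.

```python
# Added example: audits a constructed policy against the guidance above.
# Layout assumed: Eclipse Ditto style policy JSON (entries -> subjects/resources).
POLICY = {  # constructed sample; all IDs are placeholders
    "policyId": "example.namespace:device-policy",
    "entries": {
        "owner": {
            "subjects": {"example-issuer:solution-owner": {"type": "placeholder"}},
            "resources": {
                "thing:/": {"grant": ["READ", "WRITE"], "revoke": []},
                "policy:/": {"grant": ["READ", "WRITE"], "revoke": []},
                "message:/": {"grant": ["READ", "WRITE"], "revoke": []},
            },
        },
        "dashboard": {  # search / get things only, so READ on thing is enough
            "subjects": {"example-issuer:dashboard-client": {"type": "placeholder"}},
            "resources": {"thing:/": {"grant": ["READ"], "revoke": []}},
        },
        "backend": {  # sets desired thing data, but was also handed the policy
            "subjects": {"example-issuer:backend-client": {"type": "placeholder"}},
            "resources": {
                "thing:/": {"grant": ["WRITE"], "revoke": []},
                "policy:/": {"grant": ["READ", "WRITE"], "revoke": []},
            },
        },
    },
}


def effective(resource):
    """Permissions granted on one resource after its own revokes are removed."""
    return set(resource.get("grant", [])) - set(resource.get("revoke", []))


def audit_policy(policy, owner_label="owner"):
    """Return (entry label, resource, issue) findings for a policy document."""
    findings = []
    for label, entry in policy["entries"].items():
        for path, resource in entry.get("resources", {}).items():
            perms = effective(resource)
            if path.startswith("policy:") and "WRITE" in perms and label != owner_label:
                findings.append((label, path, "non-owner can rewrite the policy (lockout risk)"))
            if "WRITE" in perms and "READ" not in perms:
                findings.append((label, path, "WRITE without READ (write does not include read)"))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(POLICY):
        print(*finding, sep=" | ")
```

The audit only compares grant and revoke lists on the same resource key; revokes placed on parent or child resource paths are not resolved here.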