Initial policy

In case you have registered your device in line with the guidance from chapter Getting started > Device provisioning, you will most probably have already a policy for your thing.

What effect will the policy have?

As soon as Thing is related to a policy, it will "obey" all parts of the policy.

A specific policy provides someone (called subject), permission to read and/or write at a given resource.

To change the policy itself, you would need:

  • To know the exact ID,
    in this example your.namespace:name-or-serial-number-01

  • The write permission on the "policy:/" resource

    • In this example, all the subjects in the DEFAULT entry are authorized to read and write the policy.

    • Whereas, the subjects in the DEVICE entry are not authorized to read and write the policy.

Policy example

At this point we assume you work with the default output of the device provisioning. There you see the policy inline, starting with _policy

However if your request it with GET/policies/{policyId} it will appear in the notation shown in the example below.

{
"policyId": "your.namespace:name-or-serial-number-01",
"entries": {
"DEFAULT": {
"subjects": {
"iot-suite:afceb49a-xxx-c1553b12cd4c": {
"type": "suite-auth"
}
},
"resources": {
"policy:/": {
"grant": [
"READ",
"WRITE"
],
"revoke": []
},
"thing:/": {
"grant": [
"READ",
"WRITE"
],
"revoke": []
},
"message:/": {
"grant": [
"READ",
"WRITE"
],
"revoke": []
}
}
},
"DEVICE": {
"subjects": {
"integration:6aa25824-xxxx-88c059cfeb85:hub": {
"type": "iot-things-integration"
}
},
"resources": {
"thing:/": {
"grant": [
"READ",
"WRITE"
],
"revoke": []
},
"message:/": {
"grant": [
"READ",
"WRITE"
],
"revoke": []
}
}
}
}
}
}

What can you change?

Given you authenticate with the suite-auth token, you have various possibilities to change the policy.

However, we strongly recommend to NOT change the DEFAULT part.

The easiest way to try it out is by adding a new policy entry.