Optional time limit in policy
This example assumes you have added a policy entry named guest, which allows the subject (i.e. a Bosch ID) to read thing data until the May 1st 2021.
Example
{ "policyId": "my.namespace:policy-x", "entries": { "DEFAULT": { "subjects": { "iot-suite:/service-instance.xxx-your-serice-instance-id-xxx.iot-things": { "type": "suite-auth" } }, "resources": { "thing:/": { "grant": ["READ", "WRITE"], "revoke": [] }, "policy:/": { "grant": ["READ", "WRITE"], "revoke": [] }, "message:/": { "grant": ["READ", "WRITE"], "revoke": [] } } }, "guest": { "subjects": { "bosch:xxx-your-Bosch-id-xxx": { "type": "Bosch ID", "expiry": "2021-05-01T12:00:00Z", "announcement": { "beforeExpiry": "1d", "whenDeleted": true } } }, "resources": { "thing:/": { "grant": [ "READ" ], "revoke": [] } } }}Once the timestamp defined in the expiry field is reached, the Things service will automatically delete the specific subject field and thus prohibit the access for the specific subject.
In our example the "guest" entry will be removed completely as the time limited subject was the only subject in the entry.
The timestamp is set as string in ISO-8601 format. For simplicity, we will round it up to the next full hour.
Announcement options
In case your scenario requires that someone is informed about the expiry, this needs to be addressed separately.
Example
Use the Bosch IoT Things UI, section Connections/Integrations.
Add a HTTP connection to your receiver endpoint.
At the Target section, check the box for Policy announcements.
An announcement would look like the following snippet.
{ "topic": "your.namespace/the_policy_id/policies/announcements/subjectDeletion", "headers": { "correlation-id": "xxx", "content-type": "application/json" }, "path": "/", "value": { "deleteAt": "2021-05-01T16:05:55Z", "subjectIds": [ "integration:your-service-instance-id:your-client-1", "integration:your-service-instance-id:your-client-2" ] }}