Prerequisites

• You have already provisioned a device.

• You are empowered to change the specific policy. This is already the case after provisioning.

• You have already created an OAuth2 client.

Goal

Given you have decided to empower your application using an OAuth2 client to have read permission on the thing and ALL sub-entities (e.g. attributes, features). The policy "my.namespace:octo-01" should be extended.

Navigate to the policy view of the developer console

1. Navigate to the Bosch IoT Suite portal https://accounts.bosch-iot-suite.com/subscriptions/.

2. Click Go to Developer Console for your subscribed instance.

3. Navigate to the Things section

4. Click the row of the thing "my.namespace:octo-01" whose policy of the same ID should be edited.

5. Click Policy.

6. Click the + icon in the Policy view.
   

   

Add a new policy entry

1. Enter a label: e.g. MY_APPLICATION.

2. Add a subject - in this example, this is an OAuth2 client with a specific client scope that will be used by your application for authentication:

   1. In the Suite portal , open the details view of your OAuth2 client and navigate to the listed client scopes having the format <prefix>:< ID >. Both values are used below.

   2. Click the + icon

   3. in the Subjects section and select Other in the context menu.

   4. Select the issuer custom.

   5. Enter the custom issuer: service .
      This is the prefix of your OAuth2 client scope.

   6. Enter an ID - this is the ID of your OAuth2 client scope: e.g. iot-things-eu-1:xxx_things/full-access .

   7. Enter a type: e.g. suite-auth.

   8. Click OK.
      

      

3. Add a resource - in this example the entities for which read permission should be granted are the thing itself and all its sub-entities:
   

   1. Click the + icon in the Resources section.

   2. Enter the path thing:/

   3. Check the Grant checkbox of the Read permission.

   4. Click OK.
      

      

4. Click Save.

Test your work

Now, let's test whether the application using the specific OAuth2 client can read the thing (and all its attributes and features).

For this purpose, you can operate the developer console in the mode "act as application" where the Bearer token of the specific OAuth2 client is used:

1. The top bar where you see your user icon, open the settings and click Act as application.

2. Follow the link to your OAuth2 clients in the Suite portal.

3. Use the OAuth2 client from above and copy its token to the clipboard.

4. Paste the copied OAuth2 token into the related field of the developer console.
   

5. Click Authorize.

   The robot icon in the top bar indicates that the authorization of the user is temporarily "overridden" by an OAuth2 client.

   
   

Now, you should see the thing with the assigned policy in the Things view. Also all its attributes or features should be visible.

However, as in Add policy entry > step 3d you have assigned read permission only, it should not be possible to change the thing. Thus, try adding an attribute, which should fail, as such an action requires write permission.

Further, you shouldn't be able to see a policy of the thing, because you did not assign read permission to the policy:/ subject.

As soon as you are done with testing, you might want to return to the context of your logged in user.

1. Open the User settings at the top bar.

2. Click Stop.