Bosch IoT Device Management

Create a policy where a sub-path is revoked

Prerequisites

You are empowered to change the specific policy.

Goal

Given you need to support the following scenario:

  • Owner

    • The thing my.namespace:thing-0123 is owned by a subject managed by a custom OAuth provider. The owner needs full access and admin rights for the complete thing.

    • In our example its ID is bosch-xxx:xxx-id-xxx/owner-scope

  • Observer of changes at featureX and featureY

    • Another application needs to be informed of each change to those features. In our example its ID is iot-suite:eebbb40e-xxxx-xxxx-xxxx-f79a4653946b.

  • Privacy

    • The value of the “city” property at “featureY” is confidential and needs to be “hidden” from the other application.

To accomplish all conditions mentioned above, your policy might look like the following image.

[Image: policy-example-3.png]

Your complete policy would look similar to the following example:

{
  "policyId": "my.namespace:policy-a",
  "entries": {
    "owner": {
      "subjects": {
        "bosch-xxx:xxx-id-xxx/owner-scope": {
          "type": "custom-oauth-provider"
        }
      },
      "resources": {
        "thing:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        },
        "policy:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        },
        "message:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        }
      }
    },
    "observer": {
      "subjects": {
        "iot-suite:eebbb40e-xxxx-xxxx-xxxx-f79a4653946b": {
          "type": "suite-auth-client"
        }
      },
      "resources": {
        "thing:/features/featureX": {
          "grant": ["READ"],
          "revoke": []
        },
        "thing:/features/featureY": {
          "grant": ["READ"],
          "revoke": []
        },
        "thing:/features/featureY/properties/location/city": {
          "grant": [],
          "revoke": ["READ"]
        }
      }
    }
  }
}

The IDs from the example above are just example values.
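The following is an added example, not code from the Bosch documentation: it evaluates the policy above the way the policy engine resolves permissions (the most specific matching resource path decides, and a revoke on that path overrides a grant), and then produces the partial view of a constructed thing JSON that each subject is allowed to read. The thing content, the helper names and the "featureZ" feature are assumptions made for the demonstration.

```python
# Added example: resolve READ/WRITE for a subject and path against the page's policy,
# then show the partial-read view each subject gets. Owner entry trimmed to thing:/.
POLICY = {"entries": {
    "owner": {
        "subjects": {"bosch-xxx:xxx-id-xxx/owner-scope": {"type": "custom-oauth-provider"}},
        "resources": {"thing:/": {"grant": ["READ", "WRITE"], "revoke": []}}},
    "observer": {
        "subjects": {"iot-suite:eebbb40e-xxxx-xxxx-xxxx-f79a4653946b": {"type": "suite-auth-client"}},
        "resources": {
            "thing:/features/featureX": {"grant": ["READ"], "revoke": []},
            "thing:/features/featureY": {"grant": ["READ"], "revoke": []},
            "thing:/features/featureY/properties/location/city": {"grant": [], "revoke": ["READ"]}}}}}
OWNER = "bosch-xxx:xxx-id-xxx/owner-scope"
OBSERVER = "iot-suite:eebbb40e-xxxx-xxxx-xxxx-f79a4653946b"

# Constructed thing JSON (assumption); "city" is the confidential value from the page.
THING = {"thingId": "my.namespace:thing-0123",
         "attributes": {"manufacturer": "ACME"},
         "features": {"featureX": {"properties": {"status": "on"}},
                      "featureY": {"properties": {"location": {"city": "Stuttgart", "country": "DE"}}},
                      "featureZ": {"properties": {"secret": 42}}}}


def child_path(path, key):
    return path.rstrip("/") + "/" + key


def has_permission(policy, subject, resource, permission):
    """Collect grant/revoke decisions per matching resource path; the most specific
    (longest) path that mentions the permission decides, and a revoke there wins."""
    decisions = {}
    for entry in policy["entries"].values():
        if subject not in entry["subjects"]:
            continue
        for path, perms in entry["resources"].items():
            if resource != path and not resource.startswith(child_path(path, "")):
                continue  # this resource entry does not cover the requested path
            granted, revoked = decisions.get(path, (False, False))
            decisions[path] = (granted or permission in perms["grant"],
                               revoked or permission in perms["revoke"])
    relevant = {p: d for p, d in decisions.items() if d[0] or d[1]}
    if not relevant:
        return False
    granted, revoked = relevant[max(relevant, key=len)]
    return granted and not revoked


def readable_view(policy, subject, node, path="thing:/"):
    """Thing as the subject sees it: sub-trees without READ are dropped (partial read)."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = readable_view(policy, subject, value, child_path(path, key))
            if child is not None:
                out[key] = child
        return out if out or has_permission(policy, subject, path, "READ") else None
    return node if has_permission(policy, subject, path, "READ") else None
```

For the observer, featureY still comes back, but the "city" property is filtered out of the location object while "country" stays.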

The policy can be found:

  • Via a GET request to /api/2/policies/<policyId>, and

  • Via a GET request to /api/2/things/<thingId>/policyId

  • At any thing itself in its JSON representation.
    A plain get-thing request does not include the full policy by default, but you can retrieve it by requesting the field _policy as a query parameter,
    e.g. /api/2/things/<thingId>?fields=_policy

When in doubt, create a separate policy entry (label) for each role, and then add the subjects that need the corresponding permissions to that specific entry.

Further reading

The concept is detailed at Policy of a thing.