Create a policy where a sub-path is revoked
Prerequisites
You are empowered to change the specific policy.
Goal
Given you need to support the following scenario:
Owner
The thing my.namespace:thing-0123 is owned by a subject managed by a custom OAuth provider. The owner needs full access and admin rights for the complete thing.
In our example its ID is bosch-xxx:xxx-id-xxx/owner-scope.
Observer of changes at featureX and featureY
Another application needs to be informed of each change to those features. In our example its ID is iot-suite:eebbb40e-xxxx-xxxx-xxxx-f79a4653946b.
Privacy
The value of the “city” property at “featureY” is confidential and needs to be “hidden” from the other application.
To accomplish all conditions mentioned above, your policy might look like the following image.
Your complete policy would look similar to the following example:
{
  "policyId": "my.namespace:policy-a",
  "entries": {
    "owner": {
      "subjects": {
        "bosch-xxx:xxx-id-xxx/owner-scope": {
          "type": "custom-oauth-provider"
        }
      },
      "resources": {
        "thing:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        },
        "policy:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        },
        "message:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        }
      }
    },
    "observer": {
      "subjects": {
        "iot-suite:eebbb40e-xxxx-xxxx-xxxx-f79a4653946b": {
          "type": "suite-auth-client"
        }
      },
      "resources": {
        "thing:/features/featureX": {
          "grant": ["READ"],
          "revoke": []
        },
        "thing:/features/featureY": {
          "grant": ["READ"],
          "revoke": []
        },
        "thing:/features/featureY/properties/location/city": {
          "grant": [],
          "revoke": ["READ"]
        }
      }
    }
  }
}
The IDs from the example above are just example values.
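To see what the revoke on the sub-path actually does for the observer, here is an added, self-contained evaluator (not code from the page or from the product) that applies the policy above to a constructed sample thing. It assumes the "most specific resource path wins" rule, with a revoke beating a grant at the same level; the thing JSON, its property values and the pruning helper are illustrative assumptions.

```python
# Policy entries from the page (subject "type" objects dropped; grant/revoke are the page's).
POLICY = {
    "owner": {
        "subjects": ["bosch-xxx:xxx-id-xxx/owner-scope"],
        "resources": {"thing:/": {"grant": ["READ", "WRITE"], "revoke": []}},
    },
    "observer": {
        "subjects": ["iot-suite:eebbb40e-xxxx-xxxx-xxxx-f79a4653946b"],
        "resources": {
            "thing:/features/featureX": {"grant": ["READ"], "revoke": []},
            "thing:/features/featureY": {"grant": ["READ"], "revoke": []},
            "thing:/features/featureY/properties/location/city": {"grant": [], "revoke": ["READ"]},
        },
    },
}
THING = {  # constructed sample thing (not from the page); "city" is the confidential value
    "thingId": "my.namespace:thing-0123",
    "attributes": {"manufacturer": "example-vendor"},
    "features": {
        "featureX": {"properties": {"status": "on"}},
        "featureY": {"properties": {"location": {"city": "Example City", "lat": 48.77}}},
    },
}

def has_permission(policy, subject, path, permission):
    """Most specific matching resource wins; at that level revoke beats grant (assumed rule)."""
    best, granted, revoked = -1, False, False
    for entry in (e for e in policy.values() if subject in e["subjects"]):
        for resource, perms in entry["resources"].items():
            if path != resource and not path.startswith(resource.rstrip("/") + "/"):
                continue  # resource is neither `path` itself nor one of its ancestors
            depth = len(resource.rstrip("/"))
            if depth > best:  # a more specific resource overrides what coarser ones said
                best, granted, revoked = depth, False, False
            if depth == best:
                granted = granted or permission in perms["grant"]
                revoked = revoked or permission in perms["revoke"]
    return granted and not revoked

def readable_view(policy, subject, node, path="thing:/"):
    """Prune a thing JSON down to what the subject may READ (like a partial GET response)."""
    if not isinstance(node, dict):
        return node if has_permission(policy, subject, path, "READ") else None
    out = {}
    for key, value in node.items():
        kept = readable_view(policy, subject, value, path.rstrip("/") + "/" + key)
        if kept is not None:
            out[key] = kept
    return out or None
```

For the observer, readable_view keeps both features but drops "city" (and everything outside the two features), while the owner sees the whole thing.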
The policy can be found:
Via GET request at /api/2/policies/<policyId>, and
Via GET request at /api/2/things/{thingId}/policyId
At any thing itself in its JSON representation.
A plain GET request for a thing does not include the full policy by default, but you can retrieve it by appending the field _policy as a query parameter,
e.g. /api/2/things/<thingId>?fields=_policy
If in doubt, create a separate policy entry (label) for each role, and later add the subjects you need to empower to the respective entry.
Further reading
The concept is detailed at Policy of a thing.