Bosch IoT Device Management

Manage a policy via Bosch IoT Suite UI

Goal

Assume you will later have multiple digital twins and multiple users, and you need to define who is able to interact with which specific device.

The easiest place to store such access control information is the policy. Each thing is associated with exactly one policy, in which you can store read and write permissions for various subjects.

In this tutorial you will add a user ID to the policy and give that user full control, as if you had sold them the device and they were now its owner.

For simplicity, you will add your own Bosch ID in the DEFAULT policy entry.

As you can manage the thing anyway, this new entry is useful in cases where an application can accept a token issued by the Bosch ID authentication service.

Procedure

Navigate to the Bosch IoT Suite UI:

  1. Click the Things view.

  2. Select your thing.

  3. Click Policy.

  4. Click the + icon to add a completely new entry.

  5. Set the Label to CUSTOMER.

  6. Click the + icon to add a subject.

  7. The Issuer (prefix) is pre-set to bosch.

  8. The ID needs to be a Bosch ID according to the prefix.

    1. Click your user icon (in the top bar) to open the details and copy your Bosch ID.

    2. Paste it in the ID field.

  9. The Type is informational (e.g. Bosch ID, google-id, suite-auth).

  10. Confirm with OK.

  11. Click the + icon to add Resources.

  12. The Path can be thing:/ - meaning all attributes and features can be accessed.

  13. Grant Permissions can be set to read and write.

  14. Save.


Result

The user now has

  • full control over all paths under thing:/, which allows adding new attributes and features on this hello world thing.

  • no access to

    • messages:/ - i.e. not allowed to send a message directly to the device

    • policy:/ - i.e. not allowed to change the content of this policy document (e.g. add new entries to grant or restrict access to other users or applications)

You can see the change in a new table entry, and also in the JSON section.

In real life, whenever possible, try to avoid giving someone access to the policy:/ path, as it would empower the respective subject to modify the policy itself and to lock you out.
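A way to check that advice against the policy JSON, as an added example that is not part of the original tutorial or Bosch's own code. It assumes the Ditto-style policy layout (entries, subjects, resources with grant and revoke lists); the subject IDs are placeholders, the helper names are hypothetical, and the check is a simplified per-entry review rather than the service's full enforcement logic.

```python
import json

# Constructed sample: a DEFAULT entry for the owner plus the CUSTOMER entry
# created in the procedure above. Subject IDs are placeholders, not real Bosch IDs.
POLICY = json.loads("""
{"entries": {
  "DEFAULT": {
    "subjects": {"bosch:OWNER-ID-PLACEHOLDER": {"type": "Bosch ID"}},
    "resources": {
      "thing:/":  {"grant": ["READ", "WRITE"], "revoke": []},
      "policy:/": {"grant": ["READ", "WRITE"], "revoke": []}}},
  "CUSTOMER": {
    "subjects": {"bosch:CUSTOMER-ID-PLACEHOLDER": {"type": "Bosch ID"}},
    "resources": {
      "thing:/": {"grant": ["READ", "WRITE"], "revoke": []}}}
}}
""")

def subjects_with(policy, resource_prefix, permission):
    """Map each subject to the entry labels that grant `permission` on a
    resource under `resource_prefix` without revoking it in the same block."""
    found = {}
    for label, entry in policy.get("entries", {}).items():
        for path, perms in entry.get("resources", {}).items():
            if not path.startswith(resource_prefix):
                continue
            granted = permission in perms.get("grant", [])
            revoked = permission in perms.get("revoke", [])
            if granted and not revoked:
                for subject in entry.get("subjects", {}):
                    found.setdefault(subject, []).append(label)
    return found

def audit(policy, owner):
    """List subjects other than `owner` that can rewrite the policy, and
    report if the owner has lost WRITE on policy:/ (the lock-out case)."""
    writers = subjects_with(policy, "policy:/", "WRITE")
    findings = []
    for subject, labels in sorted(writers.items()):
        if subject != owner:
            findings.append("{} can modify the policy via {}".format(subject, ", ".join(labels)))
    if owner not in writers:
        findings.append("{} has no WRITE on policy:/ (locked out)".format(owner))
    return findings

if __name__ == "__main__":
    print("thing:/ writers:", sorted(subjects_with(POLICY, "thing:/", "WRITE")))
    print("findings:", audit(POLICY, "bosch:OWNER-ID-PLACEHOLDER") or "none")
```

Run it against the JSON shown in the policy view before saving a change; an empty findings list means only the owner can modify the policy.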

See further policy examples at Policy examples.