Bosch IoT Device Management

Manually add organization roles to the policy of a solution

This procedure is only needed for subscriptions older than June 24 2021, where the organization roles have not been added automatically at subscription time.

For new subscriptions this is not necessary: the team members added to your organization can by default access the Things solution resources via the API (e.g. create connections, namespaces, etc.)
if they authenticate with a SuiteAuth token that comprises their organization role. See the example Create a Suite Auth client for an organization role.


Precondition

You are the user who provisioned the subscription.

Get your solution policy

  1. Open the Bosch IoT Things UI.

  2. Copy the API token.

  3. Copy the policy ID of your Things instance.

    (Screenshot: solution-policy-id.png)
  4. Open the apidocs > Bosch IoT Things > Policy

  5. Authenticate with the API token from step 2, and check the box for the Bosch ID authorization.

    (Screenshot: Things-apidoc-auth-for-solution.png)
  6. Open the section GET /policies/{policyId}

  7. Click Try it out to get access to the entry fields.

  8. Set the policyId to the ID of your service instance from step 3.
    E.g. com.bosch.iot.things.solution:your-solution-id

  9. Execute.


If the DEFAULT policy entry lacks the subjects for your organization roles, add them manually. The subjects block of the DEFAULT entry should contain all three roles:

"subjects": {
    "iot-suite:/organization.<org-guid>.Owner": {
        "type": "generated"
    },
    "iot-suite:/organization.<org-guid>.Developer": {
        "type": "generated"
    },
    "iot-suite:/organization.<org-guid>.Manager": {
        "type": "generated"
    }
}


Change a part of the solution policy

  1. Navigate to PUT /policies/{policyId}/entries/{label}/subjects/{subjectId}

  2. Click Try it out to get access to the entry fields.

  3. Set the policyId to the ID from above.

  4. Set the label to DEFAULT.

  5. Set the subjectId to the role.
    Use the exact notation shown at https://accounts.bosch-iot-suite.com/oauth2-clients/ when you create a client, e.g. "iot-suite:/organization.xxx.Developer"

  6. Set the type in the Request body:

    {
        "type": "team-developer-role"
    }
  7. Execute.
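The two procedures above (read the solution policy, then PUT each missing organization-role subject into the DEFAULT entry) can be scripted instead of clicked through in the Swagger UI. The following Python is an added example and not part of this page or of Bosch's own tooling. It assumes the Things HTTP API base URL https://things.eu-1.bosch-iot-suite.com/api/2, the header names x-cr-api-token (API token) and Authorization: Bearer (Bosch ID token), and, because the page only states the "team-developer-role" type for the Developer role, falls back to the "generated" type from the policy excerpt above for Owner and Manager. The sample policy embedded in the block is constructed. One practical detail the UI hides: policyId and subjectId both contain ':' and '/', so they must be percent-encoded as single path segments, otherwise the PUT targets the wrong path.

```python
import json
import urllib.request
from urllib.parse import quote

# Assumed base URL of the Bosch IoT Things HTTP API (not stated on this page).
THINGS_API = "https://things.eu-1.bosch-iot-suite.com/api/2"

ORG_ROLES = ("Owner", "Developer", "Manager")

# Subject type per role. "team-developer-role" is the value the page uses for the
# Developer role; for Owner and Manager the page gives no value, so the fallback
# reuses the "generated" type shown in the page's policy excerpt (an assumption,
# adjust it to what your own GET response returns).
ROLE_SUBJECT_TYPE = {"Developer": "team-developer-role"}
FALLBACK_SUBJECT_TYPE = "generated"


def org_subject_id(org_guid, role):
    """Subject ID in the exact notation shown on the Suite OAuth client page."""
    return f"iot-suite:/organization.{org_guid}.{role}"


def missing_org_subjects(policy, org_guid, label="DEFAULT"):
    """Return the organization-role subject IDs absent from the given policy entry."""
    entry = policy.get("entries", {}).get(label, {})
    present = set(entry.get("subjects", {}))
    return [org_subject_id(org_guid, role) for role in ORG_ROLES
            if org_subject_id(org_guid, role) not in present]


def subject_put_request(policy_id, subject_id, label="DEFAULT", base_url=THINGS_API):
    """Build the URL and body for PUT /policies/{policyId}/entries/{label}/subjects/{subjectId}.
    policyId and subjectId contain ':' and '/', so each is percent-encoded as one
    path segment (safe='' also encodes '/'), exactly as the Swagger UI does."""
    role = subject_id.rsplit(".", 1)[-1]
    url = (f"{base_url}/policies/{quote(policy_id, safe='')}/entries/{label}"
           f"/subjects/{quote(subject_id, safe='')}")
    body = {"type": ROLE_SUBJECT_TYPE.get(role, FALLBACK_SUBJECT_TYPE)}
    return url, body


def plan_missing_subject_puts(policy, policy_id, org_guid):
    """One (url, body) pair per organization role still missing from DEFAULT."""
    return [subject_put_request(policy_id, sid)
            for sid in missing_org_subjects(policy, org_guid)]


def send_put(url, body, api_token, bearer_token):
    """Send one PUT. Header names are assumed from the Things API docs
    (API token plus Bosch ID bearer token, as in the Swagger UI)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json",
                 "x-cr-api-token": api_token,
                 "Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample GET /policies/{policyId} response: the DEFAULT entry only
# carries the Owner role and the provisioning user, so Developer and Manager are missing.
SAMPLE_POLICY = {
    "policyId": "com.bosch.iot.things.solution:your-solution-id",
    "entries": {
        "DEFAULT": {
            "subjects": {
                "iot-suite:/organization.1111-2222.Owner": {"type": "generated"},
                "bosch-id:constructed-user-id": {"type": "generated"},
            },
            "resources": {
                "policy:/": {"grant": ["READ", "WRITE"], "revoke": []},
                "thing:/": {"grant": ["READ", "WRITE"], "revoke": []},
            },
        }
    },
}

if __name__ == "__main__":
    # Dry run: print the calls that would be made instead of sending them.
    for url, body in plan_missing_subject_puts(SAMPLE_POLICY, SAMPLE_POLICY["policyId"], "1111-2222"):
        print("PUT", url, json.dumps(body))
```

Run it as is for a dry run; to apply the change, pass the planned pairs to send_put with the API token from step 2 and a Bosch ID token. Re-running the GET afterwards and checking that missing_org_subjects returns an empty list confirms the DEFAULT entry now carries all three roles.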