Bosch IoT Device Management

Minimum permission requirements for subjects

For Bosch IoT Device Management to work properly, you need to grant the permissions described below to the following subjects:

"iot-suite:/service-instance.<SERVICE_INSTANCE_ID>.iot-things@developer-console": {
  "type": "suite-auth"
},
"iot-suite:/service-instance.<SERVICE_INSTANCE_ID>.iot-things@iot-manager": {
  "type": "suite-auth"
},
"iot-suite:/service-instance.<SERVICE_INSTANCE_ID>.iot-things@iot-rollouts": {
  "type": "suite-auth"
},
"integration:{SOLUTION_ID}:iot-manager": {
  "type": "iot-things-integration"
}

To look up your Service Instance ID and Solution ID, select the relevant subscription on your Service Subscriptions page and click 'Show Credentials' (see screenshot).

[Screenshot: dm_di_credentials1.png]

Permissions

Device

As a minimum requirement, to make a device visible in Bosch IoT Manager the subject needs READ and WRITE permissions on the Info attributes of the thing that corresponds to the device, i.e. on the following resource in the Things policy:

thing:/attributes/Info

Feature

In addition, depending on which features and/or attributes of the thing you want to manage via Bosch IoT Manager, you can add READ permissions on a whole feature or on a specific property of a feature:

thing:/features/X - on a whole feature

thing:/features/X/properties/Y - on a specific property of the feature

Action

For every action you will invoke via Bosch IoT Manager, the subject needs READ and WRITE permissions on the corresponding "message:/" resource, i.e.

message:/features/X - on all actions that can be invoked on the feature, or

message:/features/X/inbox/messages/Y - on a specific action that can be invoked on the feature

Example

For example, if you use Bosch IoT Manager together with Bosch IoT Rollouts to perform software updates, you need the following permissions on the SoftwareUpdatable feature of the thing:

"thing:/features/SoftwareUpdatable": {
  "grant": [
    "READ",
    "WRITE"
  ],
  "revoke": []
},
"message:/features/SoftwareUpdatable": {
  "grant": [
    "READ",
    "WRITE"
  ],
  "revoke": []
}

The permissions above are sufficient for devices supporting SoftwareUpdatable 2.0.0. For devices supporting SoftwareUpdatable 1.0.0 the situation is more complex: the update also uses multiple SoftwareModule features whose IDs are dynamic, so they cannot be listed statically in the policy.

In this case, you should grant READ and WRITE permissions over all features of the thing:

"thing:/features": {
  "grant": [
    "READ",
    "WRITE"
  ],
  "revoke": []
}

Revoke Permissions

Finally, you can revoke permissions on any device-specific feature that Bosch IoT Manager should no longer be able to access:

"thing:/features/X": {
  "grant": [],
  "revoke": [
    "READ",
    "WRITE"
  ]
}
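The following Python script is an added example and is not code from the Bosch IoT Device Management documentation. It assembles a policy entry for the iot-manager subject from the resource fragments on this page (minimum Info attributes, SoftwareUpdatable 2.0.0 vs. 1.0.0, and a per-feature revoke), then evaluates which permissions a given resource path ends up with. It assumes the policy evaluation rules used by Eclipse Ditto-style Things policies: the most specific matching resource path decides, and a revoke at the same path overrides a grant. The function names, the placeholder IDs and the feature names `SoftwareModule-1234` and `Secret` are constructed for the example.

```python
"""Added example: build a Things policy entry for iot-manager and check effective rights.

Assumption (not stated on the page): Eclipse Ditto-style evaluation, where the most
specific matching resource path wins and a revoke overrides a grant at the same path.
"""
import json

SERVICE_INSTANCE_ID = "<SERVICE_INSTANCE_ID>"  # placeholder, taken from 'Show Credentials'
SOLUTION_ID = "<SOLUTION_ID>"                  # placeholder, taken from 'Show Credentials'

PERMISSIONS = ["READ", "WRITE"]


def build_iot_manager_entry(legacy_software_updatable=False, revoke_features=()):
    """Return a policy entry with the minimum resources described on this page.

    legacy_software_updatable: True for SoftwareUpdatable 1.0.0 devices, which need
        a blanket grant on thing:/features because SoftwareModule IDs are dynamic.
    revoke_features: feature IDs that iot-manager must not access anymore.
    """
    subjects = {
        f"iot-suite:/service-instance.{SERVICE_INSTANCE_ID}.iot-things@iot-manager": {
            "type": "suite-auth"
        },
        f"integration:{SOLUTION_ID}:iot-manager": {"type": "iot-things-integration"},
    }
    resources = {
        # minimum requirement: the device becomes visible in Bosch IoT Manager
        "thing:/attributes/Info": {"grant": list(PERMISSIONS), "revoke": []},
        # actions invoked on the SoftwareUpdatable feature (software updates)
        "message:/features/SoftwareUpdatable": {"grant": list(PERMISSIONS), "revoke": []},
    }
    if legacy_software_updatable:
        # SoftwareUpdatable 1.0.0: SoftwareModule features cannot be listed statically
        resources["thing:/features"] = {"grant": list(PERMISSIONS), "revoke": []}
    else:
        resources["thing:/features/SoftwareUpdatable"] = {"grant": list(PERMISSIONS), "revoke": []}
    for feature in revoke_features:
        # a revoke on a specific feature overrides the broader grant above
        resources[f"thing:/features/{feature}"] = {"grant": [], "revoke": list(PERMISSIONS)}
    return {"subjects": subjects, "resources": resources}


def _matches(resource, path):
    """True if `resource` is `path` itself or a parent path of it."""
    prefix = resource.rstrip("/") + "/"
    return path == resource or path.startswith(prefix)


def effective_permissions(resources, path):
    """Permissions that apply to `path`, with the most specific resource deciding.

    Matching resources are applied from least to most specific, so a revoke on
    thing:/features/Secret removes what a grant on thing:/features added.
    """
    granted = set()
    for resource in sorted((r for r in resources if _matches(r, path)), key=len):
        entry = resources[resource]
        granted |= set(entry["grant"])
        granted -= set(entry["revoke"])  # revoke wins at the same path
    return granted


def to_json(entry):
    """Serialise the entry in the layout used in the policy fragments on this page."""
    return json.dumps(entry, indent=2)


if __name__ == "__main__":
    entry = build_iot_manager_entry(legacy_software_updatable=True, revoke_features=("Secret",))
    print(to_json(entry))
    for path in ("thing:/attributes/Info", "thing:/features/SoftwareModule-1234",
                 "thing:/features/Secret/properties/key",
                 "message:/features/SoftwareUpdatable/inbox/messages/install"):
        print(path, "->", sorted(effective_permissions(entry["resources"], path)))
```

The 2.0.0 entry grants nothing outside Info and SoftwareUpdatable, so a path such as thing:/features/Temperature evaluates to no permissions at all; the 1.0.0 entry has to grant thing:/features as a whole, and the per-feature revoke is the only way to carve sensitive features back out of that blanket grant.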