Bosch IoT Device Management

Multi-user support

Although you can invite other users to an organization (see the team concept and invitation procedure at Auth for subscription management), Bosch IoT Rollouts handles such users with some limitations.

Known limitations

  • Removal of users not harmonized with team
    Once a user is granted access to a team, Bosch IoT Rollouts creates an authorization entry for that user at the user's first login to Bosch IoT Rollouts.
    This user entry remains visible after the user has been removed from the team, and it cannot be removed.

  • No migration of campaigns to another owner when the user who started them is removed
    When a user is removed from a team, campaigns and assignments created by that user will fail, because the background jobs run in the context of this user.
    There is no way to switch them to another user context. Therefore, before removing a user, you must ensure that all of that user's active campaigns are finished.

  • Fine-grained permissions not supported
    Once a user is granted access to a team, that user has access to all features of Bosch IoT Rollouts without any limitation.
    In other words, every user of Bosch IoT Rollouts has the same set of permissions as the tenant owner. This cannot be modified.

  • Grace period
    Because the default Suite OAuth token is valid for one hour, a user who has been removed from the team but has just been issued such a token may still be able to log in to Bosch IoT Rollouts until the access token becomes invalid.

  • Restricted things access to different users
    Restricting access to different things for different users is not yet fully supported. We recommend not using it until further notice.

  • Restricted things access to Bosch IoT Rollouts
    Bosch IoT Rollouts is expected to have the same set of read and write permissions as Bosch IoT Manager and Bosch IoT Things.
    This must be considered while designing the policy of a thing.
    Below is an example of the required policy entries, subjects and permissions that you may follow as a template. This configuration works properly for Bosch IoT Hub, Things, Manager, and Rollouts all together. If your device does not communicate via Bosch IoT Hub, you do not need the DEVICE entry.