Bosch IoT Device Management

Namespace policy

The namespace policy defines who is allowed to create things or policies in the corresponding namespace.

With a namespace policy you can restrict the permission to create things and policies individually for each namespace.

A namespace policy is optional and is not present by default.
A namespace without a policy means that every authenticated subject allowed to use the API in the scope of your solution is also allowed to create things and policies in that namespace.

However, if you need to restrict creation, you can define a policy containing one or more policy entries, each of which consists of:

  • Subjects: define who is allowed to create things or policies in the corresponding namespace.
    This may be, for example, a Suite OAuth2 client, a user who is allowed to manage the subscription, or a role such as Owner, Manager, or Developer.

  • Resources: can be "thing:/" and/or "policy:/".
    Only the root level of these resources is supported; deeper levels cannot be referenced in a namespace policy.

  • Permission: you can grant or revoke the "CREATE" permission.
    No other permissions are currently supported for namespace policies.
    As is common for policies, a "revoke" is stronger than a "grant" on the same level. This matters if your authentication mechanism maps one user to several authorized subjects: a revoke that applies to any of those subjects overrides a grant that applies to another.

Namespace management

The namespace policy can be managed either via the HTTP API or via the Suite UI.

  • API docs: navigate to the HTTP API "Solutions" section, endpoint /solutions/{solutionId}/namespaces/{namespaceId}/policy

  • Suite UI: select Namespaces from the left navigation bar

Example 1

In example 1, the entry "DEFAULT" grants permission to create things and policies only to users who have the role "Manager" within your organization.

{
  "entries": {
    "DEFAULT": {
      "subjects": {
        "iot-suite:/organization.<org-guid>.Manager": {
          "type": "users with Manager role"
        }
      },
      "resources": {
        "thing:/": {
          "grant": ["CREATE"],
          "revoke": []
        },
        "policy:/": {
          "grant": ["CREATE"],
          "revoke": []
        }
      }
    }
  }
}

Example 2

The second entry "APPLICATION" grants the right to create things to a specific Suite OAuth client. Because this client has no permission to create policies, it can only create things that reference an existing policy.

{
  "entries": {
    "APPLICATION": {
      "subjects": {
        "iot-suite:/service-instance.<your-service-instance-id>.iot-things@<client-id-used-for-application>": {
          "type": "Suite OAuth client"
        }
      },
      "resources": {
        "thing:/": {
          "grant": ["CREATE"],
          "revoke": []
        }
      }
    }
  }
}

Like a thing policy or a solution policy, the namespace policy can hold multiple entries, which complement one another: all entries that match a subject are evaluated together.
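The following Python script is an added example and is not code from Bosch IoT Device Management. It shows the effect of the rules described above (only the root resources "thing:/" and "policy:/", only the "CREATE" permission, revoke stronger than grant, no policy means everyone may create) by evaluating a namespace policy offline, before you upload it via the HTTP API. The policy document combines the "DEFAULT" and "APPLICATION" entries from examples 1 and 2 (placeholders kept as in the examples) with a third, constructed entry "DEVELOPERS_NO_POLICY" that revokes policy creation for a Developer role subject; this third entry and the evaluation rules are assumptions made for the example, not documented behaviour of the service.

```python
"""Added example: offline evaluator for the namespace policy semantics described
on this page.  Assumed rules (this is the example author's reading of the page,
not Bosch's implementation): an absent policy permits every authenticated
subject; otherwise the caller needs a CREATE grant on the resource root in at
least one entry matching one of its subjects, and a CREATE revoke on that root
in any entry matching any of its subjects overrides every grant."""
import json

ALLOWED_RESOURCES = {"thing:/", "policy:/"}   # only root level is supported
ALLOWED_PERMISSIONS = {"CREATE"}              # no other permission exists here

# Subject identifiers, placeholders copied from examples 1 and 2; the Developer
# subject is constructed for this example.
MANAGER = "iot-suite:/organization.<org-guid>.Manager"
APP_CLIENT = ("iot-suite:/service-instance.<your-service-instance-id>"
              ".iot-things@<client-id-used-for-application>")
DEVELOPER = "iot-suite:/organization.<org-guid>.Developer"

# Constructed policy document: DEFAULT and APPLICATION as on the page, plus an
# assumed DEVELOPERS_NO_POLICY entry that revokes policy creation for Developers.
SAMPLE_POLICY_JSON = json.dumps({
    "entries": {
        "DEFAULT": {
            "subjects": {MANAGER: {"type": "users with Manager role"}},
            "resources": {
                "thing:/": {"grant": ["CREATE"], "revoke": []},
                "policy:/": {"grant": ["CREATE"], "revoke": []},
            },
        },
        "APPLICATION": {
            "subjects": {APP_CLIENT: {"type": "Suite OAuth client"}},
            "resources": {"thing:/": {"grant": ["CREATE"], "revoke": []}},
        },
        "DEVELOPERS_NO_POLICY": {
            "subjects": {DEVELOPER: {"type": "users with Developer role"}},
            "resources": {"policy:/": {"grant": [], "revoke": ["CREATE"]}},
        },
    }
})
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def validate_namespace_policy(policy):
    """Reject documents that use anything beyond root resources and CREATE,
    so a mistake is caught locally instead of by the API."""
    for name, entry in policy.get("entries", {}).items():
        if not entry.get("subjects"):
            raise ValueError(f"entry {name!r} has no subjects")
        for resource, perms in entry.get("resources", {}).items():
            if resource not in ALLOWED_RESOURCES:
                raise ValueError(f"entry {name!r}: unsupported resource {resource!r}")
            for key in ("grant", "revoke"):
                unsupported = set(perms.get(key, [])) - ALLOWED_PERMISSIONS
                if unsupported:
                    raise ValueError(f"entry {name!r}: unsupported {key} {sorted(unsupported)}")
    return True


def may_create(policy, caller_subjects, resource):
    """True if a caller holding all of `caller_subjects` may create `resource`
    ("thing:/" or "policy:/") in a namespace guarded by `policy` (None = no policy)."""
    if resource not in ALLOWED_RESOURCES:
        raise ValueError(f"unsupported resource {resource!r}")
    if policy is None:
        return True                      # no namespace policy: everyone in the solution may create
    granted = revoked = False
    callers = set(caller_subjects)
    for entry in policy["entries"].values():
        if not callers & set(entry["subjects"]):
            continue                     # entry does not apply to this caller
        perms = entry.get("resources", {}).get(resource, {})
        granted |= "CREATE" in perms.get("grant", [])
        revoked |= "CREATE" in perms.get("revoke", [])
    return granted and not revoked       # revoke on the same level wins over grant


def demo():
    """Evaluate the sample policy for a few callers; returns a dict for inspection."""
    validate_namespace_policy(SAMPLE_POLICY)
    return {
        "manager thing": may_create(SAMPLE_POLICY, [MANAGER], "thing:/"),
        "manager policy": may_create(SAMPLE_POLICY, [MANAGER], "policy:/"),
        "app client thing": may_create(SAMPLE_POLICY, [APP_CLIENT], "thing:/"),
        "app client policy": may_create(SAMPLE_POLICY, [APP_CLIENT], "policy:/"),
        # a user whose token yields both subjects: revoke on Developer wins for policy:/
        "manager+developer policy": may_create(SAMPLE_POLICY, [MANAGER, DEVELOPER], "policy:/"),
        "manager+developer thing": may_create(SAMPLE_POLICY, [MANAGER, DEVELOPER], "thing:/"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} -> {'allowed' if allowed else 'denied'}")
```

Run the script to see the decision table; the "manager+developer" rows show why the page warns about users with several authorized subjects: one revoked subject denies policy creation even though another subject is granted it.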