Optional time limit in policy

This example assumes you have added a policy entry named guest, which allows the subject (i.e. a Bosch ID) to read thing data until May 1st, 2021 (12:00 UTC in the example below).

Example

{
  "policyId": "my.namespace:policy-x",
  "entries": {
    "DEFAULT": {
      "subjects": {
        "iot-suite:/service-instance.xxx-your-service-instance-id-xxx.iot-things": {
          "type": "suite-auth"
        }
      },
      "resources": {
        "thing:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        },
        "policy:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        },
        "message:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        }
      }
    },
    "guest": {
      "subjects": {
        "bosch:xxx-your-Bosch-id-xxx": {
          "type": "Bosch ID",
          "expiry": "2021-05-01T12:00:00Z",
          "announcement": {
            "beforeExpiry": "1d",
            "whenDeleted": true
          }
        }
      },
      "resources": {
        "thing:/": {
          "grant": ["READ"],
          "revoke": []
        }
      }
    }
  }
}

Once the timestamp defined in the expiry field of the subject is reached, the Things service automatically deletes that subject from the policy entry and thereby revokes the access it granted.

In this example the "guest" entry is removed completely, because the time-limited subject was its only subject. Other subjects in the same entry would keep their access.

The timestamp is a string in ISO-8601 format. The Things service rounds it up to the next full hour, so the effective expiry can be up to one hour later than the value you set; choose the value accordingly.
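The following Python snippet is an added example and not code from the Bosch IoT Things documentation or the service itself. It builds the time-limited guest entry shown above and simulates the behaviour the text describes: the expiry is rounded up to the next full hour, and once that time is reached the subject is deleted and an entry left without subjects is dropped. Two assumptions are made: a timestamp that is already on the full hour is kept unchanged, and the placeholder ids are the page's own "xxx-..." stand-ins.

```python
"""Added example, not code from the Bosch IoT Things documentation or service:
builds the time-limited 'guest' entry and simulates what the page says the
service does with it (round expiry up to the full hour; delete the subject, and
the entry if it becomes empty, once that time is reached)."""
from datetime import datetime, timedelta, timezone


def parse_iso8601(ts):
    """Parse the UTC ('Z') ISO-8601 string used in the 'expiry' field."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def format_iso8601(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def round_up_to_full_hour(ts):
    """Effective expiry: the page states the service rounds the value up to the next
    full hour. A value already on the hour is assumed to be kept unchanged."""
    dt = parse_iso8601(ts)
    if dt.minute == 0 and dt.second == 0 and dt.microsecond == 0:
        return format_iso8601(dt)
    return format_iso8601(dt.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1))


def guest_entry(bosch_id, expiry, before_expiry="1d"):
    """The 'guest' entry from the page: READ on thing:/ for one Bosch ID until 'expiry'."""
    return {
        "subjects": {
            "bosch:" + bosch_id: {
                "type": "Bosch ID",
                "expiry": expiry,
                "announcement": {"beforeExpiry": before_expiry, "whenDeleted": True},
            }
        },
        "resources": {"thing:/": {"grant": ["READ"], "revoke": []}},
    }


def sample_policy():
    """The policy from the page; placeholder ids are the page's 'xxx-...' stand-ins."""
    full = {"grant": ["READ", "WRITE"], "revoke": []}
    return {
        "policyId": "my.namespace:policy-x",
        "entries": {
            "DEFAULT": {
                "subjects": {
                    "iot-suite:/service-instance.xxx-your-service-instance-id-xxx.iot-things": {
                        "type": "suite-auth"
                    }
                },
                "resources": {"thing:/": dict(full), "policy:/": dict(full), "message:/": dict(full)},
            },
            "guest": guest_entry("xxx-your-Bosch-id-xxx", "2021-05-01T12:00:00Z"),
        },
    }


def prune_expired_subjects(policy, now):
    """Simulate the service's cleanup at time 'now' (ISO-8601 string): delete every
    subject whose rounded expiry has been reached, then drop entries that are left
    without subjects. Modifies 'policy' in place and returns the deleted subject ids."""
    now_dt = parse_iso8601(now)
    removed = []
    for label in list(policy["entries"]):
        subjects = policy["entries"][label]["subjects"]
        for subject_id in list(subjects):
            expiry = subjects[subject_id].get("expiry")
            if expiry and parse_iso8601(round_up_to_full_hour(expiry)) <= now_dt:
                del subjects[subject_id]
                removed.append(subject_id)
        if not subjects:
            # The page: an entry whose only subject expired is removed completely.
            del policy["entries"][label]
    return removed


if __name__ == "__main__":
    policy = sample_policy()
    print("expiry 2021-05-01T12:30:00Z takes effect at", round_up_to_full_hour("2021-05-01T12:30:00Z"))
    print("deleted at 12:00Z:", prune_expired_subjects(policy, "2021-05-01T12:00:00Z"))
    print("remaining entries:", sorted(policy["entries"]))
```

Running the module shows that an expiry of 12:30 only takes effect at 13:00, and that at 12:00 the guest subject and with it the whole "guest" entry disappear while DEFAULT stays untouched.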

Announcement options

The announcement settings of the subject (beforeExpiry, whenDeleted) only tell the service when to emit an announcement. If someone in your scenario has to be informed about the expiry, you additionally need a connection that delivers these announcements to a receiver.

Example

Use the Bosch IoT Things UI, section Connections/Integrations.

  • Add a HTTP connection to your receiver endpoint.

  • At the Target section, check the box for Policy announcements.

An announcement would look like the following snippet.

{
  "topic": "your.namespace/the_policy_id/policies/announcements/subjectDeletion",
  "headers": {
    "correlation-id": "xxx",
    "content-type": "application/json"
  },
  "path": "/",
  "value": {
    "deleteAt": "2021-05-01T16:05:55Z",
    "subjectIds": [
      "integration:your-service-instance-id:your-client-1",
      "integration:your-service-instance-id:your-client-2"
    ]
  }
}
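As an added example that is not part of the documentation or of the service, the following Python code is a receiver for the announcement shown above. The message body is the page's snippet, embedded here as a constructed sample. It validates the topic and content type, extracts the affected subject ids and the policy id, and computes when the beforeExpiry announcement for a subject is due. Two points are this example's own assumptions: the supported duration units (d, h, m, s; the page only shows "1d"), and the convention that an announcement whose deleteAt lies in the future is the beforeExpiry warning while one whose deleteAt has passed is the whenDeleted notice.

```python
"""Added example, not code from the Bosch IoT Things documentation or service:
a receiver for the subjectDeletion policy announcement shown above."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the announcement from the page, as the HTTP receiver would get it.
SAMPLE_ANNOUNCEMENT = json.dumps({
    "topic": "your.namespace/the_policy_id/policies/announcements/subjectDeletion",
    "headers": {"correlation-id": "xxx", "content-type": "application/json"},
    "path": "/",
    "value": {
        "deleteAt": "2021-05-01T16:05:55Z",
        "subjectIds": [
            "integration:your-service-instance-id:your-client-1",
            "integration:your-service-instance-id:your-client-2",
        ],
    },
})

# <namespace>/<policy name>/policies/announcements/subjectDeletion, as in the page's topic.
SUBJECT_DELETION_TOPIC = re.compile(
    r"^(?P<namespace>[^/]+)/(?P<name>[^/]+)/policies/announcements/subjectDeletion$"
)


def parse_iso8601(ts):
    """Parse the UTC ('Z') ISO-8601 timestamps used in 'expiry' and 'deleteAt'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def format_iso8601(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_duration(value):
    """Parse a 'beforeExpiry' duration such as '1d'. The unit set (d, h, m, s) is an
    assumption of this example; the page only shows '1d'."""
    m = re.fullmatch(r"(\d+)([dhms])", value)
    if not m:
        raise ValueError("unsupported duration: %r" % value)
    units = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
    return timedelta(**{units[m.group(2)]: int(m.group(1))})


def expected_announcement_time(expiry, before_expiry):
    """When the 'beforeExpiry' announcement for a subject is due: expiry minus the duration."""
    return format_iso8601(parse_iso8601(expiry) - parse_duration(before_expiry))


def is_subject_deletion_topic(topic):
    return SUBJECT_DELETION_TOPIC.fullmatch(topic) is not None


def handle_announcement(raw, received_at):
    """Validate one announcement (JSON text) received at 'received_at' (ISO-8601) and
    return a summary the receiver can act on. Raises ValueError on anything that is
    not a well-formed subjectDeletion announcement."""
    msg = json.loads(raw)
    m = SUBJECT_DELETION_TOPIC.fullmatch(msg.get("topic", ""))
    if m is None:
        raise ValueError("not a subjectDeletion announcement: %r" % msg.get("topic"))
    headers = msg.get("headers", {})
    if headers.get("content-type") != "application/json":
        raise ValueError("unexpected content-type: %r" % headers.get("content-type"))
    value = msg["value"]
    subject_ids = value["subjectIds"]
    if not subject_ids or not all(isinstance(s, str) for s in subject_ids):
        raise ValueError("subjectIds must be a non-empty list of subject ids")
    delete_at = parse_iso8601(value["deleteAt"])
    # Convention of this example: deleteAt still in the future is the advance warning
    # configured via 'beforeExpiry'; otherwise the subject is already gone ('whenDeleted').
    kind = "beforeExpiry" if delete_at > parse_iso8601(received_at) else "whenDeleted"
    return {
        "policyId": "%s:%s" % (m["namespace"], m["name"]),
        "subjectIds": list(subject_ids),
        "deleteAt": value["deleteAt"],
        "kind": kind,
        "correlationId": headers.get("correlation-id"),
    }


if __name__ == "__main__":
    print(handle_announcement(SAMPLE_ANNOUNCEMENT, "2021-04-30T16:06:00Z"))
    print("guest warning due at", expected_announcement_time("2021-05-01T12:00:00Z", "1d"))
```

The correlation-id header is returned so the receiver can log or acknowledge the message; rejecting anything that does not match the subjectDeletion topic keeps the endpoint from acting on unrelated messages routed through the same connection.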