Solution policy
The solution policy defines the access rules for your digital twin instance. The solution policy ID is assigned automatically by our service when you subscribe to the service, so you cannot choose a different ID (unlike, for example, a thing entity, whose ID you can set yourself).
Find your solution policy ID on the dashboard's Basic data tab.
The ID follows the pattern com.bosch.iot.things.solution:<your-service-instance-id>.
Someone who was granted WRITE permission on the solution root resource (i.e. solution:/) is allowed to manage the solution itself.
| Resource | Addressed data, description |
| --- | --- |
| solution:/ | The solution itself (top-level). |
| solution:/namespaces | Applies to all namespaces of the solution. See also Namespace policy in case you need to restrict who is allowed to create things or thing policies of a specific namespace. |
| solution:/connections | Applies to all connections of the solution. |
| solution:/connections/<connectionId> | Applies to the specific connection with the given connectionId. |
| solution:/connections/<connectionId>/status | Applies to the status of the specific connection with the given connectionId. |
| solution:/connections/<connectionId>/metrics | Applies to all metrics of the specific connection with the given connectionId. |
| solution:/connections/<connectionId>/metrics/etc. | Applies to specific metrics of the specific connection with the given connectionId. |
| solution:/connections/<connectionId>/logs | Applies to all logs of the specific connection with the given connectionId. |
| solution:/connections/<connectionId>/logs/etc. | Applies to specific log entries of the specific connection with the given connectionId. |
Editing the solution policy is very similar to editing any other policy.
Any change can have far-reaching effects and can only be undone by a new request from someone who is still authorized, so rule number one is: do not lock yourself out.
Further, it is not recommended to grant other users WRITE permission on the policy, as they could also lock you out, either by mistake or on purpose.
Manage your solution programmatically
In some cases, it is useful to manage your solution programmatically.
By default, a solution's policy looks like the following.

```json
{
  "policyId": "com.bosch.iot.things.solution:<your-service-instance-id>",
  "entries": {
    "DEFAULT": {
      "subjects": {
        "bosch:<bosch-id-of-the-one-who-triggered-the-subscription>": {
          "type": "generated"
        },
        "iot-suite:/organization.<org-guid>.Developer": {
          "type": "generated"
        },
        "iot-suite:/organization.<org-guid>.Manager": {
          "type": "generated"
        },
        "iot-suite:/organization.<org-guid>.Owner": {
          "type": "generated"
        },
        "iot-suite:/service-instance.<your-service-instance-id>.iot-things@iot-things": {
          "type": "generated"
        }
      },
      "resources": {
        "policy:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        },
        "solution:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        }
      }
    },
    "DEFAULT_SOLUTION_MANAGEMENT": {
      "subjects": {
        "iot-suite:/service-instance.<your-service-instance-id>.iot-things@developer-console": {
          "type": "generated suite auth client subject"
        }
      },
      "resources": {
        "solution:/": {
          "grant": ["READ", "WRITE"],
          "revoke": []
        }
      }
    }
  }
}
```
The subjects "iot-suite:/organization.<org-guid>.Developer", "iot-suite:/organization.<org-guid>.Manager", and "iot-suite:/organization.<org-guid>.Owner" are added by default at subscription time for subscriptions created after June 24, 2021.
If your subscription is older, you can manually add those entries to your solution's policy. This enables your team to manage all of the solution's sub-resources, such as namespaces, connections and clients; see the full list at apidocs > Bosch IoT Things > Solutions.
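Added example (not code from the Bosch IoT Things documentation or service): it builds the policy update described above for an older subscription, adding the three organization role subjects to the DEFAULT entry, and applies rule number one before anything is submitted by checking that the subject making the change still holds WRITE on both policy:/ and solution:/ afterwards. The sample policy is constructed from the default shape shown above with its placeholders kept; the lock-out check is deliberately simplified to exact resource paths and does not evaluate permission inheritance along parent paths.

```python
from copy import deepcopy

# Constructed sample: the default solution policy shape shown above, placeholders kept.
ADMIN = "bosch:<bosch-id-of-the-one-who-triggered-the-subscription>"
THINGS_CLIENT = "iot-suite:/service-instance.<your-service-instance-id>.iot-things@iot-things"
CONSOLE_CLIENT = "iot-suite:/service-instance.<your-service-instance-id>.iot-things@developer-console"
RW = {"grant": ["READ", "WRITE"], "revoke": []}

DEFAULT_POLICY = {
    "policyId": "com.bosch.iot.things.solution:<your-service-instance-id>",
    "entries": {
        "DEFAULT": {
            "subjects": {ADMIN: {"type": "generated"}, THINGS_CLIENT: {"type": "generated"}},
            "resources": {"policy:/": deepcopy(RW), "solution:/": deepcopy(RW)},
        },
        "DEFAULT_SOLUTION_MANAGEMENT": {
            "subjects": {CONSOLE_CLIENT: {"type": "generated suite auth client subject"}},
            "resources": {"solution:/": deepcopy(RW)},
        },
    },
}

ORG_ROLES = ("Developer", "Manager", "Owner")

def add_org_subjects(policy, org_guid, entry="DEFAULT"):
    """Return a copy of the policy with the three organization role subjects added to the entry."""
    updated = deepcopy(policy)
    subjects = updated["entries"][entry]["subjects"]
    for role in ORG_ROLES:
        subjects.setdefault(f"iot-suite:/organization.{org_guid}.{role}", {"type": "generated"})
    return updated

def write_holders(policy, resource):
    """Subjects granted (and not revoked) WRITE on exactly this resource path, across all entries.
    Simplified check: exact path only, no parent-path inheritance."""
    holders = set()
    for entry in policy["entries"].values():
        perms = entry["resources"].get(resource)
        if perms and "WRITE" in perms["grant"] and "WRITE" not in perms["revoke"]:
            holders.update(entry["subjects"])
    return holders

def is_lockout_safe(policy, my_subject):
    """Rule number one: the subject submitting the change must keep WRITE on policy:/ and solution:/."""
    return all(my_subject in write_holders(policy, r) for r in ("policy:/", "solution:/"))
```

Run `is_lockout_safe` on the result of `add_org_subjects` with your own subject before sending the document as the new policy; if it returns False, do not submit the change.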