Authorization is handled separately
for Direct Device Integration (DDI) API, Device Management Federation (DMF) API, and Service Integration Event (SIE) API - a successful authentication includes full authorization
for Management API and Management UI authorization is based on permissions.
Table of contents:
Management API and Management UI
The Bosch IoT Rollouts permissions grant access to different repository functionality and data.
By default in the Cloud User scenario a root user will be generated including username and password. This root user is granted with all permissions. Additional Bosch account registered users can be added by User management view in the Management UI.
Target entities including metadata (that includes also the installed and assigned distribution sets)
Target registration rules
Permission to read the target security token. The security token is security concerned and should be protected.
Permission to download artifacts of a software module (Note: READ_REPOSITORY allows only to read the metadata).
Permission to administrate the tenant settings.
Permission to provision targets through rollouts (not included in starter plan).
Access to User Management view
Manage the permissions of users via UI and API
Access to Role Management view
Manage the permissions of roles via UI and API
Replaces User Management if an own identity provider is configured
Some uses cases need more than one permission.
Search targets by installed or assigned distribution set
Assign DS to a target
Assign DS to target through a Rollout, i.e. Rollout creation and start
READ_REPOSITORY, CREATE_ROLLOUT, HANDLE_ROLLOUT
Read Rollout status including its deployment groups
Checks targets inside Rollout deployment group
Direct Device Integration API
An authenticated target is permitted to:
retrieve commands from the server.
provide feedback to the server.
download artifacts that are assigned to it.
A target might be permitted to download artifacts without authentication. This option is available on EU-2 only and disabled by default (see Anonymous download).
Device Management Federation API
The RabbitMQ vhost and user is provided with the necessary permissions to send messages to Rollouts through the exchange and receive messages from it through the specified queue. In addition, the permission exists for an application to create their own queues and exchanges and in combination with the reply to header tell Rollouts to send all messages into that setup.
In case the DMF API is disabled, the respective queues, exchanges, bindings and messages will remain and will not be deleted.
Service Integration Event API
The RabbitMQ vhost and user is provided with the necessary permissions to receive messages from Rollouts through the specified queue. The necessary queues, exchanges and bindings are created automatically when the SIE API is enabled.
If the SIE API is later disabled, the respective exchanges, queues and bindings are deleted, along with any messages in the queue.