Policy of a solution

The solution policy defines the access rules for your solution.

tip Editing the solution policy is very similar to editing any other policy. Any change can turn out to be quite powerful and can only be undone via a new request by someone who is still authorized, so rule number one is: do not lock yourself out. Further, it is not recommended to empower other users to write the policy, as they could also lock you out, either by mistake or on purpose.

Manage your solution programmatically

In some cases, it is useful to manage your solution programmatically.

If your solution credentials do not contain a solution secret but you need to access the solution resource via the API, authenticate with your Bosch ID. For such subscriptions you most probably used your Bosch ID at the time of booking, so your Bosch ID is listed as an authorized subject.

If you want to avoid implementing logic to retrieve an access token, you can add additional subjects to the DEFAULT entry of your solution policy. The example below shows a default solution policy with an additional iot-permissions subject. The technical ID of a user managed by Bosch IoT Permissions is replaced by the placeholder xxx.

Warning: This permissions user will also be able to change the policy.

  {
    "policyId": "com.bosch.iot.things.solution:${your-solution-id}",
    "entries": {
      "DEFAULT": {
        "subjects": {
          "${default-subject}": {
            "type": "generated"
          },
          "iot-permissions:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx": {
            "type": "iot-permissions-userid"
          }
        },
        "resources": {"...original..":".. content.."}
      }
    }
  }

Adding a new entry

tip As the risk of messing up your default policy is quite high, we recommend adding a new entry instead.

If you just want to grant access to a specific part of your solution, create a separate policy entry containing the resources you’d like to share.

  {
    "policyId": "com.bosch.iot.things.solution:${your-solution-id}",
    "entries": {
      "DEFAULT": {"...original..":".. content.."},
      "other-users": {
        "subjects": {
          "iot-permissions:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx": {
            "type": "iot-permissions-userid"
          },
          "bosch:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx": {
            "type": "bosch-id"
          },
          "google:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx": {
            "type": "google-id"
          }
        },
        "resources": {
          "solution:/": {
            "grant": ["READ"],
            "revoke": []
          }
        }
      }
    }
  }

See Policies for more details on the concept.

The Hello World tutorial gives an easy first introduction to editing a policy; however, there the focus is on changing the access to a specific thing.

Example - connection metrics

Given that you want to programmatically empower an application to read the metrics of the connection “TEST-connection” (managed within your solution), proceed as follows:

  • Authenticate as someone who is allowed to change the solution policy.
  • Change the solution policy by adding a new entry with the respective authorization subject, following the structure of the example above. The new entry looks like this:

    {
      "subjects": {
        "iot-things:<your-solution-ID>:metrics-app": {
          "type": "iot-things-clientid"
        }
      },
      "resources": {
        "solution:/connections/<your-TEST-connection-ID>/metrics": {
          "grant": ["READ"],
          "revoke": []
        }
      }
    }

As a result, the new subject is allowed to request the metrics as described in our Solution HTTP API docs.

tip If your application is not interested in all metrics, you can also restrict it to a deeper level, e.g.
solution:/connections/<your-TEST-connection-ID>/metrics/connectionMetrics/consumed or
solution:/connections/<your-TEST-connection-ID>/metrics/connectionMetrics/enforced/success
as long as the path you describe follows the schema of a connection.
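As an added example that is not part of the Bosch documentation, the following Python script adds such a read-only entry to a solution policy held as JSON and then runs a pre-flight check against rule number one (the DEFAULT entry and its subject must survive unchanged) and against over-granting in the new entry. The policy content and the subject IDs are constructed placeholders, and the actual upload via the Solution HTTP API is left out.

```python
import copy

# Constructed sample in the format shown on this page: the DEFAULT entry holds the
# generated subject created at booking time, with full access to the solution.
SOLUTION_POLICY = {
    "policyId": "com.bosch.iot.things.solution:${your-solution-id}",
    "entries": {
        "DEFAULT": {
            "subjects": {"${default-subject}": {"type": "generated"}},
            "resources": {"solution:/": {"grant": ["READ", "WRITE"], "revoke": []}},
        }
    },
}


def add_read_only_entry(policy, entry_name, subject_id, subject_type, resource_path):
    """Return a copy of the policy with a new entry that grants READ on one path; DEFAULT is never touched."""
    if entry_name in policy["entries"]:
        raise ValueError(f"entry {entry_name!r} already exists")
    new_policy = copy.deepcopy(policy)
    new_policy["entries"][entry_name] = {
        "subjects": {subject_id: {"type": subject_type}},
        "resources": {resource_path: {"grant": ["READ"], "revoke": []}},
    }
    return new_policy


def lockout_risks(original, modified):
    """Pre-flight check before uploading a changed policy: returns a list of findings,
    empty when the owner's DEFAULT access is intact and only READ grants were added."""
    findings = []
    default = modified["entries"].get("DEFAULT")
    if not default or not default.get("subjects"):
        findings.append("DEFAULT entry removed or has no subjects")
    elif default != original["entries"]["DEFAULT"]:
        findings.append("DEFAULT entry was modified")
    for name, entry in modified["entries"].items():
        if name == "DEFAULT":
            continue
        for path, perms in entry.get("resources", {}).items():
            if "WRITE" in perms.get("grant", []):
                findings.append(f"entry {name!r} grants WRITE on {path!r}")
    return findings


if __name__ == "__main__":
    changed = add_read_only_entry(SOLUTION_POLICY, "metrics-app", "iot-things:${your-solution-id}:metrics-app",
                                  "iot-things-clientid", "solution:/connections/TEST-connection/metrics")
    print(lockout_risks(SOLUTION_POLICY, changed))  # [] -> safe to upload
```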
