Control who may access your XDK as a Thing

At this point we assume you have already worked through the Hello World tutorial and are familiar with our policy concept.

Read your policy

While registering your XDK, the Things service automatically generates a default policy for you. This policy protects access to all things you registered with your account. The ID of your policy is returned in the “policyId” property whenever you retrieve the data of your thing.

The policy contains the following entries:

  • owner - grants you, the device owner, all privileges, including the right to change or disable the other entries
  • connector - grants the software stack you flashed onto the device the right to communicate the sensor values to our cloud service
  • admin - grants an administrative user at Bosch IoT Things read and write access to all resources, in case you need support

    {
      "policyId": "bosch.xdk:S-1-5-21-xxx",
      "entries": {
        "admin": {
          "subjects": {
            "iot-permissions:41cxxx-xxx-xxx6d9": {
              "type": "iot-permissions-userid"
            }
          },
          "resources": {
            "policy:/": {
              "grant": ["READ", "WRITE"],
              "revoke": []
            },
            "thing:/": {
              "grant": ["READ", "WRITE"],
              "revoke": []
            }
          }
        },
        "owner": {
          "subjects": {
            "bosch:<S-x-x-your-bosch-ID-xxx>@ciamids_3692D578-A9D4-406A-8675-0964925256AA": {
              "type": "bosch-id"
            }
          },
          "resources": {
            "policy:/": {
              "grant": ["READ", "WRITE"],
              "revoke": []
            },
            "thing:/": {
              "grant": ["READ", "WRITE"],
              "revoke": []
            },
            "message:/": {
              "grant": ["READ", "WRITE"],
              "revoke": []
            }
          }
        },
        "connector": {
          "subjects": {
            "iot-things:xxx:lwm2m-connector": {
              "type": "iot-things-clientid"
            }
          },
          "resources": {
            "thing:/": {
              "grant": ["READ", "WRITE"],
              "revoke": []
            }
          }
        }
      }
    }

Create a new user

The easiest way is to create a second Bosch ID for the App.

Then add that second Bosch ID as a subject in your XDK's policy. On each request to read, update or delete a thing (or a part of it), the Things service checks whether the requesting subject holds the respective permission on that resource; a subject that appears in no entry is denied.

Update your policy

Assume your App is an Illumination-App that only needs to read the values of the IlluminanceSensor.0 feature. The policy entry below therefore grants READ on that feature only: no WRITE, no other features, and no access to policy:/, so the App cannot widen its own permissions.

Create a new policy entry label

  • Section “Policies”: PUT /policies/{policyId}/entries/{label}
  • Click “Try it out”
  • Set policyId: bosch.xdk:S-1-5-21-xxx
  • Set label: Illumination-App
  • Set policyEntry (the subject is the second Bosch ID, not your own):

    {
      "subjects": {
        "bosch:<S-x-x-second-bosch-ID-xxx>@ciamids_3692D578-A9D4-406A-8675-0964925256AA": {
          "type": "bosch-id"
        }
      },
      "resources": {
        "thing:/features/IlluminanceSensor.0": {
          "grant": ["READ"],
          "revoke": []
        }
      }
    }
  • Execute

Check your change

To verify that it is the second Bosch ID which may now read the values, and that it sees nothing else of the thing, proceed as follows:

  • Open the Authorize dialog
    • At section “OAuth2.0” click Logout
  • Re-open the Authorize dialog
    • Now log in with the second user
    • Click Authorize
  • Make sure the API token is still set
  • Select section “Things”
    • GET /things/{thingId}
    • Click Try it out
    • Set the thingId: bosch.xdk:xxx
    • Execute

Response body (only the part of the thing the new entry grants READ on is returned):

    {
      "thingId": "bosch.xdk:xxx",
      "features": {
        "IlluminanceSensor.0": {
          "properties": {
            "status": {
              "minMeasuredValue": 120960,
              "minRangeValue": 0,
              "units": "mlx",
              "maxMeasuredValue": 198720,
              "sensorValue": 195840,
              "maxRangeValue": 188000000
            }
          }
        }
      }
    }
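The two steps above (“Update your policy” and “Check your change”) can be worked through offline. The following Python is an added example, not code from this tutorial or from the Bosch IoT Things service: it holds the default policy printed on this page plus the Illumination-App entry, evaluates requests against a simplified model of the path-based grant/revoke rules (a grant on a resource path covers the path and everything beneath it, a revoke on a more specific path overrides a grant on a parent path, and on the same path a revoke wins), and projects the thing to what a subject may read, which is what the GET in “Check your change” shows. The second user's subject string and the Accelerometer.0 feature are constructed placeholders; the IlluminanceSensor.0 values are taken from the response body above.

```python
"""Offline model of policy evaluation for the XDK policy on this page (added example)."""
import copy

CIAM = "@ciamids_3692D578-A9D4-406A-8675-0964925256AA"
OWNER = "bosch:<S-x-x-your-bosch-ID-xxx>" + CIAM          # owner subject as printed on the page
SECOND_USER = "bosch:<S-x-x-second-bosch-ID-xxx>" + CIAM  # constructed placeholder for the App's Bosch ID
ADMIN = "iot-permissions:41cxxx-xxx-xxx6d9"
CONNECTOR = "iot-things:xxx:lwm2m-connector"

RW = {"grant": ["READ", "WRITE"], "revoke": []}
RO = {"grant": ["READ"], "revoke": []}

POLICY = {
    "policyId": "bosch.xdk:S-1-5-21-xxx",
    "entries": {
        "admin": {"subjects": {ADMIN: {"type": "iot-permissions-userid"}},
                  "resources": {"policy:/": RW, "thing:/": RW}},
        "owner": {"subjects": {OWNER: {"type": "bosch-id"}},
                  "resources": {"policy:/": RW, "thing:/": RW, "message:/": RW}},
        "connector": {"subjects": {CONNECTOR: {"type": "iot-things-clientid"}},
                      "resources": {"thing:/": RW}},
        # entry from "Update your policy": READ on one feature, nothing on policy:/
        "Illumination-App": {"subjects": {SECOND_USER: {"type": "bosch-id"}},
                             "resources": {"thing:/features/IlluminanceSensor.0": RO}},
    },
}


def _split(resource):
    """'thing:/features/X' -> ('thing', ['features', 'X']); 'policy:/' -> ('policy', [])."""
    typ, _, path = resource.partition(":/")
    return typ, [p for p in path.split("/") if p]


def is_allowed(policy, subject, resource, permission):
    """Does `subject` hold `permission` on `resource`?  (simplified model)

    Walk from the requested path up to the type root ('thing:/', 'policy:/').
    The first (most specific) level at which any entry for this subject says
    something decides; at that level a revoke beats a grant.  No entry: denied.
    """
    typ, parts = _split(resource)
    for depth in range(len(parts), -1, -1):
        key = f"{typ}:/" + "/".join(parts[:depth])
        granted = revoked = False
        for entry in policy["entries"].values():
            if subject not in entry["subjects"]:
                continue
            perms = entry["resources"].get(key)
            if perms is None:
                continue
            granted |= permission in perms.get("grant", [])
            revoked |= permission in perms.get("revoke", [])
        if revoked:
            return False
        if granted:
            return True
    return False


def with_entry(policy, label, entry):
    """Copy of `policy` with entry `label` added or replaced (what PUT .../entries/{label} does)."""
    new = copy.deepcopy(policy)
    new["entries"][label] = entry
    return new


def readable_view(policy, subject, thing):
    """Project `thing` to the parts `subject` may READ (the GET in "Check your change").

    Leaves the subject may not read, and objects left empty, are dropped.  thingId is
    kept whenever anything is readable, as in the response body on the page; if the
    subject may read nothing at all, None is returned (the service would refuse).
    """
    def prune(node, path):
        if not isinstance(node, dict):
            return node if is_allowed(policy, subject, "thing:/" + "/".join(path), "READ") else None
        kept = {k: prune(v, path + [k]) for k, v in node.items()}
        kept = {k: v for k, v in kept.items() if v is not None}
        return kept or None

    view = prune({k: v for k, v in thing.items() if k != "thingId"}, [])
    return None if view is None else {"thingId": thing["thingId"], **view}


# Thing from the page's response body, plus a constructed second feature so that
# the projection for the second user has something to filter out.
THING = {
    "thingId": "bosch.xdk:xxx",
    "features": {
        "IlluminanceSensor.0": {"properties": {"status": {
            "minMeasuredValue": 120960, "minRangeValue": 0, "units": "mlx",
            "maxMeasuredValue": 198720, "sensorValue": 195840, "maxRangeValue": 188000000}}},
        "Accelerometer.0": {"properties": {"status": {"xValue": 12, "yValue": -3, "zValue": 980}}},
    },
}

if __name__ == "__main__":
    print(readable_view(POLICY, SECOND_USER, THING))           # only IlluminanceSensor.0 survives
    print(is_allowed(POLICY, SECOND_USER, "policy:/", "READ"))  # False: the App cannot read or widen the policy
    print(is_allowed(POLICY, CONNECTOR, "policy:/", "WRITE"))   # False: the connector only touches thing:/
```

Running it shows the same picture as the Swagger check: the second user gets exactly the IlluminanceSensor.0 branch and nothing else, a WRITE on that feature is denied, and neither the App nor the connector can touch policy:/. The `with_entry` helper lets you try further entries, for example a grant of READ on thing:/ combined with a revoke on one feature, before you PUT them against the real policy.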