Required Policy actions by Industrial IoT services
Protecting business resources (such as Assets, Events, IoT Files, TimeSeries data and Data Lake files/folders) requires certain mandatory actions to be specified in Policy definitions; if they are missing, the operation is denied.
API access is controlled at two levels: role-based and policy-based.
Role based access control
To access any API, the user needs to have the respective roles listed in Roles & Scopes for Applications.
Policy based access control
Secure Data Sharing (SDS) enables you to create and manage fine-grained access rights. It is based on the industry standard paradigm Policy Based Access Control (PBAC). Here, a policy describes that a given set of subjects is allowed to perform a given set of actions on a specified set of resources.
If a tenant is SDS enabled, then because of the "denial by default" approach, a user who has the required roles to manage resources will still be unable to perform operations on some of the service APIs unless a policy grants them. More information about SDS and how to create a policy can be found in Policies.
Note
- For more details about actions and their dependencies, refer to Action Details and Dependencies among Actions.
- Dependent action(s) need to be explicitly added to the Policy definition along with the parent action.
The following sections describe the mandatory actions required by respective service APIs.
Asset Management
Here is the list of Asset Management APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the Asset Management API Specification.
| API | Action Required |
|---|---|
| GET /assets | mdsp:core:assetmanagement:asset:read |
| POST /assets | mdsp:core:assetmanagement:asset:write (on parent asset) |
| GET /assets/{id} | mdsp:core:assetmanagement:asset:read |
| PUT /assets/{id} | mdsp:core:assetmanagement:asset:write |
| PATCH /assets/{id} | mdsp:core:assetmanagement:asset:write |
| DELETE /assets/{id} | mdsp:core:assetmanagement:asset:write |
| POST /assets/{id}/move | mdsp:core:assetmanagement:asset:write (on the new parent asset and also on the asset being moved) |
| PUT /assets/{id}/fileAssignments/{key} | mdsp:core:assetmanagement:asset:read |
| DELETE /assets/{id}/fileAssignments/{key} | mdsp:core:assetmanagement:asset:read |
| GET /assets/{id}/variables | mdsp:core:assetmanagement:asset:read |
| GET /assets/{id}/aspects | mdsp:core:assetmanagement:asset:read |
| PUT /assets/{id}/location | mdsp:core:assetmanagement:asset:write |
| DELETE /assets/{id}/location | mdsp:core:assetmanagement:asset:read |
Exceptions
- Only the /assets APIs are SDS enabled; the /assettypes and /aspecttypes APIs are not.
- Root assets are the assets with the asset type core.basicenterprise; these assets are visible without any policy definition.
- A user having the role Tenant-Administrator is allowed unrestricted access to all the assets of the tenant.
- A technical user has unrestricted access to all the assets of the tenant.
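A constructed Python model of the deny-by-default evaluation for the Asset Management rows and exceptions above (added here for illustration; it is not the SDS engine or its policy schema). It shows the move case needing write on both assets, root assets being readable without a policy, and Tenant-Administrator or technical users bypassing evaluation; it assumes the role check for the API itself has already passed.

```python
# Constructed deny-by-default evaluator for the Asset Management rules above.
# It is an illustration, not the SDS engine or its policy format.
from dataclasses import dataclass
from typing import Optional

READ = "mdsp:core:assetmanagement:asset:read"
WRITE = "mdsp:core:assetmanagement:asset:write"
ROOT_TYPES = {"core.basicenterprise"}          # root assets: visible without a policy
UNRESTRICTED_ROLES = {"Tenant-Administrator"}  # bypasses policy evaluation entirely

# API -> required (action, target) pairs taken from the table above; "self" is the
# {id} asset, "parent" its parent, "new_parent" the destination of a move.
REQUIRED = {
    "GET /assets/{id}": [(READ, "self")],
    "PUT /assets/{id}": [(WRITE, "self")],
    "DELETE /assets/{id}": [(WRITE, "self")],
    "POST /assets": [(WRITE, "parent")],
    "POST /assets/{id}/move": [(WRITE, "new_parent"), (WRITE, "self")],
    "DELETE /assets/{id}/location": [(READ, "self")],
}

@dataclass
class Asset:
    asset_id: str
    type_id: str
    parent_id: Optional[str] = None

@dataclass
class Policy:  # subjects x actions x resources, as the text describes
    subjects: set
    actions: set
    resources: set  # asset ids

def is_allowed(subject, api, asset, assets, policies, roles=frozenset(), technical=False, new_parent_id=None):
    """True only if every required (action, asset) pair is granted; anything else is denied."""
    if technical or roles & UNRESTRICTED_ROLES:
        return True
    targets = {"self": asset.asset_id, "parent": asset.parent_id, "new_parent": new_parent_id}
    for action, which in REQUIRED[api]:
        target = assets.get(targets[which])
        if target is None:
            return False
        if action == READ and target.type_id in ROOT_TYPES:
            continue  # root assets are visible without any policy definition
        if not any(subject in p.subjects and action in p.actions
                   and target.asset_id in p.resources for p in policies):
            return False  # deny by default: no policy grants this action on this asset
    return True
```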
Event Management
Here is the list of Event Management APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the Event Management API Specification.
| API | Action Required |
|---|---|
| GET /events | mdsp:core:eventmanagement:event:allow |
| POST /events | mdsp:core:eventmanagement:event:allow |
| GET /events/{eventId} | mdsp:core:eventmanagement:event:allow |
| PUT /events/{eventId} | mdsp:core:eventmanagement:event:allow |
| POST /createEventsJobs | mdsp:core:eventmanagement:event:allow |
Exceptions
- Only the events APIs are SDS enabled; the EventType APIs are not.
- Assets with an asset type such as core.basicenterprise, core.basicsubtenant or core.sharerenterprise are root assets. All event operations for such root assets can be performed without any policy definition.
- A user having the role Tenant-Administrator is allowed unrestricted access to all the events of the tenant.
- A technical user has unrestricted access to all the events of the tenant.
Integrated Data Lake Service
Here is the list of Integrated Data Lake Service APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the Integrated Data Lake Service API Specification.
| API | Action Required |
|---|---|
| POST /generateUploadObjectUrls | mdsp:core:idl:prefix:write |
| POST /generateDownloadObjectUrls | mdsp:core:idl:prefix:read |
| DELETE /objects/{path} | mdsp:core:idl:prefix:delete |
| DELETE /deleteObjectsJobs | mdsp:core:idl:prefix:delete |
| POST /timeSeriesImportJobs | mdsp:core:iotservices:timeseries:read |
IoT File Service
Here is the list of IoT File Service APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the IoT File Service API Specification.
| API | Action Required |
|---|---|
| PUT /files/{entityId}/{filepath} | mdsp:core:iotservices:files:write |
| GET /files/{entityId}/{filepath} | mdsp:core:iotservices:files:read |
| DELETE /files/{entityId}/{filepath} | mdsp:core:iotservices:files:delete |
IoT Time Series Service
Here is the list of IoT Time Series APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the IoT Time Series Service API Specification.
| Operation | HTTP method | Action Required |
|---|---|---|
| Ingest timeseries data on a single Asset/Aspect | PUT | mdsp:core:iotservices:timeseries:write_normal |
| Ingest timeseries data on multiple Assets/Aspects | PUT | mdsp:core:iotservices:timeseries:write_multiassetmultiaspect |
| Import high frequency timeseries data | POST | mdsp:core:iotservices:timeseries:write_bulk |
| Read ingested timeseries data | GET | mdsp:core:iotservices:timeseries:read |
| Delete timeseries data | DELETE | mdsp:core:iotservices:timeseries:delete |
| Read aggregated timeseries data | GET | mdsp:core:iotservices:timeseries:read |