Required Policy actions by Industrial IoT services
Protecting business resources (such as Assets, Events, IoT Files, TimeSeries data, and Data Lake files/folders) requires certain mandatory actions to be specified in policy definitions; if they are missing, the operation is denied.
API access is controlled at two levels: role-based and policy-based.
Role based access control
To access any API, the user needs to have the respective roles listed in Roles & Scopes for Applications.
Policy based access control
Secure Data Sharing (SDS) enables you to create and manage fine-grained access rights. It is based on the industry-standard paradigm Policy Based Access Control (PBAC), in which a policy describes a given set of subjects that is allowed to perform a given set of actions on a specified set of resources.
If a tenant is SDS (Secure Data Sharing) enabled, then because of the "denial by default" approach, even a user who has the roles needed to manage resources cannot perform operations on some of the service APIs unless a policy allows it. Details about SDS and how to create a policy can be found in Policies.
Note
- For more details about actions and their dependencies, refer to Action Details and Dependencies among Actions
- Dependent action(s) need to be explicitly added to the policy definition along with the parent action
The following sections describe the mandatory action(s) required by respective service APIs.
Asset Management
Here is the list of Asset Management APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the Asset Management API Specification.
API | Action Required |
---|---|
GET /assets | mdsp:core:assetmanagement:asset:read |
POST /assets | mdsp:core:assetmanagement:asset:write (on parent asset) |
GET /assets/{id} | mdsp:core:assetmanagement:asset:read |
PUT /assets/{id} | mdsp:core:assetmanagement:asset:write |
PATCH /assets/{id} | mdsp:core:assetmanagement:asset:write |
DELETE /assets/{id} | mdsp:core:assetmanagement:asset:write |
POST /assets/{id}/move | mdsp:core:assetmanagement:asset:write (on new parent asset; and also on the asset being moved) |
PUT /assets/{id}/fileAssignments/{key} | mdsp:core:assetmanagement:asset:read |
DELETE /assets/{id}/fileAssignments/{key} | mdsp:core:assetmanagement:asset:read |
GET /assets/{id}/variables | mdsp:core:assetmanagement:asset:read |
GET /assets/{id}/aspects | mdsp:core:assetmanagement:asset:read |
PUT /assets/{id}/location | mdsp:core:assetmanagement:asset:write |
DELETE /assets/{id}/location | mdsp:core:assetmanagement:asset:read |
Exceptions
- Only the /assets APIs are SDS enabled; the /assettypes and /aspecttypes APIs are not.
- Root assets are the assets whose asset type is `core.basicenterprise`; these assets are visible without any policy definition.
- A user having the role `Tenant-Administrator` is allowed unrestricted access to all the assets of the tenant.
- A technical user has unrestricted access to all the assets of the tenant.
Event Management
Here is the list of Event Management APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the Event Management API Specification.
API | Action Required |
---|---|
GET /events | mdsp:core:eventmanagement:event:allow |
POST /events | mdsp:core:eventmanagement:event:allow |
GET /events/{eventId} | mdsp:core:eventmanagement:event:allow |
PUT /events/{eventId} | mdsp:core:eventmanagement:event:allow |
POST /createEventsJobs | mdsp:core:eventmanagement:event:allow |
Exceptions
- Only the events APIs are SDS enabled; the EventType APIs are not.
- Assets with an asset type such as `core.basicenterprise`, `core.basicsubtenant`, or `core.sharerenterprise` are root assets. All event operations for such root assets can be performed without any policy definition.
- A user having the role `Tenant-Administrator` is allowed unrestricted access to all the events of the tenant.
- A technical user has unrestricted access to all the events of the tenant.
Integrated Data Lake Service
Here is the list of Integrated Data Lake Service APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the Integrated Data Lake Service API Specification.
API | Action Required |
---|---|
POST /generateUploadObjectUrls | mdsp:core:idl:prefix:write |
POST /generateDownloadObjectUrls | mdsp:core:idl:prefix:read |
DELETE /objects/{path} | mdsp:core:idl:prefix:delete |
DELETE /deleteObjectsJobs | mdsp:core:idl:prefix:delete |
POST /timeSeriesImportJobs | mdsp:core:iotservices:timeseries:read |
IoT File Service
Here is the list of IoT File Service APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the IoT File Service API Specification.
API | Action Required |
---|---|
PUT /files/{entityId}/{filepath} | mdsp:core:iotservices:files:write |
GET /files/{entityId}/{filepath} | mdsp:core:iotservices:files:read |
DELETE /files/{entityId}/{filepath} | mdsp:core:iotservices:files:delete |
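The Asset Management and IoT File Service tables above can be turned into a deny-by-default pre-flight check: map an API call to the fine-grained action(s) it needs on the affected asset(s), then verify that a policy grants them before the request is sent. The following is an added example, not the platform's own code; the route-to-action mapping and the exceptions (root asset type `core.basicenterprise`, `Tenant-Administrator`, technical user) follow the tables, while the `Principal`, `Policy` and `asset_types` structures are simplified assumptions rather than the real policy schema, and the sample policies and asset ids are constructed. Dependencies among actions are not modelled because the page does not list them.

```python
"""Deny-by-default pre-flight check for the Asset Management and IoT File
Service routes listed on this page (added illustration, not platform code).
Principal/Policy/asset_types are simplified assumptions, not the real schema."""
import re
from dataclasses import dataclass

ASSET_READ = "mdsp:core:assetmanagement:asset:read"
ASSET_WRITE = "mdsp:core:assetmanagement:asset:write"
FILES = "mdsp:core:iotservices:files:"
ROOT_ASSET_TYPES = {"core.basicenterprise"}   # visible without any policy
ADMIN_ROLE = "Tenant-Administrator"

# (method, path template, action) as listed in the tables above.
ROUTES = [
    ("GET", "/assets", ASSET_READ),
    ("POST", "/assets", ASSET_WRITE),             # checked on the parent asset
    ("GET", "/assets/{id}", ASSET_READ),
    ("PUT", "/assets/{id}", ASSET_WRITE),
    ("PATCH", "/assets/{id}", ASSET_WRITE),
    ("DELETE", "/assets/{id}", ASSET_WRITE),
    ("POST", "/assets/{id}/move", ASSET_WRITE),   # on moved asset and on new parent
    ("PUT", "/assets/{id}/fileAssignments/{key}", ASSET_READ),
    ("DELETE", "/assets/{id}/fileAssignments/{key}", ASSET_READ),
    ("GET", "/assets/{id}/variables", ASSET_READ),
    ("GET", "/assets/{id}/aspects", ASSET_READ),
    ("PUT", "/assets/{id}/location", ASSET_WRITE),
    ("DELETE", "/assets/{id}/location", ASSET_READ),
    ("PUT", "/files/{entityId}/{filepath}", FILES + "write"),
    ("GET", "/files/{entityId}/{filepath}", FILES + "read"),
    ("DELETE", "/files/{entityId}/{filepath}", FILES + "delete"),
]

def _compile(template):
    # {filepath} may span several segments; every other placeholder is one segment.
    pattern = template.replace("{filepath}", "(?P<filepath>.+)")
    pattern = re.sub(r"\{(\w+)\}", r"(?P<\g<1>>[^/]+)", pattern)
    return re.compile("^" + pattern + "$")

COMPILED = [(m, t, _compile(t), a) for m, t, a in ROUTES]

@dataclass(frozen=True)
class Principal:
    subject: str
    roles: frozenset = frozenset()
    technical_user: bool = False

@dataclass(frozen=True)
class Policy:
    """Assumed shape: these subjects may perform these actions on these asset ids."""
    subjects: frozenset
    actions: frozenset
    resources: frozenset

def required_actions(method, path, parent_asset=None):
    """Return the (action, asset_id) pairs a call needs, or None if the route is
    not in the tables. asset_id None marks a collection-level call (GET /assets),
    where the action only has to be granted on at least one asset."""
    for m, template, rx, action in COMPILED:
        match = rx.match(path)
        if m != method or not match:
            continue
        if template == "/assets" and method == "POST":
            return [(action, parent_asset)]           # write on the parent asset
        params = match.groupdict()
        needs = [(action, params.get("id") or params.get("entityId"))]
        if template.endswith("/move"):
            needs.append((action, parent_asset))      # new parent must be writable too
        return needs
    return None

def _granted(policies, subject, action, asset_id):
    return any(subject in p.subjects and action in p.actions
               and (asset_id is None or asset_id in p.resources) for p in policies)

def authorize(principal, policies, method, path, asset_types, parent_asset=None):
    """Return (allowed, reason). Unknown routes and missing actions fail closed."""
    needs = required_actions(method, path, parent_asset)
    if needs is None:
        return False, f"{method} {path} is not in the tables; check the API specification"
    if principal.technical_user or ADMIN_ROLE in principal.roles:
        return True, "unrestricted: technical user or Tenant-Administrator"
    for action, asset_id in needs:
        is_asset_api = action.startswith("mdsp:core:assetmanagement:")
        if is_asset_api and asset_types.get(asset_id) in ROOT_ASSET_TYPES:
            continue                                  # root assets need no policy
        if not _granted(policies, principal.subject, action, asset_id):
            return False, f"missing {action} on {asset_id or 'any asset'}"
    return True, "granted"

# Constructed sample data (asset ids, types and policies are made up).
SAMPLE_ASSET_TYPES = {"root-0001": "core.basicenterprise",
                      "plant-0042": "custom.site", "pump-0007": "custom.pump"}
SAMPLE_POLICIES = [
    Policy(frozenset({"alice"}), frozenset({ASSET_READ}), frozenset({"plant-0042", "pump-0007"})),
    Policy(frozenset({"alice"}), frozenset({ASSET_WRITE}), frozenset({"pump-0007"})),
    Policy(frozenset({"alice"}), frozenset({FILES + "read"}), frozenset({"pump-0007"})),
]
alice = Principal("alice")
admin = Principal("bob", roles=frozenset({ADMIN_ROLE}))

if __name__ == "__main__":
    for who, m, p, parent in [
        (alice, "PUT", "/assets/plant-0042/location", None),       # read only -> denied
        (alice, "POST", "/assets", "pump-0007"),                    # write on parent -> ok
        (alice, "POST", "/assets/pump-0007/move", "plant-0042"),    # no write on new parent
        (alice, "GET", "/assets/root-0001", None),                  # root asset -> ok
        (alice, "DELETE", "/files/pump-0007/logs/a.txt", None),     # only files:read -> denied
        (admin, "DELETE", "/assets/plant-0042", None),              # admin -> ok
    ]:
        print(who.subject, m, p, *authorize(who, SAMPLE_POLICIES, m, p, SAMPLE_ASSET_TYPES, parent))
```

The move case is the one practitioners most often get wrong: the asset being moved and the new parent are two separate resources, and the policy must grant write on both. Running the check locally before calling the API turns an opaque 403 into a message naming the missing action and asset.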
IoT Time Series Service
Here is the list of IoT Time Series APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, refer to the IoT Time Series Service API Specification.
API | API method | Action Required |
---|---|---|
To ingest timeseries data on single Asset/Aspect | PUT | mdsp:core:iotservices:timeseries:write_normal |
To ingest timeseries data on multiple Asset/Aspect | PUT | mdsp:core:iotservices:timeseries:write_multiassetmultiaspect |
To import high frequency timeseries data | POST | mdsp:core:iotservices:timeseries:write_bulk |
To read ingested timeseries data | GET | mdsp:core:iotservices:timeseries:read |
To delete timeseries data | DELETE | mdsp:core:iotservices:timeseries:delete |
To read aggregated timeseries data | GET | mdsp:core:iotservices:timeseries:read |