Required Policy actions by Industrial IoT services

Protecting business resources (such as Assets, Events, IoT Files, TimeSeries data, and Data Lake files/folders) requires certain mandatory actions to be specified in Policy definitions; if they are missing, the operation is denied.

API access is controlled at two levels: role-based and policy-based.

Role based access control

To access any API, the user needs to have the respective roles listed in Roles & Scopes for Applications.

Policy based access control

Secure Data Sharing (SDS) enables you to create and manage fine-grained access rights. It is based on the industry-standard Policy Based Access Control (PBAC) paradigm. Here a policy describes a given set of subjects that is allowed to perform a given set of actions on a specified set of resources.
If a tenant is SDS (Secure Data Sharing) enabled, then due to the "denial by default" approach, even a user who has the roles needed to manage resources will not be able to perform operations on some of the service APIs without a matching policy. Details about SDS and how to create a policy can be found in Policies.

Note

  • For more details about actions and their dependencies, refer to Action Details and Dependencies among Actions.
  • Dependent action(s) need to be explicitly added to the Policy definition along with the parent action.

The following sections describe the mandatory action(s) required by respective service APIs.

Asset Management

Here is the list of Asset Management APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, please refer to the Asset Management API Specification.

| API | Action Required |
|---|---|
| GET /assets | mdsp:core:assetmanagement:asset:read |
| POST /assets | mdsp:core:assetmanagement:asset:write (on parent asset) |
| GET /assets/{id} | mdsp:core:assetmanagement:asset:read |
| PUT /assets/{id} | mdsp:core:assetmanagement:asset:write |
| PATCH /assets/{id} | mdsp:core:assetmanagement:asset:write |
| DELETE /assets/{id} | mdsp:core:assetmanagement:asset:write |
| POST /assets/{id}/move | mdsp:core:assetmanagement:asset:write (on new parent asset; and also on the asset being moved) |
| PUT /assets/{id}/fileAssignments/{key} | mdsp:core:assetmanagement:asset:read |
| DELETE /assets/{id}/fileAssignments/{key} | mdsp:core:assetmanagement:asset:read |
| GET /assets/{id}/variables | mdsp:core:assetmanagement:asset:read |
| GET /assets/{id}/aspects | mdsp:core:assetmanagement:asset:read |
| PUT /assets/{id}/location | mdsp:core:assetmanagement:asset:write |
| DELETE /assets/{id}/location | mdsp:core:assetmanagement:asset:read |

Exceptions

  • Only the /assets APIs are SDS enabled; the /assettypes and /aspecttypes APIs are not.
  • Root Assets are the assets with the asset type core.basicenterprise; these assets are visible without any policy definition.
  • A user having the role Tenant-Administrator is allowed unrestricted access to all the assets of the tenant.
  • A technical user has unrestricted access to all the assets of the tenant.
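The following is an added example (not part of this page or the product's own code) that turns the Asset Management table and its exceptions into a deny-by-default check: a request is allowed only if a policy grants the exact action on every resource the row names (so a move needs write on both the asset and its new parent), while Tenant-Administrator, technical users and core.basicenterprise root assets bypass the check as stated above. The user, policy and resource dictionaries are simplified, hypothetical shapes, not the Policies API schema; only the endpoints and action strings come from the page.

```python
import re

# One row per line of the page's Asset Management table: method, path pattern,
# required action, and which resource(s) the action must be granted on
# ("asset" = the asset addressed by {id}, "parent" = the parent / new parent asset).
A = "mdsp:core:assetmanagement:asset:"
ASSET_RULES = [
    ("GET",    r"^/assets$",                             A + "read",  ("asset",)),
    ("POST",   r"^/assets$",                             A + "write", ("parent",)),
    ("GET",    r"^/assets/[^/]+$",                       A + "read",  ("asset",)),
    ("PUT",    r"^/assets/[^/]+$",                       A + "write", ("asset",)),
    ("PATCH",  r"^/assets/[^/]+$",                       A + "write", ("asset",)),
    ("DELETE", r"^/assets/[^/]+$",                       A + "write", ("asset",)),
    ("POST",   r"^/assets/[^/]+/move$",                  A + "write", ("asset", "parent")),
    ("PUT",    r"^/assets/[^/]+/fileAssignments/[^/]+$", A + "read",  ("asset",)),
    ("DELETE", r"^/assets/[^/]+/fileAssignments/[^/]+$", A + "read",  ("asset",)),
    ("GET",    r"^/assets/[^/]+/variables$",             A + "read",  ("asset",)),
    ("GET",    r"^/assets/[^/]+/aspects$",               A + "read",  ("asset",)),
    ("PUT",    r"^/assets/[^/]+/location$",              A + "write", ("asset",)),
    ("DELETE", r"^/assets/[^/]+/location$",              A + "read",  ("asset",)),
]

def required_action(method, path):
    """Return (action, resource roles) for a request, or None if no row covers it."""
    for m, pattern, action, roles in ASSET_RULES:
        if m == method and re.match(pattern, path):
            return action, roles
    return None

def is_allowed(method, path, user, policies, resources):
    """Deny-by-default SDS check over hypothetical, simplified structures:
    user      = {"id": str, "roles": set, "technical": bool}
    policies  = [{"subjects": set(user ids), "actions": set, "resources": set(asset ids)}]
    resources = {"asset": {"id", "type"}, "parent": {"id", "type"}} for this request."""
    # Exceptions listed on the page: Tenant-Administrator and technical users are unrestricted.
    if "Tenant-Administrator" in user["roles"] or user.get("technical", False):
        return True
    rule = required_action(method, path)
    if rule is None:   # e.g. /assettypes: not SDS enabled; only RBAC applies (not modelled here)
        return True
    action, roles = rule
    for role in roles:  # every named resource must be covered: a move needs asset AND new parent
        asset = resources[role]
        if asset["type"] == "core.basicenterprise":   # root assets need no policy definition
            continue
        # Actions match literally: a write grant does not imply read, because dependent
        # actions must be explicitly added to the policy (see the Note above).
        if not any(user["id"] in p["subjects"] and action in p["actions"]
                   and asset["id"] in p["resources"] for p in policies):
            return False
    return True
```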

Event Management

Here is the list of Event Management APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, please refer to the Event Management API Specification.

| API | Action Required |
|---|---|
| GET /events | mdsp:core:eventmanagement:event:allow |
| POST /events | mdsp:core:eventmanagement:event:allow |
| GET /events/{eventId} | mdsp:core:eventmanagement:event:allow |
| PUT /events/{eventId} | mdsp:core:eventmanagement:event:allow |
| POST /createEventsJobs | mdsp:core:eventmanagement:event:allow |

Exceptions

  • Only the events APIs are SDS enabled; the EventType APIs are not.
  • Assets with an asset type such as core.basicenterprise, core.basicsubtenant, or core.sharerenterprise are root assets.
  • All events operations for such root assets can be performed without any policy definition.
  • A user having the role Tenant-Administrator is allowed unrestricted access to all the events of the tenant.
  • A technical user has unrestricted access to all the events of the tenant.

Integrated Data Lake Service

Here is the list of Integrated Data Lake Service APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, please refer to the Integrated Data Lake Service API Specification.

| API | Action Required |
|---|---|
| POST /generateUploadObjectUrls | mdsp:core:idl:prefix:write |
| POST /generateDownloadObjectUrls | mdsp:core:idl:prefix:read |
| DELETE /objects/{path} | mdsp:core:idl:prefix:delete |
| DELETE /deleteObjectsJobs | mdsp:core:idl:prefix:delete |
| POST /timeSeriesImportJobs | mdsp:core:iotservices:timeseries:read |

IoT File Service

Here is the list of IoT File Service APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, please refer to the IoT File Service API Specification.

| API | Action Required |
|---|---|
| PUT /files/{entityId}/{filepath} | mdsp:core:iotservices:files:write |
| GET /files/{entityId}/{filepath} | mdsp:core:iotservices:files:read |
| DELETE /files/{entityId}/{filepath} | mdsp:core:iotservices:files:delete |

IoT Time Series Service

Here is the list of IoT Time Series APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details, please refer to the IoT Time Series Service API Specification.

| API | API method | Action Required |
|---|---|---|
| To ingest timeseries data on a single Asset/Aspect | PUT | mdsp:core:iotservices:timeseries:write_normal |
| To ingest timeseries data on multiple Assets/Aspects | PUT | mdsp:core:iotservices:timeseries:write_multiassetmultiaspect |
| To import high-frequency timeseries data | POST | mdsp:core:iotservices:timeseries:write_bulk |
| To read ingested timeseries data | GET | mdsp:core:iotservices:timeseries:read |
| To delete timeseries data | DELETE | mdsp:core:iotservices:timeseries:delete |
| To read aggregated timeseries data | GET | mdsp:core:iotservices:timeseries:read |

Last update: November 27, 2023

Except where otherwise noted, content on this site is licensed under the Development License Agreement.