
Required Policy actions by MindSphere services

Protecting business resources (such as Assets, Events, IoT Files, TimeSeries data, and Data Lake files/folders) requires certain mandatory actions to be specified in Policy definitions; if the required action is missing, the operation is denied.

MindSphere API access is controlled at two levels: role-based and policy-based.

Role based access control

To access any MindSphere API, a user needs to have the respective roles listed in Roles & Scopes for Applications.

Policy based access control

Secure Data Sharing (SDS) enables you to create and manage fine-grained access rights. It is based on the industry-standard Policy Based Access Control (PBAC) paradigm. A policy describes a given set of subjects that is allowed to perform a given set of actions on a specified set of resources.
If a tenant is SDS (Secure Data Sharing) enabled, then because of the "denial by default" approach, a user who holds the roles needed to manage resources is still unable to perform operations on some of the service APIs unless a policy grants the required action. Details about SDS and how to create a policy can be found in MindSphere Policies.

Note

  • For more details about actions and their dependencies, refer to Action Details and Dependencies among Actions
  • Dependent action(s) need to be explicitly added in the Policy definition along with the parent action; the dependency is not resolved automatically

The following sections describe the mandatory action(s) required by respective MindSphere service APIs.

Asset Management

Here is the list of Asset Management APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details please refer to the Asset Management API Specification

API Action Required
GET /assets
  • mdsp:core:assetmanagement:asset:read
POST /assets
  • mdsp:core:assetmanagement:asset:write (on parent asset)
GET /assets/{id}
  • mdsp:core:assetmanagement:asset:read
PUT /assets/{id}
  • mdsp:core:assetmanagement:asset:write
PATCH /assets/{id}
  • mdsp:core:assetmanagement:asset:write
DELETE /assets/{id}
  • mdsp:core:assetmanagement:asset:write
POST /assets/{id}/move
  • mdsp:core:assetmanagement:asset:write (on new parent asset; and also on the asset being moved)
PUT /assets/{id}/fileAssignments/{key}
  • mdsp:core:assetmanagement:asset:read
DELETE /assets/{id}/fileAssignments/{key}
  • mdsp:core:assetmanagement:asset:read
GET /assets/{id}/variables
  • mdsp:core:assetmanagement:asset:read
GET /assets/{id}/aspects
  • mdsp:core:assetmanagement:asset:read
PUT /assets/{id}/location
  • mdsp:core:assetmanagement:asset:write
DELETE /assets/{id}/location
  • mdsp:core:assetmanagement:asset:read

Exceptions

  • Only the /assets APIs are SDS enabled; the /assettypes and /aspecttypes APIs are not.
  • The Root Assets are the assets with the asset type core.basicenterprise; these assets are visible without any policy definition.
  • A user having the role Tenant-Administrator is allowed unrestricted access to all the assets of the tenant.
  • A technical user has unrestricted access to all the assets of the tenant.
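The two-level check described above (role check first, then a policy check that denies by default, with the listed exceptions) can be modelled offline. The following is an added example, not MindSphere code: it encodes the Asset Management table from this page and evaluates a request against a constructed tenant. The request and policy shapes (`Rule`, `User`, `Asset`), the role name `assetmanagement.user`, the body fields `parentId` and `newParentId`, and the treatment of `GET /assets` as a server-side filtered listing are assumptions made for the example.

```python
"""Offline model of MindSphere's role + policy (deny by default) access check.

Added example, not MindSphere code. Data shapes, the role name and the
request body fields are assumptions; the route table is taken from this page.
"""
import re
from dataclasses import dataclass

ASSET_READ = "mdsp:core:assetmanagement:asset:read"
ASSET_WRITE = "mdsp:core:assetmanagement:asset:write"
ROOT_TYPE = "core.basicenterprise"          # root assets: visible without a policy
TENANT_ADMIN = "Tenant-Administrator"       # unrestricted under SDS
REQUIRED_ROLE = "assetmanagement.user"      # assumed placeholder for the RBAC role

# (method, path template) -> required action, from the Asset Management table.
ROUTE_ACTIONS = {
    ("GET", "/assets"): ASSET_READ,
    ("POST", "/assets"): ASSET_WRITE,                 # evaluated on the parent asset
    ("GET", "/assets/{id}"): ASSET_READ,
    ("PUT", "/assets/{id}"): ASSET_WRITE,
    ("PATCH", "/assets/{id}"): ASSET_WRITE,
    ("DELETE", "/assets/{id}"): ASSET_WRITE,
    ("POST", "/assets/{id}/move"): ASSET_WRITE,       # on moved asset AND new parent
    ("PUT", "/assets/{id}/fileAssignments/{key}"): ASSET_READ,
    ("DELETE", "/assets/{id}/fileAssignments/{key}"): ASSET_READ,
    ("GET", "/assets/{id}/variables"): ASSET_READ,
    ("GET", "/assets/{id}/aspects"): ASSET_READ,
    ("PUT", "/assets/{id}/location"): ASSET_WRITE,
    ("DELETE", "/assets/{id}/location"): ASSET_READ,
}

@dataclass
class Asset:
    id: str
    type_id: str
    parent_id: str = ""

@dataclass
class User:
    name: str
    roles: set
    technical: bool = False

@dataclass
class Rule:
    """One policy statement: `subject` may perform `actions` on `resources` (assumed shape)."""
    subject: str
    actions: set
    resources: set

def match_route(method, path):
    """Return (template, path params) for the first route template matching `path`."""
    for (m, template) in ROUTE_ACTIONS:
        if m != method:
            continue
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        found = re.match(pattern, path)
        if found:
            return template, found.groupdict()
    return None, {}

def target_assets(method, template, params, body):
    """Resources the action is evaluated on: creation uses the parent, move uses both."""
    if template == "/assets":
        return [body["parentId"]] if method == "POST" else []   # listing: filtered server-side
    if template == "/assets/{id}/move":
        return [params["id"], body["newParentId"]]
    return [params["id"]]

def policy_grants(user, action, asset_id, rules):
    return any(r.subject == user.name and action in r.actions and asset_id in r.resources
               for r in rules)

def authorize(user, method, path, body, assets, rules, sds_enabled=True):
    """Return (allowed, reason). Level 1 is the role check, level 2 the policy check."""
    if REQUIRED_ROLE not in user.roles:
        return False, "missing role"
    template, params = match_route(method, path)
    if template is None:
        return False, "unknown route"
    if not sds_enabled:
        return True, "role only (tenant not SDS enabled)"
    if TENANT_ADMIN in user.roles or user.technical:
        return True, "SDS exception: Tenant-Administrator or technical user"
    action = ROUTE_ACTIONS[(method, template)]
    for aid in target_assets(method, template, params, body):
        asset = assets.get(aid)
        if asset is None:
            return False, f"unknown asset {aid}"
        if action == ASSET_READ and asset.type_id == ROOT_TYPE:
            continue                      # root assets are visible without a policy
        if not policy_grants(user, action, aid, rules):
            return False, f"deny by default: {action} not granted on {aid}"
    return True, f"policy grants {action}"

# Constructed sample tenant: a root enterprise asset, a site, and a device under it.
ASSETS = {
    "root": Asset("root", ROOT_TYPE),
    "plant": Asset("plant", "core.basicsite", "root"),
    "pump1": Asset("pump1", "core.basicdevice", "plant"),
}
RULES = [Rule("alice", {ASSET_READ}, {"plant", "pump1"}),
         Rule("alice", {ASSET_WRITE}, {"pump1"})]
ALICE = User("alice", {REQUIRED_ROLE})
BOB = User("bob", {REQUIRED_ROLE})                      # role, but no policy
ADMIN = User("admin", {REQUIRED_ROLE, TENANT_ADMIN})

if __name__ == "__main__":
    print(authorize(BOB, "GET", "/assets/pump1", {}, ASSETS, RULES))
    print(authorize(ALICE, "POST", "/assets/pump1/move", {"newParentId": "plant"}, ASSETS, RULES))
```

The move case is the one to note: alice holds write on `pump1` but only read on `plant`, so moving `pump1` under `plant` is denied even though every individual asset in the request is visible to her. Bob has the role but no policy at all, so under SDS he sees only the root asset; disabling SDS for the tenant makes the role check alone sufficient.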

Event Management

Here is the list of Event Management APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details please refer to the Event Management API Specification

API Action Required
GET /events
  • mdsp:core:eventmanagement:event:allow
POST /events
  • mdsp:core:eventmanagement:event:allow
GET /events/{eventId}
  • mdsp:core:eventmanagement:event:allow
PUT /events/{eventId}
  • mdsp:core:eventmanagement:event:allow
POST /createEventsJobs
  • mdsp:core:eventmanagement:event:allow

Exceptions

  • Only the events APIs are SDS enabled; the EventType APIs are not.
  • Assets with an asset type such as core.basicenterprise, core.basicsubtenant or core.sharerenterprise are root assets.
  • All event operations for such root assets can be performed without any policy definition.
  • A user having the role Tenant-Administrator is allowed unrestricted access to all the events of the tenant.
  • A technical user has unrestricted access to all the events of the tenant.

Integrated Data Lake Service

Here is the list of Integrated Data Lake Service APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details please refer to the Integrated Data Lake Service API Specification

API Action Required
POST /generateUploadObjectUrls
  • mdsp:core:idl:prefix:write
POST /generateDownloadObjectUrls
  • mdsp:core:idl:prefix:read
DELETE /objects/{path}
  • mdsp:core:idl:prefix:delete
DELETE /deleteObjectsJobs
  • mdsp:core:idl:prefix:delete
POST /timeSeriesImportJobs
  • mdsp:core:iotservices:timeseries:read

IoT File Service

Here is the list of IoT File Service APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details please refer to the IoT File Service API Specification

API Action Required
PUT /files/{entityId}/{filepath}
  • mdsp:core:iotservices:files:write
GET /files/{entityId}/{filepath}
  • mdsp:core:iotservices:files:read
DELETE /files/{entityId}/{filepath}
  • mdsp:core:iotservices:files:delete

IoT Time Series Service

Here is the list of IoT Time Series APIs that are protected through Resource Access Management policies, along with the required fine-grained actions. For further API details please refer to the IoT Time Series Service API Specification

API method (operation) and Action Required
PUT (ingest time series data on a single asset/aspect)
  • mdsp:core:iotservices:timeseries:write_normal
PUT (ingest time series data on multiple assets/aspects)
  • mdsp:core:iotservices:timeseries:write_multiassetmultiaspect
POST (import high-frequency time series data)
  • mdsp:core:iotservices:timeseries:write_bulk
GET (read ingested time series data)
  • mdsp:core:iotservices:timeseries:read
DELETE (delete time series data)
  • mdsp:core:iotservices:timeseries:delete
GET (read aggregated time series data)
  • mdsp:core:iotservices:timeseries:read


Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.


Last update: April 1, 2022