I’m pleased to announce that we now have an Access Control API for Gateways available in Beta.

This feature builds on our existing Gateway support, which allows you to register and connect gateway devices to the Watson IoT Platform and lets gateways act on behalf of their attached devices. Gateways can send events on behalf of attached devices, listen for commands and actions intended for attached devices, and even allow new devices to be registered with the platform automatically.

However, sometimes you need to control more tightly exactly which devices are permitted to communicate through a gateway. That is often because gateways run in distant locations, where they are more exposed to compromise. It’s important to be able to limit the capability of any device that might become compromised. The new Gateway Access Control API lets you control exactly which devices are allowed to communicate through a gateway:


Once you’ve registered a gateway, you can switch it from the more permissive privileged gateway role (PD_PRIVILEGED_GW_DEVICE) to the standard gateway role (PD_STANDARD_GW_DEVICE). In the example below a gateway called “MyLimitedGateway” with a type of “MyGateway” in organisation xfd8ls is assigned the standard gateway role.

PUT https://xfd8ls.internetofthings.ibmcloud.com/api/v0002/authorization/devices/g%3Axfd8ls%3AMyGateway%3AMyLimitedGateway/roles
BODY:
{
  "roles": [
    {
      "roleId": "PD_STANDARD_GW_DEVICE",
      "roleStatus": 1
    }
  ],
  "rolesToGroups": {}
}

RESPONSE: 200 OK 
{
  "roles": [
    {
      "roleId": "PD_STANDARD_GW_DEVICE",
      "roleStatus": 1
    }
  ],
  "rolesToGroups": {
    "PD_STANDARD_GW_DEVICE": [
      "gw_def_res_grp:xfd8ls:MyGateway:MyLimitedGateway"
    ]
  }
}

This action automatically creates an empty group of devices – a device needs to be a member of that group to be able to communicate via the gateway. You can see the group is specified in the response as “gw_def_res_grp:xfd8ls:MyGateway:MyLimitedGateway”.

You can then add devices to the group; in this example we add a device “dev2” of type “PI”:

PUT https://xfd8ls.internetofthings.ibmcloud.com/api/v0002/bulk/devices/gw_def_res_grp%3Axfd8ls%3AMyGateway%3AMyLimitedGateway/add
BODY:
[
  {
    "typeId": "PI",
    "deviceId": "dev2"
  }
]

RESPONSE: 200 OK 
[
  {
    "typeId": "PI",
    "deviceId": "dev2",
    "success": true
  }
]

Only those devices in the group can communicate through the gateway.

We can check the current members of the group:

GET https://xfd8ls.internetofthings.ibmcloud.com/api/v0002/bulk/devices/gw_def_res_grp%3Axfd8ls%3AMyGateway%3AMyLimitedGateway

RESPONSE: 200 OK 
{
  "results": [
    {
      "clientId": "d:xfd8ls:PI:dev2",
      "typeId": "PI",
      "deviceId": "dev2",
      "deviceInfo": {
        "serialNumber": "111111"
      },
      "registration": {
        "auth": {
          "id": "bernard@uk.ibm.com",
          "type": "person"
        },
        "date": "2015-10-05T10:51:35.000Z"
      },
      "groups": [
        "gw_def_res_grp:xfd8ls:MyGateway:MyLimitedGateway"
      ],
      "status": {
        "alert": {
          "enabled": false,
          "timestamp": "2015-10-05T10:51:35.756Z"
        }
      },
      "refs": {
        "diag": {
          "logs": "/api/v0002/device/types/PI/devices/dev2/diag/logs",
          "errorCodes": "/api/v0002/device/types/PI/devices/dev2/diag/errorCodes"
        },
        "location": "/api/v0002/device/types/PI/devices/dev2/location"
      }
    }
  ],
  "meta": {
    "facets": {},
    "total_rows": 1
  }
}
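The three calls above, as an added example that is not part of the original post or the platform’s SDK: helper functions that build the role-change and group-add requests exactly as shown (URL-encoding the gateway client id and group name), plus an audit check that compares the group listing returned by the GET call against the devices you intended to allow. The org, gateway and device names are those from the post; “dev9” and the audit function are constructed here and are not part of the platform API. Sending the requests with your API key is left to the caller.

```python
from urllib.parse import quote

API_BASE = "https://{org}.internetofthings.ibmcloud.com/api/v0002"


def gateway_client_id(org, type_id, device_id):
    """Client id of a gateway device: g:<org>:<typeId>:<deviceId>."""
    return f"g:{org}:{type_id}:{device_id}"


def default_group(org, type_id, device_id):
    """Name of the group the platform creates for a standard gateway."""
    return f"gw_def_res_grp:{org}:{type_id}:{device_id}"


def standard_role_request(org, type_id, device_id):
    """URL and JSON body of the PUT that moves a gateway to PD_STANDARD_GW_DEVICE."""
    client_id = quote(gateway_client_id(org, type_id, device_id), safe="")
    url = f"{API_BASE.format(org=org)}/authorization/devices/{client_id}/roles"
    body = {"roles": [{"roleId": "PD_STANDARD_GW_DEVICE", "roleStatus": 1}],
            "rolesToGroups": {}}
    return url, body


def add_devices_request(org, group, devices):
    """URL and body of the bulk PUT that adds (typeId, deviceId) pairs to a group."""
    url = f"{API_BASE.format(org=org)}/bulk/devices/{quote(group, safe='')}/add"
    body = [{"typeId": t, "deviceId": d} for t, d in devices]
    return url, body


def audit_group(listing, allowed):
    """Compare a GET /bulk/devices/<group> response with the intended allowlist.

    Returns (unexpected, missing): members that should not be there, and
    allowed devices that are not yet in the group. A non-empty 'unexpected'
    set means a device can talk through the gateway that you did not intend.
    """
    members = {(r["typeId"], r["deviceId"]) for r in listing["results"]}
    allowed = set(allowed)
    return members - allowed, allowed - members


# Constructed sample listing (only the fields the audit needs); dev9 is an
# extra member added here to show the check catching it.
SAMPLE_LISTING = {
    "results": [
        {"clientId": "d:xfd8ls:PI:dev2", "typeId": "PI", "deviceId": "dev2"},
        {"clientId": "d:xfd8ls:PI:dev9", "typeId": "PI", "deviceId": "dev9"},
    ],
    "meta": {"facets": {}, "total_rows": 2},
}
```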

For full details of access control with gateways, see the documentation.

This is Beta capability and we welcome feedback on the features and usability.
