We previously announced the beta of the gateway access control API. We are pleased to announce we have extended this capability to include other subjects. It is now possible, within the Watson IoT Platform, to define groups of devices and allocate access to users and applications to those device groups.
Building blocks for secure IoT solutions
At the inception of the Watson IoT Platform, it was possible for users and applications to carry out a wide range of actions on any of the devices and objects connected to the Watson IoT Platform. Over time we have delivered incremental security enhancements in response to feedback from, and collaboration with, Watson IoT Platform customers. We previously announced the ability to control access to the Watson IoT Platform by authorizing permissions to resources using predefined and custom roles for applications and users. This provided some level of control and flexibility, but a role applied to every device in the organization.
Incrementing security by design for the Watson IoT Platform
The latest improvements to the Watson IoT Platform allow you to control the access that specific subjects have to groups of devices that you define. In this release, the subjects that you can manage in relation to these access groups are members (users) and API keys (applications). With these new features, you can programmatically define groups of devices and then assign users and applications access to those devices. You can read the official documentation to find out more about the concepts and terminology, and to get an overview of resource-level access control in the Watson IoT Platform.
It is worth emphasizing that subjects with access to a group have access to all members of that group. A subject can be assigned access (and a role) to one or more resource groups.
A subject may have access to all the members of a group, but it can still only carry out actions permitted by the role and permissions that it has been granted. For example, a subject that has only reader access and is assigned to only one group will be able to see only the devices allocated to that group, and the data pertaining to those devices; it will not be able to modify or delete them, and it will not see devices in other groups.
This beta release targets a set of Watson IoT Platform APIs across different categories such as:
- Individual Device APIs: for example listing device types, or retrieving devices registered by a gateway
- Bulk Device APIs: for example listing and deleting devices in bulk
- Device Management APIs: for example listing and viewing device management requests and device details
- Problem Determination APIs: for example retrieving connection logs, or adding device error codes
- Last Event Cache APIs: for example getting a list of events or specific events for devices from the last event cache

More information about the specific scope of this beta is captured in the ‘APIs where resource-level access control is enforced’ section of the official documentation.

There is a simple process flow, as indicated below and documented in detail in the official documentation, for configuring resource-level access control.
If you do not enable and configure resource-level access control, users and applications continue to operate unrestricted, meaning that they can access and manage all devices within their Watson IoT Platform organization. Enabling the feature therefore only tightens access; it does not change anything until groups are defined and subjects are assigned to them.
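To make the group, subject and role rules above concrete, here is a small Python model of the authorization decision they describe. It is an added example, not the Watson IoT Platform's own code or API: the role names and their permitted actions, the device and subject identifiers, and the `Organization` class are illustrative assumptions. It also assumes that once resource-level access control is enabled, a subject with no group assignment gets no device access; the page only states the behaviour for the unconfigured case.

```python
"""Illustrative model of resource-level access control (RLAC).

Added example; not Watson IoT Platform code. Roles, permissions and
identifiers below are assumptions chosen for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"


# Assumed role -> permitted actions mapping (the platform's predefined
# roles are richer than this; these three are enough to show the point).
ROLE_PERMISSIONS: dict[str, set[Action]] = {
    "reader": {Action.READ},
    "operator": {Action.READ, Action.UPDATE},
    "administrator": {Action.READ, Action.UPDATE, Action.DELETE},
}


@dataclass
class Organization:
    """One organization: its devices, resource groups and subject grants."""

    devices: set[str] = field(default_factory=set)             # "typeId:deviceId"
    groups: dict[str, set[str]] = field(default_factory=dict)  # group -> device ids
    # subject -> {group -> role}: a subject may hold a role on several groups
    grants: dict[str, dict[str, str]] = field(default_factory=dict)
    rlac_enabled: bool = False

    def register_device(self, device_id: str) -> None:
        self.devices.add(device_id)

    def create_group(self, group: str) -> None:
        self.groups.setdefault(group, set())

    def add_to_group(self, group: str, device_id: str) -> None:
        if device_id not in self.devices:
            raise KeyError(f"unknown device {device_id}")
        self.groups[group].add(device_id)

    def grant(self, subject: str, group: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.grants.setdefault(subject, {})[group] = role

    def is_allowed(self, subject: str, action: Action, device_id: str) -> bool:
        """Decide whether `subject` may perform `action` on `device_id`."""
        if device_id not in self.devices:
            return False
        if not self.rlac_enabled:
            # Page: without RLAC configured, subjects are unrestricted.
            return True
        # With RLAC on, access flows only through a group the subject holds
        # a role on, and only for actions that role permits. Access to a
        # group implies access to every device in it.
        for group, role in self.grants.get(subject, {}).items():
            if device_id in self.groups.get(group, set()):
                if action in ROLE_PERMISSIONS[role]:
                    return True
        return False

    def visible_devices(self, subject: str) -> set[str]:
        """Devices a subject would see in a listing call."""
        return {d for d in self.devices if self.is_allowed(subject, Action.READ, d)}


def build_demo_org() -> Organization:
    """Constructed sample organization: two buildings, three devices."""
    org = Organization(rlac_enabled=True)
    for dev in ("sensor:temp-01", "sensor:temp-02", "gateway:gw-01"):
        org.register_device(dev)
    org.create_group("building-a")
    org.create_group("building-b")
    org.add_to_group("building-a", "sensor:temp-01")
    org.add_to_group("building-a", "gateway:gw-01")
    org.add_to_group("building-b", "sensor:temp-02")
    # An application API key that may only read building A.
    org.grant("apikey:a-abc123", "building-a", "reader")
    # A user who administers building A but may only read building B.
    org.grant("user:ops@example.com", "building-a", "administrator")
    org.grant("user:ops@example.com", "building-b", "reader")
    return org


if __name__ == "__main__":
    org = build_demo_org()
    for subject in ("apikey:a-abc123", "user:ops@example.com", "user:nobody@example.com"):
        print(subject, sorted(org.visible_devices(subject)))
```

Running the module prints, for each subject, the devices a listing call would return: the reader API key sees only building A, the operations user sees both buildings, and a subject with no grants sees nothing. The same `is_allowed` check is what you would expect the enforced APIs (device listing, bulk delete, last event cache and so on) to apply before returning or modifying a device.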
We encourage you to explore these beta features and provide feedback.