Authorization is handled separately

  • For Direct Device Integration (DDI) API, Device Management Federation (DMF) API, and Service Integration Event (SIE) API, a successful authentication includes full authorization
  • For Management API and Management UI, authorization is based on permissions.

Table of contents:

Management API and Management UI

The Bosch IoT Rollouts permissions grant access to different repository functionality and data.

By default, in the Cloud User scenario, a root user will be generated, including username and password. This root user is granted all permissions. Additional Bosch account registered users can be added by the User management view in the Management UI.

Delivered permissions

  • READ_/UPDATE_/CREATE_/DELETE_TARGETS for:
    • Target entities, including metadata (which includes also the installed and assigned distribution sets)
    • Target tags
    • Target actions
    • Target registration rules
    • Bulk operations
    • Target filters
  • READ_/UPDATE_/CREATE_/DELETE_REPOSITORY for:
    • Distribution sets
    • Software Modules
    • Artifacts
    • DS tags
  • READ_TARGET_SECURITY_TOKEN
    • Permission to read the target security token. The security token is security-sensitive and should be protected.
  • DOWNLOAD_REPOSITORY_ARTIFACT
    • Permission to download artifacts of a software module (Note: READ_REPOSITORY allows only to read the metadata).
  • TENANT_CONFIGURATION
    • Permission to administrate the tenant settings.
  • READ_/UPDATE_/CREATE_/DELETE_/HANDLE_ROLLOUT
    • Permission to provision targets through rollouts (not included in starter plan).
  • USER_MANAGEMENT
    • Access to the User Management view
    • Manage the permissions of users via UI and API
  • ROLE_MANAGEMENT
    • Access to the Role Management view
    • Manage the permissions of roles via UI and API
    • Replaces User Management if an own identity provider is configured

Permission matrix

Some use cases need more than one permission.

Use Case

Needed permissions

Search targets by installed or assigned distribution set

READ_TARGET, READ_REPOSITORY

Assign DS to a target

READ_REPOSITORY, UPDATE_TARGET

Assign DS to a target through a Rollout, i.e., Rollout creation, and start

READ_REPOSITORY, CREATE_ROLLOUT, HANDLE_ROLLOUT

Read a Rollout status, including its deployment groups

READ_ROLLOUT

Checks targets inside a Rollout deployment group

READ_TARGET, READ_ROLLOUT

Direct Device Integration API


An authenticated target is permitted to:

  • Retrieve commands from the server.
  • Provide feedback to the server.
  • Download artifacts that are assigned to it.

Device Management Federation API

The RabbitMQ vhost and user are provided with the necessary permissions to send messages to Rollouts via the exchange and receive messages from it through the specified queue. In addition, an application can create its own queues and exchanges, and, in combination with the reply-to header, tell Rollouts to send all messages to that setup.

In case the DMF API is disabled, the respective queues, exchanges, bindings, and messages will remain and will not be deleted.

Service Integration Event API

The RabbitMQ vhost and user are granted the necessary permissions to receive messages from Rollouts via the specified queue. The necessary queues, exchanges, and bindings are created automatically when the SIE API is enabled.

If the SIE API is later disabled, the respective exchanges, queues, and bindings are deleted, along with any messages in the queue.