Table of contents:

Introduction

Authorization is controlled via roles or scopes provided within the OAuth2 Json Web Token. The management of these roles or scopes and how the user can request them is in the responsibility of the customer and their Identity Provider (e.g. Bosch IdM, or Bosch User Hub). The mapping of roles provided in the JWT and the SOUP roles is done via the SOUP Tenant configuration.

Roles

Role name	Description	Interface
SYSTEM_ADMIN	Role for managing the tenant configuration (e.g. validation rules, template). Therefore, access to tenant configuration.	Management API/UI
TAG_ADMIN	Role for managing tags (e.g. to group recipes for dedicated products). Therefore, access to tags including their visibility to systems.	Management API/UI
APPROVE	Role for implementing 4-eyes principle before releasing a recipe. Therefore, full read access on recipes to inspect the recipe which shall be approved. In addition, possibility to approve or deny the requested release.	Management API/UI
TEST_INSTALLER	Full access to Install API. Access to recipes in state RELEASE_CANDIDATE, RELEASED, REVOKED, INACTIVE	Install API
BASIC	Role for general read access.	Management API/UI
UPDATE_COORDINATOR	Role for managing recipes. Therefore, full access on recipes and read access to systems.	Management API/UI

Scopes

Scope name	Description	Interface
management-full-access	Full access to Management API.	Management API
management-advanced-access	Technical access similar to Update Coordinator role, for managing recipes from CI/CD.	Management API
management-basic-access	Read-only access for reporting or monitoring purposes.	Management API
install-access	Access to Install API, with recipes in state `RELEASED`, `REVOKED`, `INACTIVE`.	Install API
install-test-access	Access to Install API, with recipes in state `RELEASE_CANDIDATE`, `RELEASED`, `REVOKED`, `INACTIVE`.	Install API

API to role and scope mapping

Install API - Recipes	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/install/v1/recipes	-	-	-		-	-			-	-	-
[GET] /api/install/v1/recipes/{recipeId}	-	-	-		-	-			-	-	-
[GET] /api/install/v1/recipes/{recipeId}/signatures	-	-	-		-	-			-	-	-
[GET] /api/install/v1/recipes/{recipeId}/signatures/{signatureId}/file	-	-	-		-	-			-	-	-
[GET] /api/install/v1/recipes/{recipeId}/signature	-	-	-		-	-			-	-	-
[GET] /api/install/v1/recipes/{recipeId}/file	-	-	-		-	-			-	-	-

Install API - System Feedback	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[POST] /api/install/v1/system-reports	-	-	-		-	-			-	-	-
[POST] /api/install/v1/update-reports	-	-	-		-	-			-	-	-

Install API - Artifacts	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/install/v1/software-artifacts/{artifactId}/file	-	-	-		-	-			-	-	-

Install API - Module Configuration	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/install/v1/module-config	-	-	-		-	-			-	-	-

Management API - Systems	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/systems	-	-	-	-			-	-
[DELETE] /api/mgmt/v1/systems	-	-	-	-	-		-	-		-	-
[GET] /api/mgmt/v1/systems/{systemId}	-	-	-	-			-	-
[DELETE] /api/mgmt/v1/systems/{systemId}	-	-	-	-	-		-	-		-	-
[GET] /api/mgmt/v1/system-actions	-	-	-	-			-	-
[GET] /api/mgmt/v1/system-actions/{systemActionId}	-	-	-	-			-	-
[GET] /api/mgmt/v1/system-actions/{systemActionId}/status	-	-	-	-			-	-

Management API - Modules	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/modules	-	-	-	-			-	-
[DELETE] /api/mgmt/v1/modules	-	-	-	-	-		-	-		-	-
[GET] /api/mgmt/v1/modules/{moduleId}	-	-	-	-			-	-
[DELETE] /api/mgmt/v1/modules/{moduleId}	-	-	-	-	-		-	-		-	-

Management API - Recipe Tags	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/recipe-tags	-		-	-			-	-
[POST] /api/mgmt/v1/recipe-tags	-		-	-	-	-	-	-		-	-
[GET] /api/mgmt/v1/recipe-tags/{id}	-		-	-			-	-
[PUT] /api/mgmt/v1/recipe-tags/{recipeTagId}	-		-	-	-	-	-	-		-	-
[DELETE] /api/mgmt/v1/recipe-tags/{recipeTagId}	-		-	-	-	-	-	-		-	-

Management API - Tenant Configuration	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/tenant-config		-	-	-	-	-	-	-		-	-
[POST] /api/mgmt/v1/tenant-config		-	-	-	-	-	-	-		-	-
[GET] /api/mgmt/v1/tenant-config/{configKey}		-	-	-	-	-	-	-		-	-
[POST] /api/mgmt/v1/tenant-config/{configKey}		-	-	-	-	-	-	-		-	-

Management API - Jobs	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/jobs/recipe-match	-	-		-			-	-

Management API - Recipes	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/recipes	-	-		-			-	-
[POST] /api/mgmt/v1/recipes	-	-	-	-	-		-	-			-
[GET] /api/mgmt/v1/recipes/import	-	-	-	-	-		-	-			-
[GET] /api/mgmt/v1/recipes/{recipeId}	-	-		-			-	-
[PUT] /api/mgmt/v1/recipes/{recipeId}	-	-	-	-	-		-	-			-
[DELETE] /api/mgmt/v1/recipes/{recipeId}	-	-	-	-	-		-	-		-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/export	-	-	-	-			-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/clone	-	-	-	-	-		-	-			-
[GET] /api/mgmt/v1/recipes/{recipeId}/metadata	-	-		-			-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/metadata	-	-	-	-	-		-	-			-
[GET] /api/mgmt/v1/recipes/{recipeId}/file	-	-		-			-	-

Management API - Recipes - Tags	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/recipes/{recipeId}/tags	-	-		-			-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/tags	-	-	-	-	-		-	-			-
[DELETE] /api/mgmt/v1/recipes/{recipeId}/tags	-	-	-	-	-		-	-		-	-

Management API - Recipes - System Distribution Sets	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets	-	-		-			-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets	-	-	-	-	-		-	-			-
[GET] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId}	-	-		-			-	-
[PUT] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId}	-	-	-	-	-		-	-			-
[DELETE] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId}	-	-	-	-	-		-	-		-	-
[GET] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId}/metadata	-	-		-			-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId}/metadata	-	-	-	-	-		-	-			-

Management API - Recipes - Module Update Definitions	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions	-	-		-			-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions	-	-	-	-	-		-	-			-
[GET] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}	-	-		-			-	-
[PUT] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}	-	-	-	-	-		-	-			-
[DELETE] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}	-	-	-	-	-		-	-		-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}/up	-	-	-	-	-		-	-			-
[POST] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}/down	-	-	-	-	-		-	-			-
[GET] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}/metadata	-	-		-			-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}/metadata	-	-	-	-	-		-	-			-

Management API - Recipe - Signatures	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[GET] /api/mgmt/v1/recipes/{recipeId}/signatures	-	-		-			-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/signatures	-	-	-	-	-		-	-			-
[GET] /api/mgmt/v1/recipes/{recipeId}/signatures/{signatureId}	-	-		-			-	-
[DELETE] /api/mgmt/v1/recipes/{recipeId}/signatures/{signatureId}	-	-	-	-	-		-	-		-	-
[GET] /api/mgmt/v1/recipes/{recipeId}/signatures/{signatureId}/file	-	-		-			-	-

Management API - Recipe - Lifecycle	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[POST] /api/mgmt/v1/recipes/{recipeId}/revoke	-	-	-	-	-		-	-		-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/release	-	-	-	-	-		-	-		-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/promote	-	-	-	-	-		-	-			-
[POST] /api/mgmt/v1/recipes/{recipeId}/deny	-	-		-	-		-	-		-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/demote	-	-	-	-	-		-	-			-
[POST] /api/mgmt/v1/recipes/{recipeId}/deactivate	-	-	-	-	-		-	-		-	-
[POST] /api/mgmt/v1/recipes/{recipeId}/approve	-	-		-	-	-	-	-		-	-

Management API - Recipe - Validation	SYSTEM_ADMIN	TAG_ADMIN	APPROVE	TEST_INSTALLER	BASIC	UPDATE_COORDINATOR	install-access	install-test-access	management-full-access	management-advanced-access	management-basic-access
[POST] /api/mgmt/v1/recipes/{recipeId}/validate	-	-	-	-	-		-	-			-
[GET] /api/mgmt/v1/recipes/{recipeId}/validation-report	-	-		-			-	-

Example OAuth2 JSON web token

The roles are listed in the ext section of the JWT token under com.bosch.roles. Scopes can be found in the scp section.

{
  "aud": [],
  "client_id": "{client_id}",
  "exp": 1706666674,
  "ext": {
    "com.bosch.roles": [
      "IDM2BCD_SOUP_12345678_SYSTEM_ADMIN",
      "IDM2BCD_SOUP_12345678_TAG_ADMIN",
      "IDM2BCD_SOUP_12345678_APPROVER",
      "IDM2BCD_SOUP_12345678_UPDATE_COORDINATOR", 
      "IDM2BCD_XXXXXXXXXXX"
    ],
    "email": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "orig_guid": {
      "sub": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    },
    "orig_id": {
      "idp_id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "iss": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "sub": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "username": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    }
  },
  "iat": 1706623474,
  "iss": "https://access.bosch-iot-rollouts.com",
  "jti": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "nbf": 1706623474,
  "scp": [
    "tenant.<tenantid>/soup/management-full-access",
    "service:iot-rollouts-soup:<tenantid>/install-access",
    "offline_access"
  ],
  "sub": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}