SOUP Authorization
Table of contents:
Introduction
Authorization is controlled via roles or scopes provided within the OAuth2 Json Web Token. The management of these roles or scopes and how the user can request them is in the responsibility of the customer and their Identity Provider (e.g. Bosch IdM, or Bosch User Hub).
Roles
|
Role name |
Description |
Interface |
|
SYSTEM_ADMIN |
Role for managing the tenant configuration (e.g. validation rules, template). Therefore, access to tenant configuration. |
Management API/UI |
|
TAG_ADMIN |
Role for managing tags (e.g. to group recipes for dedicated products). Therefore, access to tags including their visibility to systems. |
Management API/UI |
|
APPROVE |
Role for implementing 4-eyes principle before releasing a recipe. Therefore, full read access on recipes to inspect the recipe which shall be approved. In addition, possibility to approve or deny the requested release. |
Management API/UI |
|
TEST_INSTALLER |
Full access to Install API. Access to recipes in state RELEASE_CANDIDATE, RELEASED, REVOKED, INACTIVE |
Install API |
|
BASIC |
Role for general read access. |
Management API/UI |
|
UPDATE_COORDINATOR |
Role for managing recipes. Therefore, full access on recipes and read access to systems. |
Management API/UI |
Scopes
|
Scope name |
Description |
Interface |
|
management-full-access |
Full access to Management API. |
Management API |
|
management-advanced-access |
Technical access similar to Update Coordinator role, for managing recipes from CI/CD. |
Management API |
|
management-basic-access |
Read-only access for reporting or monitoring purposes. |
Management API |
|
install-access |
Access to Install API, with recipes in state RELEASED, REVOKED, INACTIVE. |
Install API |
|
install-test-access |
Access to Install API, with recipes in state RELEASE_CANDIDATE, RELEASED, REVOKED, INACTIVE. |
Install API |
API to role and scope mapping
|
Install API - Recipes |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/install/v1/recipes |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
[GET] /api/install/v1/recipes/{recipeId} |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
[GET] /api/install/v1/recipes/{recipeId}/signatures |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
[GET] /api/install/v1/recipes/{recipeId}/signatures/{signatureId}/file |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
[GET] /api/install/v1/recipes/{recipeId}/signature |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
[GET] /api/install/v1/recipes/{recipeId}/file |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Install API - System Feedback |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[POST] /api/install/v1/system-reports |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
[POST] /api/install/v1/update-reports |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Install API - Artifacts |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/install/v1/software-artifacts/{artifactId}/file |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Install API - Recipe Tags |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/install/v1/recipe-tags |
- |
- |
- |
|
- |
- |
|
|
- |
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Systems |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/systems |
- |
- |
- |
- |
|
|
- |
- |
|
|
|
|
[DELETE] /api/mgmt/v1/systems |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[GET] /api/mgmt/v1/systems/{systemId} |
- |
- |
- |
- |
|
|
- |
- |
|
|
|
|
[DELETE] /api/mgmt/v1/systems/{systemId} |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[GET] /api/mgmt/v1/system-actions |
- |
- |
- |
- |
|
|
- |
- |
|
|
|
|
[GET] /api/mgmt/v1/system-actions/{systemActionId} |
- |
- |
- |
- |
|
|
- |
- |
|
|
|
|
[GET] /api/mgmt/v1/system-actions/{systemActionId}/status |
- |
- |
- |
- |
|
|
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Modules |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/modules |
- |
- |
- |
- |
|
|
- |
- |
|
|
|
|
[DELETE] /api/mgmt/v1/modules |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[GET] /api/mgmt/v1/modules/{moduleId} |
- |
- |
- |
- |
|
|
- |
- |
|
|
|
|
[DELETE] /api/mgmt/v1/modules/{moduleId} |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Recipe Tags |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/recipe-tags |
- |
|
- |
- |
|
|
- |
- |
|
|
|
|
[POST] /api/mgmt/v1/recipe-tags |
- |
|
- |
- |
- |
- |
- |
- |
|
- |
- |
|
[GET] /api/mgmt/v1/recipe-tags/{id} |
- |
|
- |
- |
|
|
- |
- |
|
|
|
|
[PUT] /api/mgmt/v1/recipe-tags/{recipeTagId} |
- |
|
- |
- |
- |
- |
- |
- |
|
- |
- |
|
[DELETE] /api/mgmt/v1/recipe-tags/{recipeTagId} |
- |
|
- |
- |
- |
- |
- |
- |
|
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Tenant Configuration |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/tenant-config |
|
- |
- |
- |
- |
- |
- |
- |
|
- |
- |
|
[POST] /api/mgmt/v1/tenant-config |
|
- |
- |
- |
- |
- |
- |
- |
|
- |
- |
|
[GET] /api/mgmt/v1/tenant-config/{configKey} |
|
- |
- |
- |
- |
- |
- |
- |
|
- |
- |
|
[POST] /api/mgmt/v1/tenant-config/{configKey} |
|
- |
- |
- |
- |
- |
- |
- |
|
- |
- |
|
|
|||||||||||
|
Management API - Jobs |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/jobs/recipe-match |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Recipes |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/recipes |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[POST] /api/mgmt/v1/recipes |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId} |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[PUT] /api/mgmt/v1/recipes/{recipeId} |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[DELETE] /api/mgmt/v1/recipes/{recipeId} |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/clone |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/metadata |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[POST] /api/mgmt/v1/recipes/{recipeId}/metadata |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/file |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Recipes - Tags |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/tags |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[POST] /api/mgmt/v1/recipes/{recipeId}/tags |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[DELETE] /api/mgmt/v1/recipes/{recipeId}/tags |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Recipes - System Distribution Sets |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[POST] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId} |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[PUT] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId} |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[DELETE] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId} |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId}/metadata |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[POST] /api/mgmt/v1/recipes/{recipeId}/system-distribution-sets/{sysDsId}/metadata |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Recipes - Module Update Definitions |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[POST] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId} |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[PUT] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId} |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[DELETE] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId} |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}/up |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}/down |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}/metadata |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[POST] /api/mgmt/v1/recipes/{recipeId}/module-update-definitions/{modDefId}/metadata |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Recipe - Signatures |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/signatures |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[POST] /api/mgmt/v1/recipes/{recipeId}/signatures |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/signatures/{signatureId} |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
[DELETE] /api/mgmt/v1/recipes/{recipeId}/signatures/{signatureId} |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/signatures/{signatureId}/file |
- |
- |
|
- |
|
|
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Recipe - Lifecycle |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/revoke |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/release |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/promote |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/deny |
- |
- |
|
- |
- |
|
- |
- |
|
- |
- |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/demote |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/deactivate |
- |
- |
- |
- |
- |
|
- |
- |
|
- |
- |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/approve |
- |
- |
|
- |
- |
- |
- |
- |
|
- |
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Management API - Recipe - Validation |
SYSTEM_ADMIN |
TAG_ADMIN |
APPROVE |
TEST_INSTALLER |
BASIC |
UPDATE_COORDINATOR |
install-access |
install-test-access |
management-full-access |
management-advanced-access |
management-basic-access |
|
[POST] /api/mgmt/v1/recipes/{recipeId}/validate |
- |
- |
- |
- |
- |
|
- |
- |
|
|
- |
|
[GET] /api/mgmt/v1/recipes/{recipeId}/validation-report |
- |
- |
|
- |
|
|
- |
- |
|
|
|
Example OAuth2 JSON web token
The roles are listed in the ext section of the JWT token under com.bosch.roles. Scopes can be found in the scp section.
{ "aud": [], "client_id": "{client_id}", "exp": 1706666674, "ext": { "com.bosch.roles": [ "IDM2BCD_SOUP_12345678_SYSTEM_ADMIN", "IDM2BCD_SOUP_12345678_TAG_ADMIN", "IDM2BCD_SOUP_12345678_APPROVER", "IDM2BCD_SOUP_12345678_UPDATE_COORDINATOR", "IDM2BCD_XXXXXXXXXXX" ], "email": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "orig_guid": { "sub": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" }, "orig_id": { "idp_id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "iss": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "sub": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "username": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } }, "iat": 1706623474, "iss": "https://access.bosch-iot-rollouts.com", "jti": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "nbf": 1706623474, "scp": [ "tenant.<tenantid>/soup/management-full-access", "service:iot-rollouts-soup:<tenantid>/install-access", "offline_access" ], "sub": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}