Access Control List
Overview
Access control lists (ACLs) are the data structure used to administer resource-based authorization. The subscription type permissions endpoints post, update, and delete access control list objects, and in doing so grant and revoke access permissions for users, devices, applications, and organizations.
Access Control Lists
An access control list has the following form:
{
    "id": "ID_OF_RESOURCE_TO_AUTH",
    "accesscontrolitems": {
        "sub:dev:DEVICE_ID": "PERMISSION",
        "sub:user:USER_ID": "PERMISSION",
        "sub:app:APPLICATION_ID": "PERMISSION",
        "org:ORG_ID": "PERMISSION"
    }
}
Permissions
For the Subscription service, ID_OF_RESOURCE_TO_AUTH is the subscription type id. The remaining ID fields in the example are the principal ids assigned by the identity management system. PERMISSION is one of the following:
- owner: Currently given to the type’s subscriber
- admin: Currently given to the creator of the type, if the creator is not the subscriber
- readwrite: Can update the type object
- readonly: Can only read the type object
Principals
A principal is denoted by PRINCIPAL_TYPE:PRINCIPAL_ID, where the principal type is one of the following:
- sub:user: Principal is a user
- sub:dev: Principal is a device
- sub:app: Principal is an application
- org: Principal is an organization
- group:ORGID: Principal is a group in the organization denoted by ORGID
When a new subscription type object is registered, a new access control list is automatically created with the type subscriber assigned owner permission and the requestor, if different from the subscriber, assigned admin permission.
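The following is an added example, not code from the service or its documentation. It shows what a client or policy layer would do with an ACL of the form above: parse the object, reject unknown principal types and permission strings, answer read/update checks with deny-by-default for unlisted principals, and build the initial ACL that registration creates (owner for the subscriber, admin for a distinct requestor). Two details are assumptions rather than statements from the page: the group key is taken to be written group:ORGID:GROUP_ID, and owner and admin are treated as including readwrite (the page defines only what readwrite and readonly may do). The resource and principal ids in the sample are constructed.

```python
import json
from typing import Dict, Tuple

# Permission names from the page, ordered weakest to strongest. The ordering of
# owner and admin above readwrite is an ASSUMPTION; the page only states that
# readwrite can update the type object and readonly can only read it.
PERMISSIONS = ("readonly", "readwrite", "admin", "owner")
SIMPLE_PRINCIPAL_TYPES = ("sub:user", "sub:dev", "sub:app", "org")


def parse_principal(key: str) -> Tuple[str, str]:
    """Split 'PRINCIPAL_TYPE:PRINCIPAL_ID' into (type, id), rejecting unknown types.

    Group keys are ASSUMED to look like 'group:ORGID:GROUP_ID'; the returned id
    keeps both the org id and the group id.
    """
    if key.startswith("group:"):
        parts = key.split(":", 2)
        if len(parts) != 3 or not parts[1] or not parts[2]:
            raise ValueError(f"malformed group principal: {key!r}")
        return "group", key[len("group:"):]
    for ptype in SIMPLE_PRINCIPAL_TYPES:
        prefix = ptype + ":"
        if key.startswith(prefix) and len(key) > len(prefix):
            return ptype, key[len(prefix):]
    raise ValueError(f"unknown principal type in {key!r}")


def parse_acl(text: str) -> Dict:
    """Parse an ACL object, validating every principal key and permission value."""
    obj = json.loads(text)
    if not isinstance(obj.get("id"), str) or not obj["id"]:
        raise ValueError("ACL is missing the id of the resource to authorize")
    items = obj.get("accesscontrolitems")
    if not isinstance(items, dict):
        raise ValueError("accesscontrolitems must be a JSON object")
    for key, perm in items.items():
        parse_principal(key)  # raises on unknown or malformed principals
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r} for {key}")
    return obj


def is_permitted(acl: Dict, principal: str, action: str) -> bool:
    """Return True if the principal may perform 'read' or 'update' on the resource.

    A principal absent from accesscontrolitems is denied (deny by default).
    """
    if action not in ("read", "update"):
        raise ValueError(f"unknown action {action!r}")
    parse_principal(principal)
    perm = acl["accesscontrolitems"].get(principal)
    if perm is None:
        return False
    needed = "readonly" if action == "read" else "readwrite"
    return PERMISSIONS.index(perm) >= PERMISSIONS.index(needed)


def initial_acl(resource_id: str, subscriber: str, requestor: str) -> Dict:
    """Build the ACL the page says is created on registration: the subscriber is
    owner, and the requestor is admin only when it differs from the subscriber."""
    items = {subscriber: "owner"}
    if requestor != subscriber:
        items[requestor] = "admin"
    return {"id": resource_id, "accesscontrolitems": items}


# Constructed sample ACL; all ids are invented for this example.
SAMPLE_ACL_JSON = """{
  "id": "subtype-123",
  "accesscontrolitems": {
    "sub:user:user-1": "owner",
    "sub:dev:dev-7": "readonly",
    "sub:app:app-2": "readwrite",
    "org:org-9": "readonly",
    "group:org-9:ops": "readwrite"
  }
}"""

SAMPLE_ACL = parse_acl(SAMPLE_ACL_JSON)

if __name__ == "__main__":
    for principal, action in [("sub:dev:dev-7", "read"), ("sub:dev:dev-7", "update"),
                              ("sub:app:app-2", "update"), ("sub:user:nobody", "read")]:
        print(principal, action, is_permitted(SAMPLE_ACL, principal, action))
    print(json.dumps(initial_acl("subtype-456", "sub:user:alice", "sub:app:portal")))
```

The validation in parse_acl matters when ACL objects are posted by clients: an unrecognised permission string or principal type is rejected outright rather than silently treated as some default, and a principal that is not listed never gets access.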