Access Control List

Overview

Access control lists are the data structure used to administer resource-based authorization. The subscription connection permissions endpoints are used to post, update, and delete access control list objects, and thus to grant and revoke access permissions for users, devices, applications, and organizations.

Access Control Lists

An access control list has the following form:

{
    "id": "ID_OF_RESOURCE_TO_AUTH",
    "accesscontrolitems": {
        "sub:dev:DEVICE_ID": "PERMISSION",
        "sub:user:USER_ID": "PERMISSION",
        "sub:app:APPLICATION_ID": "PERMISSION",
        "org:ORG_ID": "PERMISSION"
    }
}

Permissions

In the case of the Subscription service, ID_OF_RESOURCE_TO_AUTH is the subscription connection id. The remaining ID fields in the example are the principal ids assigned by the identity management system. PERMISSION is one of the following:

  • owner: Currently given to the connection’s subscriber
  • admin: Currently given to the creator of the connection, if the creator is not the subscriber
  • readwrite: Can update the connection object
  • readonly: Can only read the connection object

Principals

A principal is denoted by PRINCIPAL_TYPE:PRINCIPAL_ID. Principal type is one of the following:

  • sub:user: Principal is a user
  • sub:dev: Principal is a device
  • sub:app: Principal is an application
  • org: Principal is an organization
  • group:ORGID: Principal is a group in organization denoted by ORGID

When a new subscription connection object is registered, a new access control list is automatically created, with the connection subscriber assigned the owner permission and the requestor, if different from the subscriber, assigned the admin permission.
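The following Python is an added example, not code from the Subscription service or its documentation. It builds the default access control list described above, validates an ACL object in the documented form, and evaluates whether a caller is allowed to read or update the connection, denying by default. Two things are assumptions that the page does not state: the strength ordering owner > admin > readwrite > readonly, and the key form "group:ORGID:GROUP_ID" for group principals. The sample ACL JSON and all ids are constructed for the example.

```python
"""Added example: default ACL creation, ACL validation and permission checks.
Not the service's own code. Assumptions are marked in comments."""
import json
from typing import Dict, Iterable, Optional, Tuple

# ASSUMPTION: the page only says what readwrite/readonly allow; the ordering
# owner > admin > readwrite > readonly is assumed here.
PERMISSION_RANK: Dict[str, int] = {"readonly": 0, "readwrite": 1, "admin": 2, "owner": 3}
PRINCIPAL_TYPES = ("sub:user", "sub:dev", "sub:app", "org", "group")
# Minimum permission each action needs (assumed mapping).
ACTION_REQUIRES = {"read": "readonly", "update": "readwrite"}


def default_acl(connection_id: str, subscriber_id: str, requestor_id: str) -> dict:
    """Mirror the automatic ACL created on registration: the subscriber gets
    owner; the requestor gets admin only if it is a different principal.
    ASSUMPTION: subscriber and requestor are user principals."""
    items = {f"sub:user:{subscriber_id}": "owner"}
    if requestor_id != subscriber_id:
        items[f"sub:user:{requestor_id}"] = "admin"
    return {"id": connection_id, "accesscontrolitems": items}


def parse_principal(key: str) -> Tuple[str, str]:
    """Split PRINCIPAL_TYPE:PRINCIPAL_ID into (type, id). 'sub:*' types carry two
    prefix segments; 'group' ids are assumed to be 'ORGID:GROUP_ID'."""
    if key.startswith("sub:"):
        sub_type, _, pid = key[4:].partition(":")
        ptype = "sub:" + sub_type
    else:
        ptype, _, pid = key.partition(":")
    if ptype not in PRINCIPAL_TYPES or not pid:
        raise ValueError(f"malformed principal key: {key!r}")
    if ptype == "group":
        org_id, _, group_id = pid.partition(":")
        if not org_id or not group_id:
            raise ValueError(f"group principal must be group:ORGID:GROUP_ID: {key!r}")
    return ptype, pid


def load_acl(text: str) -> dict:
    """Parse and validate an ACL object; reject unknown principal types or permissions
    instead of silently ignoring them."""
    acl = json.loads(text)
    if not isinstance(acl, dict) or not isinstance(acl.get("id"), str):
        raise ValueError("ACL must be an object with a string 'id'")
    items = acl.get("accesscontrolitems")
    if not isinstance(items, dict):
        raise ValueError("'accesscontrolitems' must be an object")
    for key, perm in items.items():
        parse_principal(key)
        if perm not in PERMISSION_RANK:
            raise ValueError(f"unknown permission {perm!r} for {key}")
    return acl


def grant(acl: dict, principal_key: str, permission: str) -> None:
    """Add or replace one access control item (the 'post/update' side)."""
    parse_principal(principal_key)
    if permission not in PERMISSION_RANK:
        raise ValueError(f"unknown permission {permission!r}")
    acl["accesscontrolitems"][principal_key] = permission


def revoke(acl: dict, principal_key: str) -> None:
    """Remove one access control item (the 'delete' side); no-op if absent."""
    acl["accesscontrolitems"].pop(principal_key, None)


def effective_permission(acl: dict, principal_keys: Iterable[str]) -> Optional[str]:
    """Strongest permission granted to any key the caller presents (its own sub:*
    key plus the org/group keys it belongs to). None means no access."""
    best: Optional[str] = None
    for key in principal_keys:
        perm = acl["accesscontrolitems"].get(key)
        if perm is not None and (best is None or PERMISSION_RANK[perm] > PERMISSION_RANK[best]):
            best = perm
    return best


def is_allowed(acl: dict, principal_keys: Iterable[str], action: str) -> bool:
    """Deny by default: unknown actions and unlisted principals are refused."""
    required = ACTION_REQUIRES.get(action)
    if required is None:
        return False
    perm = effective_permission(acl, principal_keys)
    return perm is not None and PERMISSION_RANK[perm] >= PERMISSION_RANK[required]


if __name__ == "__main__":
    # Constructed sample in the documented form (ids are made up).
    sample = '{"id": "conn-1", "accesscontrolitems": {"sub:user:alice": "owner", "org:acme": "readonly"}}'
    acl = load_acl(sample)
    grant(acl, "sub:dev:dev-42", "readonly")
    print(is_allowed(acl, ["sub:dev:dev-42", "org:acme"], "update"))  # False
```

The check function takes every principal key the caller can claim, because a device that is itself only readonly may still be readwrite through an org or group entry on the same list; evaluating only the caller's own key would under-grant, while skipping validation of principal types would let a typo such as sub:dev:DEvICE_ID silently create an entry nobody matches.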