Updated on 2024-11-06 GMT+08:00

Create a Device Policy

Function

This API is used by an application to create a policy on the IoT platform. The policy takes effect only after being bound to a device or product.

  • A maximum of 50 device policies can be created for an instance.

  • This API is supported only by standard and enterprise editions.

Debugging

You can debug this API through automatic authentication in API Explorer or use the SDK sample code generated by API Explorer.

URI

POST /v5/iot/{project_id}/device-policies

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Parameter description: project ID. For details about how to obtain the project ID, see Obtaining a Project ID. |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | No | String | Parameter description: user token. Obtain the token by calling the IAM API for obtaining a user token through password authentication. In the returned response header, X-Subject-Token is the desired user token. For details about how to obtain the token, see Token Authentication. |
| Instance-Id | No | String | Parameter description: instance ID. Unique identifier of each instance in the physical multi-tenant scenario. Mandatory for professional editions and recommended in other cases. Log in to the IoTDA console and choose Overview in the navigation pane to view the instance ID. For details, see Viewing Instance Details. |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| policy_name | Yes | String | Parameter description: policy name. Value: The value can contain a maximum of 128 characters. Only letters, digits, underscores (_), and hyphens (-) are allowed. |
| app_id | No | String | Parameter description: resource space ID. This parameter is optional. If you have multiple resource spaces, you can use this parameter to specify the resource space to which the device to create will belong. If this parameter is not specified, the device to create will belong to the default resource space. Value: The value can contain a maximum of 36 characters. Only letters, digits, underscores (_), and hyphens (-) are allowed. |
| statement | Yes | Array of Statement objects | Parameter description: policy document. |

Table 4 Statement

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| effect | Yes | String | Specifies whether to allow or reject the operation. If there are both ALLOW and DENY statements, the DENY statement takes precedence. Options: ALLOW, DENY. |
| actions | Yes | Array of strings | Specifies the operation allowed or denied by the policy. Format: Service name:Resource:Operation. Options: iotda:devices:publish (the device uses MQTT to publish messages); iotda:devices:subscribe (the device uses MQTT to subscribe to messages). |
| resources | Yes | Array of strings | Specifies the resource on which the operation is allowed or rejected. Format: Resource type:Resource name. For example, the resource subscribed by the device is topic:/v1/${devices.deviceId}/test/hello. Value: Length of the resource list: 1 to 10. Only letters, digits, and special characters (/{}$=+#?*:._-) are allowed. |

Response Parameters

Status code: 201

Table 5 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| app_id | String | Parameter description: resource space ID. |
| policy_id | String | Policy ID. |
| policy_name | String | Policy name. |
| statement | Array of Statement objects | Policy documents. |
| create_time | String | Time when the policy was created on the IoT platform. The value is in the format of yyyyMMdd'T'HHmmss'Z', for example, 20151212T121212Z. |
| update_time | String | Time when the policy was updated on the IoT platform. The value is in the format of yyyyMMdd'T'HHmmss'Z', for example, 20151212T121212Z. |

Table 6 Statement

| Parameter | Type | Description |
|---|---|---|
| effect | String | Specifies whether to allow or reject the operation. If there are both ALLOW and DENY statements, the DENY statement takes precedence. Options: ALLOW, DENY. |
| actions | Array of strings | Specifies the operation allowed or denied by the policy. Format: Service name:Resource:Operation. Options: iotda:devices:publish (the device uses MQTT to publish messages); iotda:devices:subscribe (the device uses MQTT to subscribe to messages). |
| resources | Array of strings | Specifies the resource on which the operation is allowed or rejected. Format: Resource type:Resource name. For example, the resource subscribed by the device is topic:/v1/${devices.deviceId}/test/hello. Value: Length of the resource list: 1 to 10. Only letters, digits, and special characters (/{}$=+#?*:._-) are allowed. |

Example Requests

  • Creates a device policy, allowing devices to subscribe to and publish messages through specified topics.

    POST https://{endpoint}/v5/iot/{project_id}/device-policies
    
    {
      "policy_name" : "myPolicyAllow",
      "app_id" : "jeQDJQZltU8iKgFFoW060F5SGZka",
      "statement" : [ {
        "effect" : "ALLOW",
        "actions" : [ "iotda:devices:publish", "iotda:devices:subscribe" ],
        "resources" : [ "topic:/v1/${devices.deviceId}/test/allow" ]
      } ]
    }

  • Creates a device policy, forbidding devices to subscribe to and publish messages through specified topics.

    POST https://{endpoint}/v5/iot/{project_id}/device-policies
    
    {
      "policy_name" : "myPolicyDeny",
      "app_id" : "jeQDJQZltU8iKgFFoW060F5SGZka",
      "statement" : [ {
        "effect" : "DENY",
        "actions" : [ "iotda:devices:publish", "iotda:devices:subscribe" ],
        "resources" : [ "topic:/v1/${devices.deviceId}/test/deny" ]
      } ]
    }
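
A pre-flight check for the request body, as an added example that is not part of the original page or of any Huawei Cloud SDK: it applies the constraints from Tables 3 and 4 before the POST is sent and flags an ALLOW statement on a wildcard topic that is not scoped with ${devices.deviceId}. The function names, the sample body, and the reading of # and + as MQTT wildcards in a topic resource are assumptions.

```python
import re

# Constraints transcribed from Tables 3 and 4 of this page.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")
APP_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,36}")
RESOURCE_RE = re.compile(r"[A-Za-z0-9/{}$=+#?*:._-]+")
ACTIONS = {"iotda:devices:publish", "iotda:devices:subscribe"}

def _ok(pattern, value):
    # fullmatch rejects trailing newlines and embedded control characters
    return isinstance(value, str) and pattern.fullmatch(value) is not None

def validate_policy(body):
    """Return a list of problems found in a create-policy request body."""
    problems = []
    if not _ok(NAME_RE, body.get("policy_name")):
        problems.append("policy_name: 1-128 letters, digits, '_' or '-'")
    if "app_id" in body and not _ok(APP_ID_RE, body["app_id"]):
        problems.append("app_id: at most 36 letters, digits, '_' or '-'")
    statements = body.get("statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["statement: must be a non-empty array"]
    for i, st in enumerate(statements):
        where = f"statement[{i}]"
        effect = st.get("effect")
        if effect not in ("ALLOW", "DENY"):
            problems.append(f"{where}.effect: must be ALLOW or DENY")
        actions = st.get("actions") or []
        bad = [a for a in actions if a not in ACTIONS]
        if bad or not actions:
            problems.append(f"{where}.actions: not a documented action: {bad!r}")
        resources = st.get("resources") or []
        if not 1 <= len(resources) <= 10:
            problems.append(f"{where}.resources: list length must be 1 to 10")
        for res in resources:
            if not _ok(RESOURCE_RE, res):
                problems.append(f"{where}.resources: illegal value {res!r}")
            # Assumption: '#' and '+' behave as MQTT wildcards in a topic resource.
            elif (effect == "ALLOW" and ("#" in res or "+" in res)
                  and "${devices.deviceId}" not in res):
                problems.append(f"{where}.resources: wildcard ALLOW not device-scoped: {res!r}")
    return problems

# Constructed sample: two actions fused into one string by a stray carriage return.
FUSED = {"policy_name": "myPolicyAllow", "statement": [{
    "effect": "ALLOW",
    "actions": ["iotda:devices:publish\riotda:devices:subscribe"],
    "resources": ["topic:/v1/${devices.deviceId}/test/allow"]}]}
```

Calling validate_policy(FUSED) reports the fused action string; an empty list means the body satisfies every documented constraint.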

Example Responses

Status code: 201

Created

{
  "app_id" : "jeQDJQZltU8iKgFFoW060F5SGZka",
  "policy_id" : "5c90fa7d3c4e4405e8525079",
  "policy_name" : "testPolicy",
  "statement" : [ {
    "effect" : "ALLOW",
    "actions" : [ "iotda:devices:publish", "iotda:devices:subscribe" ],
    "resources" : [ "topic:/v1/${devices.deviceId}/test/hello", "topic:/v1/${devices.productId}/test/hello" ]
  } ],
  "create_time" : "20230810T070547Z",
  "update_time" : "20230810T070547Z"
}

Status Codes

| Status Code | Description |
|---|---|
| 201 | Created |
| 400 | Bad Request |
| 401 | Unauthorized |
| 403 | Forbidden |
| 500 | Internal Server Error |

Error Codes

See Error Codes.