Apply dynamic conditions on thing state when enforcing policies

Open thjaeckle opened this issue 1 year ago • 0 comments

There are use cases where it would be useful to apply a policy based on the current state of a thing.

An example:
Only grant certain permissions based on whether a thing is currently "claimed" by a user. Or only after the device was manufactured but has not yet been connected for the first time.

Or think about use cases where devices are only rented. A condition shall enable the one who manages the rental devices to have special permissions when the device is currently not rented by a user. That could be reflected with an attribute at thing level, used in a dynamic policy condition.

These kinds of dynamic conditions can be defined with RQL and are evaluated when accessing e.g. the thing. The search index is not affected by dynamic policies.

Example syntax of a policy entry:

{
  "subjects": ...,
  "resources": {
    "thing:/": {
      "grant": ["READ"],
      "revoke": [],
      "condition": "and(eq(attributes/vacant,true),eq(attributes/buildingId,'foo'))"
    }
  }
}

thjaeckle May 17 '23 06:05
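
How an enforcer could apply the proposed `condition` field when a thing is accessed, as an added example that is not part of the original issue and is not Ditto's implementation. It assumes a hypothetical evaluator limited to the `and`, `or` and `eq` operators, and it assumes that a condition which is false, malformed or refers to a missing attribute grants nothing.

```python
import json
import re

# Constructed sample: the resource entry from the proposal above ("subjects" omitted).
RESOURCE = {"grant": ["READ"], "revoke": [],
            "condition": "and(eq(attributes/vacant,true),eq(attributes/buildingId,'foo'))"}
TOKEN = re.compile(r"'[^']*'|[\w./:-]+|[(),]")
MISSING = object()  # marks a path that is absent from the thing

def tokenize(src):
    if TOKEN.sub("", src).strip():  # anything left over is not valid in a condition
        raise ValueError("unexpected characters in condition")
    return TOKEN.findall(src)

def take(tokens, expected=None):
    if not tokens or (expected and tokens[0] != expected):
        raise ValueError(f"expected {expected or 'a token'}")
    return tokens.pop(0)

def evaluate(tokens, thing):
    """Evaluate one and/or/eq node against the thing JSON, consuming its tokens."""
    op = take(tokens)
    take(tokens, "(")
    if op == "eq":
        path, _, raw = take(tokens), take(tokens, ","), take(tokens)
        # Quoted values are strings; bare values must be JSON (true, false, numbers).
        expected = raw[1:-1] if raw.startswith("'") else json.loads(raw)
        actual = thing
        for key in path.split("/"):
            actual = actual.get(key, MISSING) if isinstance(actual, dict) else MISSING
        # Strict type match: the number 1 or the string "true" is not the boolean true.
        result = type(actual) is type(expected) and actual == expected
    elif op in ("and", "or"):
        results = [evaluate(tokens, thing)]
        while tokens and tokens[0] == ",":
            tokens.pop(0)
            results.append(evaluate(tokens, thing))
        result = all(results) if op == "and" else any(results)
    else:
        raise ValueError(f"unsupported operator {op!r}")
    take(tokens, ")")
    return result

def effective_grants(resource, thing):
    """Grants in force for this thing state; any condition error grants nothing."""
    try:
        tokens = tokenize(resource["condition"])
        granted = evaluate(tokens, thing) and not tokens  # reject trailing input
    except ValueError:
        return []
    return list(resource["grant"]) if granted else []
```
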