Bosch IoT Insights

Authentication and authorization

Bosch IoT Insights provides highly secure data storage. Access to this data storage is controlled as follows.

All communication is secured through HTTPS and encrypted through TLS 1.2 by default. Unencrypted communication is not allowed.

Authentication

The Basic Authentication method is used to authenticate users with a username and password.

All public requests are checked by the API gateway, against which the user is authenticated. The authentication is token-based. The API gateway checks and sets the relevant headers.

When accessing Bosch IoT Insights for the first time, users are redirected to a Customer Identity and Access Management (CIAM) endpoint. The CIAM endpoint redirects to the gateway's CIAM callback URL with the login status of the user.

When the user is logged in, the authentication code is used to obtain an authentication token from CIAM. The User ID is extracted from the authentication token and checked in the Bosch CIAM User Hub. The Bosch CIAM User Hub is used to find all applications and projects the user is assigned to. The authentication token is used to get an authorization token (XSRF-TOKEN) from the Bosch CIAM User Hub for all assigned applications and projects. The authorization token is then used to generate a long-lasting agent credential. The authorization token is stored as a cookie.

In some cases, the authorization token is very large. As a result, it might not be possible to store it as a web browser cookie. Therefore, it is recommended to send the user only a Session ID that references the token, which reduces the payload. Whenever a back-end service is called, the API gateway replaces the Session ID with the authorization token, which is then used to check authentication and authorization.
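The Session ID reference described above, shown as an added example (this is not Bosch IoT Insights code): the gateway keeps the large authorization token server-side, hands the browser only an opaque random ID, and swaps the ID back for the token before calling a back-end service. The class and function names, the 15-minute lifetime, and the `Authorization: Bearer` header are assumptions made for the illustration.

```python
import secrets
import time

SESSION_TTL_SECONDS = 900  # assumed lifetime; the page does not state one


class SessionStore:
    """Server-side map from an opaque Session ID to the large authorization token."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._sessions = {}  # session_id -> (authorization_token, expires_at)

    def create(self, authorization_token):
        # 256 bits from the OS CSPRNG: the ID carries no claims and cannot be guessed.
        session_id = secrets.token_urlsafe(32)
        expires_at = self._now() + SESSION_TTL_SECONDS
        self._sessions[session_id] = (authorization_token, expires_at)
        return session_id

    def resolve(self, session_id):
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        token, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[session_id]  # expired sessions are purged on access
            return None
        return token


def forward_headers(store, client_headers, session_cookie):
    """Build the headers for a back-end call, or return None to reject the request."""
    token = store.resolve(session_cookie) if session_cookie else None
    if token is None:
        return None
    # Drop any Authorization header sent by the client so only the gateway sets it.
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != "authorization"}
    headers["Authorization"] = "Bearer " + token  # header name and scheme are assumptions
    return headers
```

Because the ID is only a lookup key, deleting the server-side entry revokes the session immediately, which a self-contained token stored in the cookie would not allow.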

Authorization

The authorization in Bosch IoT Insights is based on roles and corresponding permissions. The available permissions are predefined. Each role can assign a set of permissions to a user. Hence, roles and permissions grant access to different functions of Bosch IoT Insights. Automated integration tests are executed to prevent unauthorized operations.

Admins can change the role definitions. However, the admin role is fixed. Admin permissions cannot be changed.

Bosch IoT Insights provides the following five user roles. The user who subscribed to the Bosch IoT Insights service instance is assigned the admin role by default.

Role: Admin

Description: Main administrator of a specific project

Permissions:

  • Full access to all project features
  • Define processing pipelines
  • Define retention times
  • Access to all logs and access protocols
  • Delete input data and processed data

Inherited roles:

  • Manager
  • Power User
  • User
  • Data Provider

Role: Manager

Description: Business administrator of a specific project

Permissions:

  • View database statistics
  • Invite users to the project
  • Access to user management
  • Change project settings
  • Manage the Master Data History
  • Add, edit, and delete devices in Master Data Management
  • Add, edit, and delete existing views

Inherited roles:

  • Power User
  • User
  • Data Provider

Role: Power User

Description: User of a specific project with advanced features

Permissions:

  • Access to the Data Analyzer
  • Write queries within the Template Designer
  • Access to the Decoder Service
  • View processing pipelines
  • Change existing devices in Master Data Management
  • Edit existing views

Inherited roles:

  • User

Role: User

Description: User of a specific project

Permissions:

  • Access project data
  • Access to the Data Browser and the Data Explorer
  • View custom project views

Inherited roles: none

Role: Data Provider

Description: (Mostly technical) user of a specific project

Permissions:

  • Provide/send input data to the project

Inherited roles: none