Device access control list

Defines who can access the device, per resource. The access control list (ACL) is stored on the device in the /oic/sec/acl2 resource. It is a list of access control entries. Each access control entry defines a subject and a set of permissions for that subject. The subject can be a connection type, a device, or a role. The permissions define what the subject can do with the resource. They are set as a bit mask in the permission property of the access control entry. The following table shows the permissions that can be defined in the permission property.

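| Permission | Value | Description |
|---|---|---|
| Create | 1 | Create the resource |
| Read | 2 | Read the resource |
| Write | 4 | Write the resource |
| Delete | 8 | Delete the resource |
| Notify | 16 | Notify the resource |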

IoTivity lite maps the Create and Delete permissions to the Write permission, and the Notify permission to the Read permission.

To select the resources the subject has access to, you can use the wildcards *, + and - in the wildcard (wc) property of the access control resource entry.

| Wildcard | Matches |
|---|---|
| * | Shall match all Non-Configuration Resources |
| + | Shall match all Discoverable Non-Configuration Resources which expose at least one Secure OCF Endpoint. |
| - | Shall match all Discoverable Non-Configuration Resources which expose at least one Secure OCF Endpoint. |

For device configuration resources, you need to specify the href property in the access control resource entry.

The list of device configuration resources:

| Resource | Resource type | href | Purpose |
|---|---|---|---|
| Device configuration | oic.wk.con | /oc/con | To change device name |
| Device maintenance resource | oic.wk.mnt | /oic/mnt | For factory reset |
| Device cloud resource | oic.r.coapcloudconf | /CoapCloudConfResURI | To setup cloud |
| Device firmware update resource | oic.r.softwareupdate | /oc/swu | To update device firmware |
| Device secure resources | | /oic/sec/* | To update device secure resources in provision state |

For IoTivity, href is used to match the ACL.

When the device is in the ready for ownership transfer method (RFOTM) state, only device configuration resources and OCF public resources are accessible. The ACL is applied only in the normal device state. To allow access to other resources in the RFOTM state, enable the feature when building IoTivity lite via cmake -DOC_RESOURCE_ACCESS_IN_RFOTM_ENABLED=ON ... and mark each resource with the function oc_resource_set_access_in_RFOTM. The default value of the option is OFF.

To update the ACL, the device needs to be in the provisioning state. How to change the device state is described here.

The ACL is updated via the POST method on the /oic/sec/acl2 resource with the body:

  {
    "aclist2": [{
      "permission": 31, // full access
      "resources": [{
        "wc": "*", // all resources
        "if": [ "*" ] // all interfaces
      }],
      "subject": { // type of subject is defined by body content
        "uuid": "00000000-0000-0000-0000-000000000000" // device id
      }
    }]
  }

More information about the ACL can be found here in section 12.
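
The following is an added example, not code from plgd or IoTivity lite: it builds an /oic/sec/acl2 body with a narrower grant than the full-access value 31 and flags entries that combine a wildcard with write-class access. The helper names, the subject UUID and the href /light/1 are constructed for illustration, and effective() assumes the IoTivity lite mapping above means that Create or Delete count as Write and Notify counts as Read.

```python
import json
from enum import IntFlag

class Perm(IntFlag):
    """Permission bits from the table on this page."""
    CREATE = 1
    READ = 2
    WRITE = 4
    DELETE = 8
    NOTIFY = 16

WILDCARDS = {"*", "+", "-"}

def effective(mask: int) -> Perm:
    """Collapse a mask to Read/Write. Assumption: the IoTivity lite mapping
    means Create or Delete count as Write and Notify counts as Read."""
    out = Perm(0)
    if mask & (Perm.READ | Perm.NOTIFY):
        out |= Perm.READ
    if mask & (Perm.WRITE | Perm.CREATE | Perm.DELETE):
        out |= Perm.WRITE
    return out

def make_ace(subject_uuid: str, permission: int, hrefs=(), wildcard=None) -> dict:
    """Build one access control entry; prefer explicit hrefs over a wildcard."""
    if not 0 < int(permission) <= 31:
        raise ValueError("permission must be in 1..31")
    if wildcard is not None and wildcard not in WILDCARDS:
        raise ValueError(f"unknown wildcard {wildcard!r}")
    resources = [{"href": h, "if": ["*"]} for h in hrefs]
    if wildcard is not None:
        resources.append({"wc": wildcard, "if": ["*"]})
    return {"permission": int(permission), "resources": resources,
            "subject": {"uuid": subject_uuid}}

def audit(body: dict) -> list:
    """Return indexes of entries granting write-class access through a wildcard."""
    return [i for i, ace in enumerate(body.get("aclist2", []))
            if Perm.WRITE in effective(ace["permission"])
            and any(r.get("wc") in WILDCARDS for r in ace["resources"])]

# Constructed sample: the page's full-access entry next to a read-only one.
SUBJECT = "11111111-2222-3333-4444-555555555555"  # constructed device id
BODY = {"aclist2": [
    make_ace(SUBJECT, 31, wildcard="*"),
    make_ace(SUBJECT, Perm.READ | Perm.NOTIFY, hrefs=["/light/1"]),  # constructed href
]}

if __name__ == "__main__":
    print(json.dumps(BODY, indent=2))
    print("wildcard entries with write access:", audit(BODY))
```

Running audit() over an ACL before it is posted gives a quick review list of the entries that deserve a second look.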

Dec 20, 2022