This document describes how to grant sub-accounts product- or device-level access control permissions.
```json
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "iotcloud:CreateProduct"
      ],
      "resource": "*",
      "effect": "deny"
    },
    {
      "action": [
        "iotcloud:*"
      ],
      "resource": "*",
      "effect": "allow",
      "condition": {
        "string_equal_if_exist": {
          "product": [
            "${productID1}",
            "${productID2}",
            "${productID3}"
          ]
        }
      }
    }
  ]
}
```
The operation to be denied is listed in `action`. For example, writing `iotcloud:DeleteDevice` there prohibits the deletion of devices by the sub-account.

```json
{
  "action": [
    "iotcloud:CreateProduct"
  ],
  "resource": "*",
  "effect": "deny"
}
```
Replace `${productID*}` with the productID of the product in IoT Hub for authorization.

```json
{
  "action": [
    "iotcloud:*"
  ],
  "resource": "*",
  "effect": "allow",
  "condition": {
    "string_equal_if_exist": {
      "product": [
        "${productID1}",
        "${productID2}",
        "${productID3}"
      ]
    }
  }
}
```
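To see how the two statements above combine, here is an added evaluator written for this page (not Tencent Cloud's own policy engine). It assumes the standard CAM evaluation order (an explicit `deny` overrides any `allow`, and an unmatched request is implicitly denied), assumes `string_equal_if_exist` passes when the `product` key is absent from the request, ignores `resource` because every statement here uses `*`, and fills the placeholders with constructed product IDs.

```python
import fnmatch
import json

# Constructed copy of the product-level policy from this page; the
# ${productID*} placeholders are replaced with made-up IDs.
POLICY = json.loads("""{
  "version": "2.0",
  "statement": [
    {"action": ["iotcloud:CreateProduct"], "resource": "*", "effect": "deny"},
    {"action": ["iotcloud:*"], "resource": "*", "effect": "allow",
     "condition": {"string_equal_if_exist": {"product": ["PRD001", "PRD002"]}}}
  ]
}""")


def _condition_ok(condition, ctx):
    """string_equal_if_exist (assumed semantics): pass when the key is absent
    from the request context, otherwise require an exact match."""
    for key, allowed in condition.get("string_equal_if_exist", {}).items():
        if key in ctx and ctx[key] not in allowed:
            return False
    return True


def evaluate(policy, action, ctx=None):
    """Return 'allow' or 'deny' for one request (assumed CAM order:
    explicit deny wins, then any matching allow, else implicit deny)."""
    ctx = ctx or {}
    decision = "deny"  # implicit deny unless an allow statement matches
    for stmt in policy["statement"]:
        # Wildcard match, e.g. "iotcloud:*" covers "iotcloud:DeleteDevice"
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["action"]):
            continue
        if not _condition_ok(stmt.get("condition", {}), ctx):
            continue
        if stmt["effect"] == "deny":
            return "deny"  # explicit deny: stop immediately
        decision = "allow"
    return decision


if __name__ == "__main__":
    for act, ctx in [("iotcloud:CreateProduct", {"product": "PRD001"}),
                     ("iotcloud:DeleteDevice", {"product": "PRD001"}),
                     ("iotcloud:DeleteDevice", {"product": "PRD999"}),
                     ("iotcloud:DescribeProducts", {})]:
        print(act, ctx, "->", evaluate(POLICY, act, ctx))
```

The third case shows why the product list matters: an action on a product that is not in the condition falls through to the implicit deny even though `iotcloud:*` matches it.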
At this point, you can get the basic product information in the IoT Hub console.

Note: you can enter multiple tags for one single device, and tag keys and values may be duplicated if they belong to different devices. You can select multiple tag keys and values when selecting resources, and you can also select a group of tag keys and values to assign resources; such a group can assign one or multiple device resources to a sub-account.
Here, the policy name and policy information can be modified. After confirming that everything is correct, click Done to create and associate the policy.
6. Due to a limitation of the IoT Hub console, after device resources are assigned to a sub-user, the sub-user can enter the device information page and view the authorized device resources only after obtaining the product and device list information. Therefore, you also need to grant access to the product and device lists by creating a policy with policy syntax. The authorization code is as follows:

```json
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "iotcloud:DescribeProducts",
        "iotcloud:DescribeDevices"
      ],
      "resource": "qcs::iotcloud:::ProductId/*",
      "effect": "allow"
    }
  ]
}
```