Device Role Assignment
When you create a device, it only has limited roles to read its own details. You need to assign roles to allow the device to perform additional operations using its token.
The following section shows how to assign roles to devices:
What you can do
- Assign a role to a device
- Remove a role from a device
- List all roles assigned to a device
Before you start, make sure:
- The device exists
- The device is associated to the account or group on which you want to assign the role
- You have permission to assign roles
- The role you want to assign exists
API Endpoints
Assign a role to a device
You can assign roles to devices on account and group using the POST roles API spec
Parameters:
-
deviceId - ID of your device
-
roleId - ID of the role you want to assign
-
entityTrn - Account or group on which you want to assign the role to the device. If ‘on’ is not provided, it defaults to caller’s account
Example Request:
curl -X POST \ "{BaseUrl}/devices/{deviceId}/roles/{roleId}?on={entityTrn}" \ -H "Authorization: Bearer {token}"Success Response (201):
{ "id": "device-uuid", "trn": "trn:2:iam:<region>:device:<device_id>", "metadata": { "createdBy": "trn:2:iam:us:user/application/device:00000000-0000-0000-0000-000000000000", "createdAt": "2024-07-29T00:00:00.000Z", "updatedBy": "trn:2:iam:us:user/application/device:00000000-0000-0000-0000-000000000000", "updatedAt": "2024-07-29T00:00:00.000Z" }}Remove Role from Device
Removes a role assigned to device using the DELETE roles API spec
The on parameter is optional - if not provided, it defaults to the caller’s account.
Example Request:
curl -X DELETE \ "{BaseUrl}/devices/{deviceId}/roles/{roleId}?on={entityTrn}" \ -H "Authorization: Bearer {token}"Success Response (204): No content
List Device Roles
List all roles assigned to a device, with optional filtering using the GET roles API spec
Parameters:
-
deviceId - ID of your device
-
on - Account or group on which to list the device’s roles. If ‘on’ is not provided, it defaults to caller’s account
-
scopedToApplicationId - Filter by application. If not provided, it defaults to caller’s application
Example Request:
curl -X GET \ "{BaseUrl}/devices/{deviceId}/roles?on={entityTrn}&scopedToApplicationId={applicationId}" \ -H "Authorization: Bearer {token}"Success Response (200):
[ { "id": "uuid", "name": "string", "permissionList": [ { "id": "uuid", "trn": "string", "action": "string", "resource": "string", "description": "string" } ] }]Authorization
Roles can be assigned to device by an application, user or device.
Requirements
- Caller must be authorized to assign roles on the target entity
- Role assignment depends on role ownership:
- Subject-owned roles (see Role Management): If caller’s application owns the role, it can be assigned directly
- Shared roles (see Role Sharing): If caller’s application doesn’t own the role, the role must be shared through a common group between the role owner and caller’s application