Device Policies

Device policies are JSON documents that let you manage access to the OmniCore data plane. The data plane comprises the operations that let you connect to the OmniCore message broker, exchange MQTT messages, and manage Broadcast permissions and granular access to topics using regular expressions.

Please note that changes made to a policy may not take immediate effect due to OmniCore's policy document caching mechanism. Therefore, you may need to wait a couple of minutes before accessing a resource that has recently been granted access, and a resource may remain accessible for a few minutes even after its access has been revoked.

Available Policies

Name / Details

oc:Connect

Represents the permission to connect to the OmniCore message broker. The oc:Connect permission is checked every time a CONNECT request is sent to the broker. The message broker doesn't allow two clients with the same client ID to stay connected at the same time. After the second client connects, the broker closes the existing connection. Use the oc:Connect permission to ensure only authorized clients using a specific client ID can connect.

oc:PublishState

Represents the permission to publish state to an MQTT topic. This permission is checked every time a PUBLISH request is sent to the broker. You can use this to allow clients to publish to specific topic patterns.
Topic: /registry_id/device_id/state
Note: To grant the oc:PublishState permission, you must also grant the oc:Connect permission.

oc:PublishEvents

Represents the permission to publish events to an MQTT topic. This permission is checked every time a PUBLISH request is sent to the broker.
Topic: /registry_id/device_id/events/*
Note: To grant the oc:PublishEvents permission, you must also grant the oc:Connect permission.

oc:PublishEventsRegex

Represents the regex applied to subfolders for the permission to publish events to an MQTT topic. This permission is checked every time a PUBLISH request is sent to the broker. You can use this to allow clients to publish to specific topic patterns.
Topic: /registry_id/device_id/events/regex

oc:PublishLoopback

Represents the permission to publish to an MQTT topic for a quick test in the OmniCore UI. This permission is checked every time a PUBLISH request is sent to the broker for the Loopback topic.
Topic: /registry_id/device_id/PublishLoopback/
Note: To grant the oc:PublishLoopback permission, you must also grant the oc:Connect permission.

oc:SubscribeCommand

Represents the permission to subscribe to a Commands topic.
Topic: /registry_id/device_id/commands
Note: To grant the oc:SubscribeCommand permission, you must also grant the oc:Connect permission.

oc:SubscribeCommandRegex

Regex for the commands subfolder.
Topic: /registry_id/device_id/commands/subfolder

oc:SubscribeConfig

Represents the permission to subscribe to a Configuration topic.
Topic: /registry_id/device_id/configs
Note: To grant the oc:SubscribeConfig permission, you must also grant the oc:Connect permission.

oc:SubscribeBroadcast

Represents the permission to subscribe to a Commands topic.
Topic: /registryid//broadcast

oc:SubscribeBroadcastRegex

Regex for the Broadcast subfolder.
Topic: /registryid//broadcast/subfolder

Sample Policy

Policy in JSON:

{
    "Connect": true,
    "PublishState": true,
    "PublishEvents": true,
    "PublishEventsRegex": ".*",
    "PublishLoopback": true,
    "SubscribeCommand": true,
    "SubscribeCommandRegex": ".*",
    "SubscribeBroadcast": true,
    "SubscribeBroadcastRegex": ".*",
    "SubscribeConfig": true
}

Regex for Topic Names

The names of Command subscription, Event publication, and Broadcast MQTT topics can be managed more closely using regular expressions. Topic names must consist entirely of alphabetic characters and must be between 3 and 12 characters in length.

Regular Expression / Details

^[a-zA-Z]{2}$

Match exactly 2 letters

^[a-zA-Z]{4}$

Match exactly 4 letters

^[a-zA-Z]{2,4}$

Match between 2 and 4 letters

^[a-zA-Z]{5}$

Match exactly 5 letters

^[a-zA-Z]{2,6}$

Match between 2 and 6 letters

^[a-zA-Z]{7}$

Match exactly 7 letters

^[a-zA-Z]{8,12}$

Match between 8 and 12 letters

^[a-zA-Z]{2,12}$

Match between 2 and 12 letters

^[a-zA-Z]{2,9}$

Match between 2 and 9 letters
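
A lint check for a policy document, as an added example (not OmniCore code): it flags permissions granted without Connect, as the notes above require, and regex fields that are unanchored or that accept names breaking the alphabetic, 3-to-12-character rule. The function name `lint_policy`, the probe strings, and the assumption that the broker searches the regex against the subfolder name are illustrative, not taken from OmniCore.

```python
import json
import re

# Keys as they appear in the sample policy on this page.
NEEDS_CONNECT = ["PublishState", "PublishEvents", "PublishLoopback",
                 "SubscribeCommand", "SubscribeConfig"]
REGEX_KEYS = ["PublishEventsRegex", "SubscribeCommandRegex",
              "SubscribeBroadcastRegex"]
# Constructed probe names that all break the page's rule (letters only,
# 3 to 12 characters). A tight regex must reject every one of them.
BAD_PROBES = ["ab", "a" * 13, "temp1", "a/b", "a+b", "#", ""]


def lint_policy(policy):
    """Return a list of findings for one device policy dict."""
    findings = []
    if not policy.get("Connect"):
        for key in NEEDS_CONNECT:
            if policy.get(key):
                findings.append(f"{key} granted without Connect")
    for key in REGEX_KEYS:
        pattern = policy.get(key)
        if pattern is None:
            continue
        try:
            compiled = re.compile(pattern)
        except re.error as exc:
            findings.append(f"{key}: invalid regex ({exc})")
            continue
        if not (pattern.startswith("^") and pattern.endswith("$")):
            findings.append(f"{key}: not anchored with ^ and $")
        # Assumption: the regex is searched against the subfolder name.
        leaked = [p for p in BAD_PROBES if compiled.search(p)]
        if leaked:
            findings.append(f"{key}: accepts names outside the rule: {leaked}")
    return findings


if __name__ == "__main__":
    # Constructed input modelled on the sample policy above.
    sample = json.loads('{"Connect": true, "PublishEvents": true, '
                        '"PublishEventsRegex": ".*"}')
    for finding in lint_policy(sample):
        print(finding)
```
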

Updating Device Policy

There are two ways to update the policy associated with a device.

OmniCore Portal

On the Device page you will find a policy generator. It generates the policy JSON for the device.

OmniCore API or SDK

You can also update the policy through the API or SDK.
