3rd Party REST API for Automation

I have a use case where a 3rd party would like a REST API to issue requests to a device (e.g. light on for 1 hour, light off), but they would not have access to device management (upgrades, reset, logs, RPC, etc).

Is there a way to do that with Golioth? The examples I have seen so far seem to provide the entire management API.

Thanks,
Eric

Hi @EricNRS, great question! Our Enterprise Tier allows for admins to create fine-grained policies for user / machine access. However, this is intended for use cases where the user is added as a member of a project / organization (or the API key is created in the project) and permissions are assigned to them. Does that fit your use case, or are you interested in an authentication layer for these third-party users where they are not directly added to the project / organization in question?

That sounds like it may work. The 3rd party is a single trusted partner that manages thousands of devices, so giving them an API key with fine-grained control is fine. I just need to make sure they can’t access device reset, firmware updates, etc.

The other option is that we have our devices connect to the 3rd party’s server in parallel with Golioth, but that is double the security footprint and overhead on the IoT device side.

@EricNRS thanks for that context. It sounds like fine-grained permissions on an API key could make sense here. Could you reach out via the Let's Chat link on the pricing page so that we can ensure we have your use case accommodated?

@EricNRS I am going to close this topic for the time being. We look forward to hearing from you!