Scope Catalog
UTMOS uses Casbin tenant-domain authorization. In this documentation, a “scope” maps to a Casbin object:action pair, not to the legacy string-scope model.
Open Platform Permissions
| Permission | Grants | Endpoint |
|---|---|---|
| open:command:create | Accept cloud-to-device commands | POST /api/v1/open/downlink/commands |
| open:command:read | Query accepted commands | GET /api/v1/open/downlink/commands/{command_id} |
| open:object:create | Issue upload or download presigned URLs for tenant-authorized objects | POST /api/v1/open/objects/presign |
| open:object-config:create | Create tenant object credentials or resource policies | POST /api/v1/open/objects/credentials, POST /api/v1/open/objects/resources |
| open:object-config:read | Read tenant object storage configuration | GET /api/v1/open/objects/credentials, GET /api/v1/open/objects/resources |
| open:object-config:update | Update or rotate tenant object storage configuration | PUT /api/v1/open/objects/credentials/{credential_id}, PUT /api/v1/open/objects/resources/{resource_id} |
| open:callback:create | Create callback endpoints or subscriptions | POST /api/v1/open/callbacks/endpoints, POST /api/v1/open/callbacks/endpoints/{endpoint_id}/subscriptions |
| open:callback:read | Read callback endpoints or subscriptions | GET /api/v1/open/callbacks/endpoints |
| open:callback:update | Update or rotate callback endpoints | PUT /api/v1/open/callbacks/endpoints/{endpoint_id} |
| open:callback:disable | Delete callback subscriptions | DELETE /api/v1/open/callbacks/endpoints/{endpoint_id}/subscriptions/{subscription_id} |
| open:device-request:read | Read device-to-cloud requests | GET /api/v1/open/device-requests, GET /api/v1/open/device-requests/{request_id} |
| open:device-request:create | Reply to device-to-cloud requests | POST /api/v1/open/device-requests/{request_id}/reply |
Suggested Roles
| Role | Use case | Common permissions |
|---|---|---|
| tenant_admin | Tenant administrator | Manage tenant credentials, ACL, object storage, callbacks, and NATS configuration |
| integration_operator | Business system integration | open:command:create, open:command:read, open:object:create, open:device-request:read |
| integration_reader | Read-only integration | Query commands and device requests without creating commands |
Authorization Model
Tenant, identity, scope, and business facts are connected as follows:

| Concept | Source | Responsibility |
|---|---|---|
| Tenant | authenticated credential binding | data isolation boundary |
| Credential | X-Api-Id | caller identity |
| Role Binding | Casbin g policy | binds client_id to a role inside a tenant domain |
| Scope | Casbin object:action | describes what the caller may do in the tenant |
| Business Ownership | command/object/callback facts | persists business ownership |
Object storage configuration uses open:object-config; callback configuration uses open:callback.
tenant_id must come from the authenticated credential binding. It cannot be declared or overridden by the request body. Later query, callback, adapter execution, and object access flows must use the tenant_id stored in business facts as the boundary; command_id, resource_id, or other global identifiers are not sufficient authorization context.
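The role binding, scope, and tenant-boundary rules above, as an added example that is not UTMOS or Casbin project code: a small in-memory re-implementation of the domain-RBAC check (no Casbin dependency) with constructed policy rows, credential bindings, and command records. Role and scope names come from this page; every identifier value (tenant-a, client-op-1, api-op-1, cmd-1) is an assumption.

```python
# Added example, not UTMOS or Casbin code: an in-memory re-implementation of
# the tenant-domain check described above, so the policy shape is readable
# without a Casbin dependency. All rows and records below are constructed.

# p rows (role, tenant_domain, object, action). A scope such as
# "open:command:create" is the object:action pair ("open:command", "create").
POLICY = [
    ("integration_operator", "tenant-a", "open:command", "create"),
    ("integration_operator", "tenant-a", "open:command", "read"),
    ("integration_reader", "tenant-a", "open:command", "read"),
    ("integration_operator", "tenant-b", "open:command", "create"),
]
# g rows (client_id, role, tenant_domain): a role binding is per tenant domain.
GROUPING = [
    ("client-op-1", "integration_operator", "tenant-a"),
    ("client-ro-1", "integration_reader", "tenant-a"),
]
# X-Api-Id -> (client_id, tenant_id): the authenticated credential binding.
CREDENTIALS = {"api-op-1": ("client-op-1", "tenant-a"),
               "api-ro-1": ("client-ro-1", "tenant-a")}
# Business facts persist tenant ownership next to the global command_id.
COMMANDS = {"cmd-1": {"tenant_id": "tenant-a", "payload": "reboot"},
            "cmd-2": {"tenant_id": "tenant-b", "payload": "reset"}}


def enforce(client_id, tenant_id, scope):
    """Casbin-style enforce(sub, dom, obj, act): g(sub, role, dom) and p(role, dom, obj, act)."""
    obj, act = scope.rsplit(":", 1)
    roles = {r for c, r, d in GROUPING if c == client_id and d == tenant_id}
    return any(r in roles and d == tenant_id and o == obj and a == act
               for r, d, o, a in POLICY)

def authorize(api_id, scope, body):
    """Decide from the credential binding; a tenant_id in the body is ignored."""
    binding = CREDENTIALS.get(api_id)
    if binding is None:
        return False, "unknown X-Api-Id"
    client_id, tenant_id = binding  # never body.get("tenant_id")
    if not enforce(client_id, tenant_id, scope):
        return False, "no role binding or policy for %s in %s" % (client_id, tenant_id)
    return True, tenant_id

def read_command(api_id, command_id):
    """command_id is global; the tenant_id stored with the record is the boundary."""
    ok, tenant_id = authorize(api_id, "open:command:read", {})
    record = COMMANDS.get(command_id)
    if not ok or record is None or record["tenant_id"] != tenant_id:
        return None  # same answer for "not yours" and "does not exist"
    return record
```

A body that carries a different tenant_id than the credential binding is a useful signal to log, but it never changes the decision.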
On Authorization Failures
Calling an endpoint without permission returns an authorization failure. When that happens:

- Confirm X-Api-Id is the expected client credential.
- Confirm the credential is bound to the correct tenant_id.
- Confirm the client_id has the required Casbin policy or role binding in the tenant domain.