# How AWS IoT SiteWise works with IAM
Before you use AWS Identity and Access Management (IAM) to manage access to AWS IoT SiteWise, you should understand what IAM features are available to use with AWS IoT SiteWise.
| IAM feature | Supported by AWS IoT SiteWise? |
| --- | --- |
| [Identity-based policies with resource-level permissions](security_iam_service-with-iam-id-based-policies.md) | Yes |
| [Policy actions](security_iam_service-with-iam-id-based-policies.md#security_iam_service-with-iam-id-based-policies-actions) | Yes |
| [Policy resources](security_iam_service-with-iam-id-based-policies.md#security_iam_service-with-iam-id-based-policies-resources) | Yes |
| [Policy condition keys](security_iam_service-with-iam-id-based-policies.md#security_iam_service-with-iam-id-based-policies-conditionkeys) | Yes |
| Resource-based policies | No |
| Access control lists (ACLs) | No |
| [Tags-based authorization (ABAC)](security_iam_service-with-iam-tags.md) | Yes |
| [Temporary credentials](security_iam_service-with-iam-roles.md#security_iam_service-with-iam-roles-tempcreds) | Yes |
| [Forward access sessions (FAS) ](security_iam_service-with-iam-roles.md#security_iam_service-with-iam-principal-permissions) | Yes |
| [Service-linked roles](security_iam_service-with-iam-roles.md#security_iam_service-with-iam-roles-service-linked) | Yes |
| [Service roles](security_iam_service-with-iam-roles.md#security_iam_service-with-iam-roles-service-linked) | Yes |
To get a high-level view of how AWS IoT SiteWise and other AWS services work with IAM, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.
**Contents**
+ [AWS IoT SiteWise IAM roles](security_iam_service-with-iam-roles.md)
+ [Use temporary credentials with AWS IoT SiteWise](security_iam_service-with-iam-roles.md#security_iam_service-with-iam-roles-tempcreds)
+ [Forward access sessions (FAS) for AWS IoT SiteWise](security_iam_service-with-iam-roles.md#security_iam_service-with-iam-principal-permissions)
+ [Service-linked roles](security_iam_service-with-iam-roles.md#security_iam_service-with-iam-roles-service-linked)
+ [Service roles](security_iam_service-with-iam-roles.md#security_iam_service-with-iam-roles-service)
+ [Choose an IAM role in AWS IoT SiteWise](security_iam_service-with-iam-roles.md#security_iam_service-with-iam-roles-choose)
+ [Authorization based on AWS IoT SiteWise tags](security_iam_service-with-iam-tags.md)
+ [AWS IoT SiteWise identity-based policies](security_iam_service-with-iam-id-based-policies.md)
+ [Policy actions](security_iam_service-with-iam-id-based-policies.md#security_iam_service-with-iam-id-based-policies-actions)
+ [BatchPutAssetPropertyValue authorization](security_iam_service-with-iam-id-based-policies.md#security_iam_service-with-iam-id-based-policies-batchputassetpropertyvalue-action)
+ [Policy resources](security_iam_service-with-iam-id-based-policies.md#security_iam_service-with-iam-id-based-policies-resources)
+ [Policy condition keys](security_iam_service-with-iam-id-based-policies.md#security_iam_service-with-iam-id-based-policies-conditionkeys)
+ [Examples](security_iam_service-with-iam-id-based-policies.md#security_iam_service-with-iam-id-based-policies-examples)
+ [AWS IoT SiteWise identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [Policy best practices](security_iam_id-based-policy-examples.md#security_iam_service-with-iam-policy-best-practices)
+ [Use the AWS IoT SiteWise console](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-console)
+ [Allow users to view their own permissions](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-view-own-permissions)
+ [Allow users to ingest data to assets in one hierarchy](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-ingest-to-one-asset-hierarchy)
+ [View AWS IoT SiteWise assets based on tags](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-view-asset-tags)
+ [Manage access using policies in AWS IoT SiteWise](security_iam_access-manage.md)
+ [Identity-based policies](security_iam_access-manage.md#security_iam_access-manage-id-based-policies)
+ [Resource-based policies](security_iam_access-manage.md#security_iam_access-manage-resource-based-policies)
+ [Access control lists (ACLs)](security_iam_access-manage.md#security_iam_access-manage-acl)
+ [Other policy types](security_iam_access-manage.md#security_iam_access-manage-other-policies)
+ [Multiple policy types](security_iam_access-manage.md#security_iam_access-manage-multiple-policies)
# AWS IoT SiteWise IAM roles
An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions.
## Use temporary credentials with AWS IoT SiteWise
You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html).
AWS IoT SiteWise supports using temporary credentials.
SiteWise Monitor supports federated users to access portals. Portal users authenticate with their IAM Identity Center or IAM credentials.
**Important**
Users or roles must have the `iotsitewise:DescribePortal` permission to sign in to the portal.
When a user signs in to a portal, SiteWise Monitor generates a session policy that provides the following permissions:
+ Read-only access to the assets and asset data in AWS IoT SiteWise in your account to which that portal's role provides access.
+ Access to projects in that portal to which the user has administrator (project owner) or read-only (project viewer) access.
For more information about federated portal user permissions, see [Use service roles for AWS IoT SiteWise Monitor](monitor-service-role.md).
## Forward access sessions (FAS) for AWS IoT SiteWise
**Supports forward access sessions (FAS):** Yes
Forward access sessions (FAS) use the permissions of the principal calling an AWS service, combined with the requesting AWS service to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html).
## Service-linked roles
[Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) allow AWS services to access resources in other services to complete an action on your behalf. service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.
AWS IoT SiteWise supports service-linked roles. For details about creating or managing AWS IoT SiteWise service-linked roles, see [Use service-linked roles for AWS IoT SiteWise](using-service-linked-roles.md).
## Service roles
This feature allows a service to assume a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your AWS account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.
AWS IoT SiteWise uses a service role to allow SiteWise Monitor portal users to access some of your AWS IoT SiteWise resources on your behalf. For more information, see [Use service roles for AWS IoT SiteWise Monitor](monitor-service-role.md).
You must have required permissions before you can create AWS IoT Events alarm models in AWS IoT SiteWise. For more information, see [Set up permissions for event alarms in AWS IoT SiteWise](alarms-iam-permissions.md).
## Choose an IAM role in AWS IoT SiteWise
When you create a `portal` resource in AWS IoT SiteWise, you must choose a role to allow the federated users of your SiteWise Monitor portal to access AWS IoT SiteWise on your behalf. If you have previously created a service role, then AWS IoT SiteWise provides you with a list of roles to choose from. Otherwise, you can create a role with the required permissions when you create a portal. It's important to choose a role that allows access to your assets and asset data. For more information, see [Use service roles for AWS IoT SiteWise Monitor](monitor-service-role.md).
# Authorization based on AWS IoT SiteWise tags
You can attach tags to AWS IoT SiteWise resources or pass tags in a request to AWS IoT SiteWise. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys. For more information about tagging AWS IoT SiteWise resources, see [Tag your AWS IoT SiteWise resources](tag-resources.md).
To view an example identity-based policy for limiting access to a resource based on the tags on that resource, see [View AWS IoT SiteWise assets based on tags](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-view-asset-tags).
# AWS IoT SiteWise identity-based policies
IAM policies let you control who can do what in AWS IoT SiteWise. You can decide what actions are allowed or not and set specific conditions for these actions. For example, you can make rules about who can see or change information in AWS IoT SiteWise. AWS IoT SiteWise supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.
## Policy actions
Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.
The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.
Policy actions in AWS IoT SiteWise use the following prefix before the action: `iotsitewise:`. For example, to grant someone permission to upload asset property data to AWS IoT SiteWise with the `BatchPutAssetPropertyValue` API operation, you include the `iotsitewise:BatchPutAssetPropertyValue` action in their policy. Policy statements must include either an `Action` or `NotAction` element. AWS IoT SiteWise defines its own set of actions that describe tasks that you can perform with this service.
To specify multiple actions in a single statement, separate them with commas as follows.
```
"Action": [
"iotsitewise:action1",
"iotsitewise:action2"
]
```
You can specify multiple actions using wildcards (\$1). For example, to specify all actions that begin with the word `Describe`, include the following action.
```
"Action": "iotsitewise:Describe*"
```
To see a list of AWS IoT SiteWise actions, see [Actions defined by AWS IoT SiteWise](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html#awsiotsitewise-actions-as-permissions) in the *IAM User Guide*.
### BatchPutAssetPropertyValue authorization
AWS IoT SiteWise authorizes access to the [BatchPutAssetPropertyValue](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_BatchPutAssetPropertyValue.html) action in an unusual way. For most actions, when you allow or deny access, that action returns an error if permissions aren't granted. With `BatchPutAssetPropertyValue`, you can send multiple data entries to different assets and asset properties in a single API request. AWS IoT SiteWise authorizes each data entry independently. For any individual entry that fails authorization in the request, AWS IoT SiteWise includes an `AccessDeniedException` in the returned list of errors. AWS IoT SiteWise receives the data for any entry that authorizes and succeeds, even if another entry in the same request fails.
**Important**
Before you ingest data to a data stream, do the following:
Authorize the `time-series` resource if you use a property alias to identify the data stream.
Authorize the `asset` resource if you use an asset ID to identify the asset that contains the associated asset property.
## Policy resources
Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.
The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\$1) to indicate that the statement applies to all resources.
```
"Resource": "*"
```
Each IAM policy statement applies to the resources that you specify using their ARNs. An ARN has the following general syntax.
```
arn:${Partition}:${Service}:${Region}:${Account}:${ResourceType}/${ResourcePath}
```
For more information about the format of ARNs, see [Identify AWS resources with Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html).
For example, to specify the asset with ID `a1b2c3d4-5678-90ab-cdef-22222EXAMPLE` in your statement, use the following ARN.;
```
"Resource": "arn:aws:iotsitewise:region:123456789012:asset/a1b2c3d4-5678-90ab-cdef-22222EXAMPLE"
```
To specify all data streams that belong to a specific account, use the wildcard (\$1):
```
"Resource": "arn:aws:iotsitewise:region:123456789012:time-series/*"
```
To specify all assets that belong to a specific account, use the wildcard (\$1):
```
"Resource": "arn:aws:iotsitewise:region:123456789012:asset/*"
```
Some AWS IoT SiteWise actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard (\$1).
```
"Resource": "*"
```
To specify multiple resources in a single statement, separate the ARNs with commas.
```
"Resource": [
"resource1",
"resource2"
]
```
To see a list of AWS IoT SiteWise resource types and their ARNs, see [Resource types defined by AWS IoT SiteWise](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html#awsiotsitewise-resources-for-iam-policies) in the *IAM User Guide*. To learn with which actions you can specify the ARN of each resource, see [Actions defined by AWS IoT SiteWise](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html#awsiotsitewise-actions-as-permissions).
## Policy condition keys
Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.
The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
**Important**
Many condition keys are specific to a resource, and some API actions use multiple resources. If you write a policy statement with a condition key, use the `Resource` element of the statement to specify the resource to which the condition key applies. If you don't do so, the policy might prevent users from performing the action at all, because the condition check fails for the resources to which the condition key doesn't apply. If you don't want to specify a resource, or if you've written the `Action` element of your policy to include multiple API actions, then you must use the `...IfExists` condition type to ensure that the condition key is ignored for resources that don't use it. For more information, see [...IfExists conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Conditions_IfExists) in the *IAM User Guide*.
AWS IoT SiteWise defines its own set of condition keys and also supports using some global condition keys. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
**AWS IoT SiteWise condition keys**
| Condition key | Description | Types |
| --- | --- | --- |
| iotsitewise:isAssociatedWithAssetProperty | Whether data streams are associated with an asset property. Use this condition key to define permissions based on the existence of an associated asset property for data streams. Example value: `true` | String |
| iotsitewise:assetHierarchyPath | The asset's hierarchy path, which is a string of asset IDs each separated by a forward slash. Use this condition key to define permissions based on a subset of your hierarchy of all assets in your account. Example value: `/a1b2c3d4-5678-90ab-cdef-22222EXAMPLE/a1b2c3d4-5678-90ab-cdef-66666EXAMPLE` | String |
| iotsitewise:propertyId | The ID of an asset property. Use this condition key to define permissions based on a specified property of an asset model. This condition key applies to all assets of that model. Example value: `a1b2c3d4-5678-90ab-cdef-33333EXAMPLE` | String |
| iotsitewise:childAssetId | The ID of an asset being associated as a child to another asset. Use this condition key to define permissions based on child assets. To define permissions based on parent assets, use the resource section of a policy statement. Example value: `a1b2c3d4-5678-90ab-cdef-66666EXAMPLE` | String |
| iotsitewise:iam | The ARN of an IAM identity when listing access policies. Use this condition key to define access policy permissions for an IAM identity. Example value: `arn:aws:iam::123456789012:user/JohnDoe` | String, Null |
| iotsitewise:propertyAlias | The alias that identifies an asset property or data stream. Use this condition key to define permissions based on the alias. | String |
| iotsitewise:user | The ID of an IAM Identity Center user when listing access policies. Use this condition key to define access policy permissions for an IAM Identity Center user. Example value: `a1b2c3d4e5-a1b2c3d4-5678-90ab-cdef-aaaaaEXAMPLE` | String, Null |
| iotsitewise:group | The ID of an IAM Identity Center group when listing access policies. Use this condition key to define access policy permissions for an IAM Identity Center group. Example value: `a1b2c3d4e5-a1b2c3d4-5678-90ab-cdef-bbbbbEXAMPLE` | String, Null |
| iotsitewise:portal | The ID of a portal in an access policy. Use this condition key to define access policy permissions based on a portal. Example value: `a1b2c3d4-5678-90ab-cdef-77777EXAMPLE` | String, Null |
| iotsitewise:project | The ID of a project in an access policy, or the ID of a project for a dashboard. Use this condition key to define dashboard or access policy permissions based on a project. Example value: `a1b2c3d4-5678-90ab-cdef-88888EXAMPLE` | String, Null |
To learn with which actions and resources you can use a condition key, see [Actions defined by AWS IoT SiteWise](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html#awsiotsitewise-actions-as-permissions).
## Examples
To view examples of AWS IoT SiteWise identity-based policies, see [AWS IoT SiteWise identity-based policy examples](security_iam_id-based-policy-examples.md).
# AWS IoT SiteWise identity-based policy examples
By default, entities (users and roles) don't have permission to create or modify AWS IoT SiteWise resources. They also can't perform tasks using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. To adjust permissions, an AWS Identity and Access Management (IAM) administrator must do the following:
1. Create IAM policies that grant users and roles permission to perform specific API operations on resources they need.
1. Attach those policies to the users or groups that require those permissions.
To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.
**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Use the AWS IoT SiteWise console](#security_iam_id-based-policy-examples-console)
+ [Allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Allow users to ingest data to assets in one hierarchy](#security_iam_id-based-policy-examples-ingest-to-one-asset-hierarchy)
+ [View AWS IoT SiteWise assets based on tags](#security_iam_id-based-policy-examples-view-asset-tags)
## Policy best practices
Identity-based policies determine whether someone can create, access, or delete AWS IoT SiteWise resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.
For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.
## Use the AWS IoT SiteWise console
To access the AWS IoT SiteWise console, you need a basic set of permissions. These permissions let you see and manage details about the AWS IoT SiteWise resources in your AWS account.
If you make a policy that's too restrictive, the console might not work as expected for users or roles (entities) with that policy. To ensure that those entities can still use the AWS IoT SiteWise console, attach the [AWSIoTSiteWiseConsoleFullAccess](https://console.aws.amazon.com/iam/home#/policies/policies/arn:aws:iam::aws:policy/AWSIoTSiteWiseConsoleFullAccess) managed policy to them or define equivalent permissions for those entities. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.
If entities are only using the AWS Command Line Interface (CLI) or the AWS IoT SiteWise API, and not the console, they don't need these minimum permissions. In that case, just give them access to the specific actions they need for their API tasks.
## Allow users to view their own permissions
This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ViewOwnUserInfo",
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUser"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Sid": "NavigateInConsole",
"Effect": "Allow",
"Action": [
"iam:GetGroupPolicy",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListAttachedGroupPolicies",
"iam:ListGroupPolicies",
"iam:ListPolicyVersions",
"iam:ListPolicies",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
```
## Allow users to ingest data to assets in one hierarchy
In this example, you want to grant a user in your AWS account access to write data to all asset properties in a specific hierarchy of assets, starting from the root asset `a1b2c3d4-5678-90ab-cdef-22222EXAMPLE`. The policy grants the `iotsitewise:BatchPutAssetPropertyValue` permission to the user. This policy uses the `iotsitewise:assetHierarchyPath` condition key to restrict access to assets whose hierarchy path matches the asset or its descendants.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "PutAssetPropertyValuesForHierarchy",
"Effect": "Allow",
"Action": "iotsitewise:BatchPutAssetPropertyValue",
"Resource": "arn:aws:iotsitewise:*:*:asset/*",
"Condition": {
"StringLike": {
"iotsitewise:assetHierarchyPath": [
"/a1b2c3d4-5678-90ab-cdef-22222EXAMPLE",
"/a1b2c3d4-5678-90ab-cdef-22222EXAMPLE/*"
]
}
}
}
]
}
```
------
## View AWS IoT SiteWise assets based on tags
Use conditions in your identity-based policy to control access to AWS IoT SiteWise resources based on tags. This example shows how to create a policy that allows asset viewing. However, permission is granted only if the asset tag `Owner` has the value of that user's user name. This policy also grants permission to complete this action on the console.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListAllAssets",
"Effect": "Allow",
"Action": [
"iotsitewise:ListAssets",
"iotsitewise:ListAssociatedAssets"
],
"Resource": "*"
},
{
"Sid": "DescribeAssetIfOwner",
"Effect": "Allow",
"Action": "iotsitewise:DescribeAsset",
"Resource": "arn:aws:iotsitewise:*:*:asset/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Owner": "${aws:username}"
}
}
}
]
}
```
------
Attach this policy to the users in your account. If a user named `richard-roe` attempts to view an AWS IoT SiteWise asset, the asset must be tagged `Owner=richard-roe` or `owner=richard-roe`. Otherwise, Richard is denied access. The condition tag key names are not case-sensitive. So, `Owner` matches both `Owner` and `owner`. For more information, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
# Manage access using policies in AWS IoT SiteWise
You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.
Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.
By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.
## Identity-based policies
Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.
Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.
## Resource-based policies
Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.
Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.
## Access control lists (ACLs)
Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.
Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.
## Other policy types
AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.
## Multiple policy types
When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.