Has something changed concerning smartapp and permissions

I have a smartapp that subscribes to device events and potentially sends commands to a different device.

I used to have read permissions, and it worked. Today, it was giving me 403 messages. I then spent a couple of happy hours struggling with assuming that there was a hierarchy of permissions ie Write would include read and execute. This doesnt seem to be the case. I finally fixed it by requesting Read, Write and Execute when I construct the app,

Is this correct behaviour of smartapps and permissions?

Also, what is the correct form of supplying permissions in the constructor? I use
“w:devices:", "r:devices:”, “x:devices:*”

Is this correct? You can’t combine them?

Hi, @Davec!

They need to match the format of the ones you’ve whitelisted in the Developer Workspace.
This provides permissions for every device in the location, if you don’t include them, you only have permissions for the devices selected in your settings. You can verify this by checking the payload of the INSTALL REQUEST lifecycle to see the permissions included. If they have the device ID, your SmartApp token will only have access to those. For example:

INSTALL REQUEST: {
  "lifecycle": "INSTALL",
  "executionId": "3e0f6aa0-3e71-4bc8-6648-3e0584875d70",
  "appId": "c424c087-a45b-4a00-...",
  "locale": "en",
  "version": "0.1.0",
  "client": {...},
  "installData": {
    "authToken": "....",
    "refreshToken": "....",
    "installedApp": {
      "installedAppId": "2a90d2b6-bf24-...",
      "locationId": "7770e091-79cf-...",
      "config": {
        "numberSettings": [
          {
            "valueType": "STRING",
            "stringConfig": {
              "value": "2"
            }
          }
        ],
        ...
      },
      "permissions": [
        "x:devices:7dd1ae0e-fe07-46be-...",
        "r:devices:843e5ef4-e948-475f-...",
        "x:devices:8d29ad73-6f42-46f7-...",
        "r:devices:7dd1ae0e-fe07-46be-...",
        "x:devices:843e5ef4-e948-475f...",
        "r:devices:8d29ad73-6f42-46f7-..."
      ]
    }
  }

Did you try to create a subscription for other devices or a “capability” subscription which isn’t for a specific device?

Thanks, I will investigate the INSTALL Request

It subscribes to one device with ‘subscribeToDevices’
I then use executeCommand on a different device

And, was this command sent to another device selected in one of your settings?

Yep it was

Hi, @Davec!
Sorry for the delay, I’m following up on this issue.
I tried to replicate it but I couldn’t, my App’s definition looks like this:

app.enableEventLogging(2)  // Log and pretty-print all lifecycle events and responses
    .configureI18n()      // Use files from locales directory for configuration page localization
    .page('mainPage', (context, page, configData) => {
        page.section('sensors', section => {
           section.deviceSetting('driver').capabilities(['switch']).required(true);
        });
        
    })
    .updated(async (context, updateData) => {
        await context.api.subscriptions.unsubscribeAll();
        return Promise.all([
            context.api.subscriptions.subscribeToDevices(context.config.driver, 'switch', 'switch.on', 'onDeviceEventHandler'),
            context.api.subscriptions.subscribeToDevices(context.config.driver, 'switch', 'switch.off', 'offDeviceEventHandler')
        ])
    })
    .subscribedEventHandler('onDeviceEventHandler', async (context, deviceEvent) => {
        //....
    })
    .subscribedEventHandler('offDeviceEventHandler', async (context, deviceEvent) => {
        //....
    });    

Could you share yours to see what the issue is, please? It can be over DM for privacy

Argh So sorry, I wasn’t actually reporting a bug, more asking for clarification.

Since I posted, I have noticed that the documentation is clear that ‘write’ does not include ‘read’ or ‘execute’ (I have understood this correctly, right?)

SmartThings is behaving as per documentation, there is nothing for you to replicate

Sorry for wasting your time