eclipse-ditto · thjaeckle · Feb 27, 2026 · Feb 18, 2026 · Feb 20, 2026 · Feb 20, 2026
diff --git a/.../service/signaltransformer/placeholdersubstitution/AbstractTypedSubstitutionStrategy.java b/.../service/signaltransformer/placeholdersubstitution/AbstractTypedSubstitutionStrategy.java
@@ -72,8 +72,9 @@ protected static PolicyEntry substitutePolicyEntry(final PolicyEntry existingPol
         if (existingSubjects.equals(substitutedSubjects)) {
             resultEntry = existingPolicyEntry;
         } else {
-            resultEntry = PolicyEntry.newInstance(existingPolicyEntry.getLabel(), substitutedSubjects,
-                    existingPolicyEntry.getResources());
+            resultEntry = PoliciesModelFactory.newPolicyEntry(existingPolicyEntry.getLabel(), substitutedSubjects,
+                    existingPolicyEntry.getResources(), existingPolicyEntry.getImportableType(),
+                    existingPolicyEntry.getAllowedImportAdditions());
         }
 
         return resultEntry;

diff --git a/documentation/src/main/resources/openapi/ditto-api-2.yml b/documentation/src/main/resources/openapi/ditto-api-2.yml
diff --git a/documentation/src/main/resources/openapi/sources/api-2-index.yml b/documentation/src/main/resources/openapi/sources/api-2-index.yml
@@ -129,10 +129,20 @@ paths:
     $ref: "./paths/policies/resources.yml"
   '/api/2/policies/{policyId}/entries/{label}/resources/{resourcePath}':
     $ref: "./paths/policies/resource.yml"
+  '/api/2/policies/{policyId}/entries/{label}/allowedImportAdditions':
+    $ref: "./paths/policies/allowedImportAdditions.yml"
+  '/api/2/policies/{policyId}/entries/{label}/importable':
+    $ref: "./paths/policies/importable.yml"
   '/api/2/policies/{policyId}/imports':
     $ref: "./paths/policies/imports.yml"
   '/api/2/policies/{policyId}/imports/{importedPolicyId}':
     $ref: "./paths/policies/import.yml"
+  '/api/2/policies/{policyId}/imports/{importedPolicyId}/entries':
+    $ref: "./paths/policies/importEntries.yml"
+  '/api/2/policies/{policyId}/imports/{importedPolicyId}/entriesAdditions':
+    $ref: "./paths/policies/entriesAdditions.yml"
+  '/api/2/policies/{policyId}/imports/{importedPolicyId}/entriesAdditions/{label}':
+    $ref: "./paths/policies/entryAddition.yml"
 
   ###
   ### Who Am I
@@ -424,6 +434,12 @@ components:
       $ref: "./schemas/policies/resourceEntry.yml"
     Permission:
       $ref: "./schemas/policies/permission.yml"
+    AllowedImportAdditions:
+      $ref: "./schemas/policies/allowedImportAdditions.yml"
+    EntriesAdditions:
+      $ref: "./schemas/policies/entriesAdditions.yml"
+    EntryAddition:
+      $ref: "./schemas/policies/entryAddition.yml"
     SubjectAnnouncement:
       $ref: "./schemas/policies/subjectAnnouncement.yml"
     Features:

diff --git a/documentation/src/main/resources/openapi/sources/paths/policies/allowedImportAdditions.yml b/documentation/src/main/resources/openapi/sources/paths/policies/allowedImportAdditions.yml
@@ -0,0 +1,144 @@
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+get:
+  summary: Retrieve the allowed import additions for a specific policy entry
+  description: |-
+    Returns the allowed import additions of the policy entry identified by the
+    `policyId` path parameter and the `label` path parameter.
+
+    Allowed import additions control which types of additions (subjects, resources) are permitted
+    when this entry is imported by other policies via `entriesAdditions`.
+  tags:
+    - Policies
+  parameters:
+    - $ref: '../../parameters/policyIdPathParam.yml'
+    - $ref: '../../parameters/labelPathParam.yml'
+    - $ref: '../../parameters/ifMatchHeaderParamHash.yml'
+    - $ref: '../../parameters/ifNoneMatchHeaderParam.yml'
+    - $ref: '../../parameters/timeoutParam.yml'
+  responses:
+    '200':
+      description: The request successfully returned. The allowed import additions are returned.
+      headers:
+        ETag:
+          description: |-
+            The (current server-side) ETag for this (sub-)resource. For top-level resources it is in the format
+            "rev:[revision]", for sub-resources it has the format "hash:[calculated-hash]".
+          schema:
+            type: string
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/policies/allowedImportAdditions.yml'
+    '304':
+      $ref: '../../responses/notModified.yml'
+    '400':
+      description: |-
+        The request could not be completed. Possible reasons:
+
+           * the `policyId` does not conform to the namespaced entity ID notation (see [Ditto documentation on namespaced entity IDs](https://www.eclipse.dev/ditto/basic-namespaces-and-names.html#namespaced-id))
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '401':
+      description: The request could not be completed due to missing authentication.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '404':
+      description: |-
+        The request could not be completed. The policy with the given ID or
+        the policy entry was not found in the context of the authenticated
+        user.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '412':
+      $ref: '../../responses/preconditionFailed.yml'
+put:
+  summary: Modify the allowed import additions for a specific policy entry
+  description: |-
+    Modify the allowed import additions of the policy entry identified by the
+    `policyId` path parameter and the `label` path parameter.
+
+    Allowed import additions control which types of additions (subjects, resources) are permitted
+    when this entry is imported by other policies via `entriesAdditions`. Setting an empty array
+    disables all additions for this entry.
+  tags:
+    - Policies
+  parameters:
+    - $ref: '../../parameters/policyIdPathParam.yml'
+    - $ref: '../../parameters/labelPathParam.yml'
+    - $ref: '../../parameters/ifMatchHeaderParamHash.yml'
+    - $ref: '../../parameters/ifNoneMatchHeaderParam.yml'
+    - $ref: '../../parameters/ifEqualHeaderParam.yml'
+    - $ref: '../../parameters/timeoutParam.yml'
+    - $ref: '../../parameters/responseRequiredParam.yml'
+  responses:
+    '204':
+      description: The allowed import additions were successfully updated.
+      headers:
+        ETag:
+          description: |-
+            The (current server-side) ETag for this (sub-)resource. For top-level resources it is in the format
+            "rev:[revision]", for sub-resources it has the format "hash:[calculated-hash]".
+          schema:
+            type: string
+    '400':
+      description: |-
+        The request could not be completed. Possible reasons:
+
+           * the `policyId` does not conform to the namespaced entity ID notation (see [Ditto documentation on namespaced entity IDs](https://www.eclipse.dev/ditto/basic-namespaces-and-names.html#namespaced-id))
+         * the JSON body of the allowed import additions is invalid
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '401':
+      description: The request could not be completed due to missing authentication.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '403':
+      description: |-
+        The request could not be completed. Possible reasons:
+        * the caller has insufficient permissions.
+          You need `WRITE` permission on the `policy:/entries/{label}/allowedImportAdditions` resource,
+          without any revoke in a deeper path of the policy resource.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '404':
+      description: |-
+        The request could not be completed. The policy with the given ID was
+        not found in the context of the authenticated user.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '412':
+      $ref: '../../responses/preconditionFailed.yml'
+    '413':
+      $ref: '../../responses/entityTooLarge.yml'
+  requestBody:
+    content:
+      application/json:
+        schema:
+          $ref: '../../schemas/policies/allowedImportAdditions.yml'
+        example: [ "subjects", "resources" ]
+    description: |-
+      JSON array of allowed import addition types.
+    required: true
diff --git a/documentation/src/main/resources/openapi/sources/paths/policies/entriesAdditions.yml b/documentation/src/main/resources/openapi/sources/paths/policies/entriesAdditions.yml
@@ -0,0 +1,155 @@
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+get:
+  summary: Retrieve all entries additions of a specific policy import
+  description: |-
+    Returns the entries additions of the policy import identified by the `policyId` path
+    parameter and the `importedPolicyId` path parameter.
+
+    Entries additions define additional subjects and/or resources to be additively merged
+    into imported policy entries.
+  tags:
+    - Policies
+  parameters:
+    - $ref: '../../parameters/policyIdPathParam.yml'
+    - $ref: '../../parameters/importedPolicyIdPathParam.yml'
+    - $ref: '../../parameters/ifMatchHeaderParamHash.yml'
+    - $ref: '../../parameters/ifNoneMatchHeaderParam.yml'
+    - $ref: '../../parameters/timeoutParam.yml'
+  responses:
+    '200':
+      description: The request successfully returned. The entries additions are returned.
+      headers:
+        ETag:
+          description: |-
+            The (current server-side) ETag for this (sub-)resource. For top-level resources it is in the format
+            "rev:[revision]", for sub-resources it has the format "hash:[calculated-hash]".
+          schema:
+            type: string
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/policies/entriesAdditions.yml'
+    '304':
+      $ref: '../../responses/notModified.yml'
+    '400':
+      description: |-
+        The request could not be completed. Possible reasons:
+
+          * the `policyId` or the `importedPolicyId` does not conform to the namespaced entity ID notation (see [Ditto documentation on namespaced entity IDs](https://www.eclipse.dev/ditto/basic-namespaces-and-names.html#namespaced-id))
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '401':
+      description: The request could not be completed due to missing authentication.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '404':
+      description: |-
+        The request could not be completed. The policy with the given ID or
+        the policy import was not found in the context of the authenticated
+        user.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '412':
+      $ref: '../../responses/preconditionFailed.yml'
+put:
+  summary: Modify all entries additions of a specific policy import
+  description: |-
+    Modify the entries additions of the policy import identified by the `policyId` path
+    parameter and the `importedPolicyId` path parameter.
+
+    Entries additions define additional subjects and/or resources to be additively merged
+    into imported policy entries. The imported policy entries must explicitly allow these
+    additions via their "allowedImportAdditions" field.
+  tags:
+    - Policies
+  parameters:
+    - $ref: '../../parameters/policyIdPathParam.yml'
+    - $ref: '../../parameters/importedPolicyIdPathParam.yml'
+    - $ref: '../../parameters/ifMatchHeaderParamHash.yml'
+    - $ref: '../../parameters/ifNoneMatchHeaderParam.yml'
+    - $ref: '../../parameters/ifEqualHeaderParam.yml'
+    - $ref: '../../parameters/timeoutParam.yml'
+    - $ref: '../../parameters/responseRequiredParam.yml'
+  responses:
+    '204':
+      description: The entries additions were successfully updated.
+      headers:
+        ETag:
+          description: |-
+            The (current server-side) ETag for this (sub-)resource. For top-level resources it is in the format
+            "rev:[revision]", for sub-resources it has the format "hash:[calculated-hash]".
+          schema:
+            type: string
+    '400':
+      description: |-
+        The request could not be completed. Possible reasons:
+
+          * the `policyId` or the `importedPolicyId` does not conform to the namespaced entity ID notation (see [Ditto documentation on namespaced entity IDs](https://www.eclipse.dev/ditto/basic-namespaces-and-names.html#namespaced-id))
+          * the JSON body of the entries additions is invalid
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '401':
+      description: The request could not be completed due to missing authentication.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '403':
+      description: |-
+        The request could not be completed. Possible reasons:
+        * the caller has insufficient permissions.
+          You need `WRITE` permission on the `policy:/imports/{importedPolicyId}` resource,
+          without any revoke in a deeper path of the policy resource.
+        * the imported policy entries do not allow the specified additions via their
+          "allowedImportAdditions" field.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '404':
+      description: |-
+        The request could not be completed. The policy with the given ID or
+        the policy import was not found in the context of the authenticated
+        user.
+      content:
+        application/json:
+          schema:
+            $ref: '../../schemas/errors/advancedError.yml'
+    '412':
+      $ref: '../../responses/preconditionFailed.yml'
+    '413':
+      $ref: '../../responses/entityTooLarge.yml'
+  requestBody:
+    content:
+      application/json:
+        schema:
+          $ref: '../../schemas/policies/entriesAdditions.yml'
+        example:
+          default:
+            subjects:
+              "integration:my-connection":
+                type: "generated"
+            resources:
+              "thing:/features":
+                grant: [ "READ" ]
+                revoke: []
+    description: |-
+      JSON representation of the entries additions.
+    required: true