...

  1. The "ALLOW" type of permission
  2. The URI location
  3. The REST action. Possible actions mirror the REST verbs available at the resource, plus the special case ANY, which is a shortcut for "all verbs":
    • GET
    • PUT
    • POST
    • DELETE
    • ANY

Examples

Allow a user to view the groups in a zone:

```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups"
}
```

For example, this request is permitted:

```http
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups
```

Use the "*" wildcard to allow a user to get the details of any group in a zone:

```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups/*"
}
```

For example, get the group with UUID ...c13:

```http
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups/9e463a36-5dd7-4440-8a90-94ce32e06c13
```

The wildcard character matches recursively, so the same permission also gives the user access to the sub-resources of a group:

```http
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups/9e463a36-5dd7-4440-8a90-94ce32e06c13/permissions
```

Special Cases

Typically, permissions end with the resource name, "/" or "/*". However, there are cases where a permission on an individual resource needs to be specified, e.g.:

```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"
}
```

Limited Access to Resources

You may want to allow a user only a restricted view of a resource. For example, this permission allows a user to view all of the adaptors in the zone identified by UUID 18e1f27a-36b5-472f-a03c-6831fb78f97a:

```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
}
```

...

```http
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors
```

However, this would not allow the user to view the details of an individual adaptor resource. For example, if the zone had an adaptor identified by the UUID 7c11c574-0e35-4c78-b572-222952156ac8, this request would be denied:

...

```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/*"
}
```

...

Sensitive Sub Resource Access

GET /.../* may not be desirable, since it would also allow access to sub-resources that should be accessible only to the admin. For example:

...
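The following is an added example, not code from the original page or from the API it documents: a small policy matcher that implements the permission semantics described on this page (the ALLOW type, a REST verb or ANY as the action, and a resource that is either an exact URI or a recursive "/*" wildcard), so that the allow and deny cases in the text can be checked, including the "Limited Access" case (a permission on `/adaptors` does not cover `/adaptors/<uuid>`) and the "Sensitive Sub Resource" case (a permission on `/groups/*` also covers `/groups/<uuid>/permissions`). Two points the page leaves open are assumptions here and are marked as such in the comments: a trailing "/" is treated as naming the same resource, and a "/*" wildcard is treated as covering only the sub-resources beneath its prefix, not the prefix itself. The UUIDs are the ones used in the page's examples; the function names are the example's own.

```python
# Added example, not code from the original page or from the API it documents:
# a small policy matcher implementing the permission semantics described on
# this page (ALLOW type, REST verb or ANY, exact resource or recursive "/*"
# wildcard), so the allow/deny cases in the text can be checked. Two points the
# page leaves open are assumptions here and are marked in the comments.
from typing import Iterable, Mapping

VERBS = ("GET", "PUT", "POST", "DELETE")
ACTIONS = VERBS + ("ANY",)

# Zone, group and adaptor UUIDs are the ones used in the page's examples.
ZONE = "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a"
GROUP = "9e463a36-5dd7-4440-8a90-94ce32e06c13"
ADAPTOR = "7c11c574-0e35-4c78-b572-222952156ac8"


def validate_permission(perm: Mapping[str, str]) -> None:
    """Reject malformed entries at load time rather than at request time."""
    if perm.get("type") != "ALLOW":
        raise ValueError(f"unsupported permission type: {perm.get('type')!r}")
    if perm.get("action") not in ACTIONS:
        raise ValueError(f"unknown action: {perm.get('action')!r}")
    if not str(perm.get("resource", "")).startswith("/"):
        raise ValueError(f"resource must be an absolute URI path: {perm.get('resource')!r}")


def _strip_slash(path: str) -> str:
    # Assumption: a trailing "/" names the same resource ("/groups/" == "/groups").
    return path[:-1] if len(path) > 1 and path.endswith("/") else path


def resource_matches(pattern: str, path: str) -> bool:
    """True when the request path is covered by the permission's resource."""
    path = _strip_slash(path)
    if pattern.endswith("/*"):
        # Recursive wildcard: every sub-resource beneath the prefix, at any
        # depth, matched only on a path-segment boundary so that "/groups/*"
        # never covers "/groupsX". Assumption: the prefix itself ("/groups")
        # is not included; the page does not say either way.
        prefix = _strip_slash(pattern[:-2])
        return path.startswith(prefix + "/")
    # Without the wildcard the permission names exactly one resource.
    return path == _strip_slash(pattern)


def action_matches(granted: str, verb: str) -> bool:
    """ANY covers every verb; otherwise the verb must match exactly."""
    if verb not in VERBS:
        raise ValueError(f"unknown HTTP verb: {verb!r}")
    return granted == "ANY" or granted == verb


def is_allowed(perms: Iterable[Mapping[str, str]], verb: str, path: str) -> bool:
    """Deny by default; allow only if some ALLOW entry covers both verb and path."""
    for perm in perms:
        validate_permission(perm)
        if action_matches(perm["action"], verb) and resource_matches(perm["resource"], path):
            return True
    return False


# The page's own permission examples, as dicts.
GROUPS = {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/groups"}
GROUPS_SUB = {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/groups/*"}
ADAPTORS = {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors"}
ONE_ADAPTOR = {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors/{ADAPTOR}"}


if __name__ == "__main__":
    checks = [
        ([GROUPS], "GET", f"{ZONE}/groups"),                         # allowed: exact match
        ([GROUPS], "GET", f"{ZONE}/groups/{GROUP}"),                 # denied: no wildcard
        ([GROUPS_SUB], "GET", f"{ZONE}/groups/{GROUP}"),             # allowed: wildcard
        ([GROUPS_SUB], "GET", f"{ZONE}/groups/{GROUP}/permissions"), # allowed: recursive (sensitive sub-resource)
        ([GROUPS_SUB], "DELETE", f"{ZONE}/groups/{GROUP}"),          # denied: wrong verb
        ([ADAPTORS], "GET", f"{ZONE}/adaptors/{ADAPTOR}"),           # denied: limited access
        ([ONE_ADAPTOR], "GET", f"{ZONE}/adaptors/{ADAPTOR}"),        # allowed: single resource
    ]
    for perms, verb, path in checks:
        print(f"{'ALLOW' if is_allowed(perms, verb, path) else 'DENY ':5} {verb} {path}")
```

The matcher is deny-by-default: a request is only permitted when some entry covers both the verb and the path, and the wildcard is anchored to a path-segment boundary so that a permission on `/groups/*` cannot be satisfied by a differently named sibling resource. Validating every entry before it is consulted means a typo such as an unsupported action is surfaced when the policy is loaded instead of silently never matching.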