...
- The "ALLOW" type of permission
- The URI location
- The REST action. Possible actions mirror the REST verbs available at the resource and the special case ANY which is a shortcut for "all verbs":
Examples
Allow a user to view the groups in a zone:
```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups"
}
```
For example:
```
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups
```
Use the "*" wildcard to allow a user to get group details in a zone:
```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups/*"
}
```
For example, get the group with UUID ...c13:
```
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups/9e463a36-5dd7-4440-8a90-94ce32e06c13
```
The wildcard character works recursively and allows the user access to the sub-resources as well:
```
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups/9e463a36-5dd7-4440-8a90-94ce32e06c13/permissions
```
Special Cases
Typically, permissions end with the resource name, "/" or "/*". However, there are cases where individual resource permissions need to be specified, e.g.:
```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"
}
```
Limited Access to Resources
You may want to allow a user a restricted view of a resource. For example:
This permission allows a user to view all of the adaptors in the zone identified by UUID 18e1f27a-36b5-472f-a03c-6831fb78f97a.
```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
}
```
...
```
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors
```
However, this would not allow the user to view the individual adaptor resource details. For example, if the zone had an adaptor identified by the UUID 7c11c574-0e35-4c78-b572-222952156ac8, this request would be denied:
...
```json
{
  "type": "ALLOW",
  "action": "GET",
  "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/*"
}
```
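The matching rules described so far (exact resource, the recursive "/*" wildcard, and the ANY action) can be checked against a permission set before it is granted. The following is an added example, not the product's own code; the names `resource_matches`, `is_allowed`, `audit` and `VIEWER` are hypothetical, and it assumes default deny, that "/x/*" does not cover the collection "/x" itself, and that paths with dot segments are rejected.

```python
# Added illustration of the matching rules on this page; not the product's code.
ZONE = "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a"
GROUP = f"{ZONE}/groups/9e463a36-5dd7-4440-8a90-94ce32e06c13"
ADAPTOR = f"{ZONE}/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"

# Constructed permission set: list adaptors, read everything below /groups.
VIEWER = [
    {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors"},
    {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/groups/*"},
]


def resource_matches(pattern, path):
    """Exact match, or recursive prefix match when the pattern ends in "/*"."""
    path = path.split("?", 1)[0].rstrip("/")
    if pattern.endswith("/*"):
        # Keep the trailing "/" of the prefix so a sibling such as /groups-x
        # does not match. Assumption: the collection /groups itself is excluded.
        return path.startswith(pattern[:-1])
    return path == pattern.rstrip("/")


def is_allowed(permissions, method, path):
    """Default deny: pass only if some ALLOW entry matches both verb and URI."""
    # Assumption: dot segments are rejected, since a prefix match on an
    # un-normalised path could otherwise resolve outside the granted resource.
    if any(seg in (".", "..") for seg in path.split("/")):
        return False
    for perm in permissions:
        if perm.get("type") != "ALLOW":
            continue
        if perm.get("action") not in ("ANY", method.upper()):
            continue
        if resource_matches(perm.get("resource", ""), path):
            return True
    return False


def audit(permissions):
    """Decisions for a fixed list of constructed requests, keyed by request."""
    requests = [
        ("GET", f"{ZONE}/adaptors"),       # collection listing
        ("GET", ADAPTOR),                  # individual adaptor details
        ("GET", GROUP),                    # covered by /groups/*
        ("GET", f"{GROUP}/permissions"),   # sub-resource reached recursively
        ("DELETE", GROUP),                 # verb not granted
    ]
    return {f"{m} {p}": is_allowed(permissions, m, p) for m, p in requests}
```

Running `audit(VIEWER)` shows that the "/groups/*" grant also reaches `/groups/<uuid>/permissions`, which is the kind of sub-resource to review before handing out a wildcard.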
...
Sensitive Sub Resource Access
GET /.../* may not be desirable since it would allow access to resources that should be accessed by only the admin. For example:
...