...

When a zone is created, the zone users, 1) the Zone IT Admin (admin) and 2) the Zone Data Steward (ZDS), are given appropriate permissions based on their respective roles. The admin can grant permissions to most of the resources in the zone. The remainder of the permissions, which are data related, are granted by the ZDS.

Resource permissions granted to zone users (users) are restricted by default. Permissions can be granted to a resource by specifying:

...

Code Block
languagejs
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
}


This request can now be made by the user:

Code Block
languagejs
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors


However, this would not allow the user to view the individual adaptor resource details. For example, if the zone had an adaptor identified by the UUID 7c11c574-0e35-4c78-b572-222952156ac8, this request would be denied:

...

To allow the user detailed access to all adaptors in the zone, use the '*' wildcard:

Code Block
languagejs
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/*"
}


However, for some resources this may not be desirable, since it would allow access to resources that should be accessed only by the admin. For example:


So… one of our underlying philosophies is that, “sure you can give permissions to view all of a given sub-resources in a zone”, e.g. /zones/uuid/users …

Code Block
languagejs
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8/registration


If the requirement is to grant a user detailed access to adaptors in a zone (beyond what is returned with GET /zones/zone-uuid/adaptors) but not grant access to the adaptor's registration information, then permission to each adaptor in the zone needs to be granted:

Code Block
languagejs
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ae91d787-65c9-4f24-bff4-e3acbd6161bb"
}

Assume the zone has three adaptors and the user has the following permissions:

Code Block
languagejs
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ae91d787-65c9-4f24-bff4-e3acbd6161bb"
}

The following request would return limited information on all three adaptors:

Code Block
languagejs
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors
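
The matching behaviour described above, as an added example (not part of the original page or the product's own code): a default-deny evaluator run over the wildcard grant and the per-adaptor grant. It assumes a trailing `/*` covers every deeper path under its prefix, as the registration example implies; the function names and the third adaptor UUID are constructed for illustration.

```javascript
// Added example: default-deny evaluation of the permission objects shown above.
const ZONE = "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a";
const A1 = "7c11c574-0e35-4c78-b572-222952156ac8";
const A2 = "ae91d787-65c9-4f24-bff4-e3acbd6161bb";
const A3 = "00000000-0000-4000-8000-000000000003"; // constructed: third adaptor

// Assumption: a trailing "/*" matches any deeper path under its prefix.
function resourceMatches(pattern, path) {
  if (pattern.endsWith("/*")) {
    const prefix = pattern.slice(0, -1); // keep the trailing "/"
    return path.startsWith(prefix) && path.length > prefix.length;
  }
  return pattern === path; // exact match: no implicit access to children
}

// Default deny: allowed only if some ALLOW entry matches action and path.
function isAllowed(permissions, action, path) {
  return permissions.some(
    (p) => p.type === "ALLOW" && p.action === action &&
           resourceMatches(p.resource, path)
  );
}

const allow = (resource) => ({ type: "ALLOW", action: "GET", resource });

// Listing plus wildcard: covers every adaptor and everything beneath it.
const wildcardGrant = [allow(`${ZONE}/adaptors`), allow(`${ZONE}/adaptors/*`)];
// Listing plus explicit grants for two of the three adaptors.
const perAdaptorGrant = [
  allow(`${ZONE}/adaptors`),
  allow(`${ZONE}/adaptors/${A1}`),
  allow(`${ZONE}/adaptors/${A2}`),
];

// Requests to audit: list, adaptor detail, registration, ungranted adaptor.
const REQUESTS = [
  `${ZONE}/adaptors`,
  `${ZONE}/adaptors/${A1}`,
  `${ZONE}/adaptors/${A1}/registration`,
  `${ZONE}/adaptors/${A3}`,
];

function audit(permissions) {
  return REQUESTS.map((path) => isAllowed(permissions, "GET", path));
}

console.log("wildcard   :", audit(wildcardGrant));
console.log("per-adaptor:", audit(perAdaptorGrant));
```

Running the audit against a user's real permission list before adding a wildcard shows which admin-only sub-resources, such as registration, the wildcard would expose.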


...