...
Typically, permissions end with the resource name or the wildcard "/*", e.g. /zones/zone-uuid/users or /zones/zone-uuid/users/*. However, there are cases where permissions for an individual resource need to be specified. Permissions end with:
- The resource name, e.g. /zones/zone-uuid/users
- An individual resource, e.g. /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8
...
Limited Access to Resources
...
Individual resource access is needed at times when sub-resources contain sensitive information as described below in "Sensitive Sub Resource Access."
Access by Resource Name
This permission allows a user to view all of the adaptors in the zone identified by UUID 18e1f27a-36b5-472f-a03c-6831fb78f97a.

```http
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8
```
Access by Individual Resource
To allow the user access to an individual adaptor:

```json
{ "type": "ALLOW", "action": "GET", "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8" }
```
This is in contrast to allowing the user detailed access to all adaptors in the zone using the '*' wildcard:

```json
{ "type": "ALLOW", "action": "GET", "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/*" }
```
...
If the requirement is to grant a user detailed access to the adaptors in a zone (beyond what is returned with GET /zones/zone-uuid/adaptors) but not grant access to the adaptors' registration information, then permission to each adaptor in the zone must be granted on an adaptor-by-adaptor basis:

```json
[
  { "type": "ALLOW", "action": "GET", "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors" },
  { "type": "ALLOW", "action": "GET", "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156aaa" },
  { "type": "ALLOW", "action": "GET", "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ae91d787-65c9-4f24-bff4-e3acbd616bbb" }
]
```
Assume the zone has three adaptors and the user has the following permissions:

```json
[
  { "type": "ALLOW", "action": "GET", "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors" },
  { "type": "ALLOW", "action": "GET", "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156aaa/*" },
  { "type": "ALLOW", "action": "GET", "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ae91d787-65c9-4f24-bff4-e3acbd616bbb" }
]
```
A request for the adaptor list (GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors, covered by the first permission) would return limited information on all three adaptors:

```json
[
  { ...., "uuid": "7c11c574-0e35-4c78-b572-222952156aaa", .... },
  { ...., "uuid": "ae91d787-65c9-4f24-bff4-e3acbd616bbb", .... },
  { ...., "uuid": "ca445ebd-ffcb-4001-9d63-19e773a95ccc", .... }
]
```
Detailed access to either adaptor named in the permissions (the ones ending in aaa and bbb) would be allowed, but the following request would be denied because no permission covers the third adaptor:

```http
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ca445ebd-ffcb-4001-9d63-19e773a95ccc
```
Since the user's permission for the adaptor ending in aaa carries the wildcard, the user could see the registration details for this adaptor:

```http
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156aaa/registration
```
But the user could not retrieve the registration details for the adaptor ending in bbb, since that adaptor's permission names the adaptor resource exactly and has no wildcard, so the registration sub-resource is not covered.
This allows information about the adaptors to be shared but limits the access to the sensitive registration information about the adaptor.
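The scenario above, worked through with a small evaluator. This is an added example written for this page, not the product's own authorization code; it assumes that a resource ending in "/*" covers the base resource itself and every sub-resource beneath it, that any other resource string must match the request path exactly, and that a request is denied unless some ALLOW entry with the same action matches it (the page only shows ALLOW entries, so no DENY handling is modelled).

```javascript
// Added example: minimal evaluator for the permission entries shown on this page.
// Assumptions (not stated by the page): "/*" covers the base path and anything
// below it; other resources match exactly; default deny when nothing matches.

const ZONE = "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a";
const AAA = `${ZONE}/adaptors/7c11c574-0e35-4c78-b572-222952156aaa`;
const BBB = `${ZONE}/adaptors/ae91d787-65c9-4f24-bff4-e3acbd616bbb`;
const CCC = `${ZONE}/adaptors/ca445ebd-ffcb-4001-9d63-19e773a95ccc`;

// The three-adaptor permission set from the page: list access, wildcard on
// adaptor ...aaa, exact-resource access on ...bbb, nothing for ...ccc.
const permissions = [
  { type: "ALLOW", action: "GET", resource: `${ZONE}/adaptors` },
  { type: "ALLOW", action: "GET", resource: `${AAA}/*` },
  { type: "ALLOW", action: "GET", resource: BBB },
];

// Does a single permission's resource string cover the requested path?
function resourceMatches(resource, path) {
  if (resource.endsWith("/*")) {
    const base = resource.slice(0, -2);
    // Base itself, or any path strictly below it (the "/" guard stops
    // ".../aaa/*" from covering ".../aaab").
    return path === base || path.startsWith(`${base}/`);
  }
  return resource === path; // exact resource: no sub-resources implied
}

// Default deny: allowed only if some ALLOW entry for this action matches.
function isAllowed(perms, action, path) {
  return perms.some(
    (p) => p.type === "ALLOW" && p.action === action && resourceMatches(p.resource, path),
  );
}

// Evaluate every request the page discusses; returns { path: decision }.
function evaluateScenario() {
  const requests = [`${ZONE}/adaptors`, AAA, BBB, CCC,
    `${AAA}/registration`, `${BBB}/registration`];
  const results = {};
  for (const path of requests) results[path] = isAllowed(permissions, "GET", path);
  return results;
}

for (const [path, ok] of Object.entries(evaluateScenario())) {
  console.log(`${ok ? "ALLOW" : "DENY "} GET ${path}`);
}
```

The last two lines of output are the point of the section: the wildcard entry exposes /registration for adaptor aaa, while the exact-resource entry for bbb does not.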
...