Users

Groups

Roles

Permissions

When talking about zone management and users, groups, roles, and permissions, it is useful to remember that there is a distinct division between permissions and scopes. Permissions control access to YOUnite resources (i.e., endpoints), and scopes control access to the data behind the /domains and /dr endpoints.

...

  1. The "ALLOW" type of permission
  2. The URI location
    1. The URI can contain the * wildcard character.
  3. The REST action. Possible actions mirror the REST verbs available at the resource and the special case ALL, which is a shortcut for "all verbs":
    • GET
    • PUT
    • POST
    • DELETE
    • ALL

Examples

To allow a user to view the groups in a zone:

...

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups/9e463a36-5dd7-4440-8a90-94ce32e06c13/permissions

Special Cases

Typically, permissions end with the wildcard "*", e.g. /zones/zone-uuid/users/*. However, there are cases where permissions end with:

...

Individual resource access is needed at times when sub-resources contain sensitive information, as described below in "Sensitive Sub Resource Access."

Access by Resource Name

This permission allows a user to view all of the adaptors in the zone (identified by UUID 18e1f27a-36b5-472f-a03c-6831fb78f97a in the example below).

...

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8

Access by Individual Resource

This permission allows the user access to an individual adaptor, but not that adaptor's resource details.

...

This is in contrast to allowing the user detailed access to all adaptors in the zone, using the '*' wildcard, which does allow the user access to that adaptor's resource details.

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/*"
}

Sensitive Sub Resource Access

...

NOTE: The examples below demonstrate how to manage secure access with the adaptors resource but similar situations could apply with other resources.

...

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156aaa/*"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ae91d787-65c9-4f24-bff4-e3acbd616bbb"
}

...
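
The following Python sketch is an added example, not YOUnite code: it evaluates the three permissions above under an assumed matching model (default deny, `*` matches any remaining path including `/`, `ALL` covers every verb) to show which requests each entry covers. The `sub-resource` path segment and the third adaptor UUID are constructed placeholders.

```python
import re

# Zone and adaptor UUIDs are the ones used in the permission list above.
ZONE = "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a"
ADAPTOR_A = "7c11c574-0e35-4c78-b572-222952156aaa"   # granted with trailing /*
ADAPTOR_B = "ae91d787-65c9-4f24-bff4-e3acbd616bbb"   # granted as individual resource
ADAPTOR_C = "00000000-0000-0000-0000-000000000ccc"   # constructed, not granted

PERMISSIONS = [
    {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors"},
    {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors/{ADAPTOR_A}/*"},
    {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors/{ADAPTOR_B}"},
]

def resource_matches(pattern: str, path: str) -> bool:
    """Assumed model: '*' matches any run of characters, '/' included.
    All other characters are literal and the whole path must match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def is_allowed(permissions, action: str, path: str) -> bool:
    """Assumed default deny: a request passes only if an ALLOW entry covers it."""
    for perm in permissions:
        if perm["type"] != "ALLOW":
            continue
        if perm["action"] not in ("ALL", action):
            continue
        if resource_matches(perm["resource"], path):
            return True
    return False

def audit(permissions, requests):
    """Map each (action, path) request to the access decision."""
    return {(a, p): is_allowed(permissions, a, p) for a, p in requests}

# Constructed requests; "sub-resource" is a placeholder path segment.
SAMPLE_REQUESTS = [
    ("GET", f"{ZONE}/adaptors"),                           # resource name
    ("GET", f"{ZONE}/adaptors/{ADAPTOR_B}"),               # individual resource
    ("GET", f"{ZONE}/adaptors/{ADAPTOR_B}/sub-resource"),  # details not granted
    ("GET", f"{ZONE}/adaptors/{ADAPTOR_A}/sub-resource"),  # covered by /*
    ("GET", f"{ZONE}/adaptors/{ADAPTOR_C}"),               # no entry for this one
    ("DELETE", f"{ZONE}/adaptors/{ADAPTOR_B}"),            # verb not granted
]

if __name__ == "__main__":
    for (action, path), ok in audit(PERMISSIONS, SAMPLE_REQUESTS).items():
        print("ALLOW" if ok else "DENY ", action, path)
```

Running the same audit over a group's real permission list makes it easy to spot entries ending in `*` that expose sensitive sub-resources more widely than intended.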