Users
Groups
Roles
Permissions
When talking about zone management and users, groups, roles, and permissions, it is useful to remember there is a distinct division between permissions and scopes. Permissions control access to a YOUnite resource (i.e endpoints) and scopes control access to the data behind the /domains
and /dr
endpoints.
...
- The "ALLOW" type of permission
- The URI location
- The URI can contain the
*
wildcard character.
- The URI can contain the
- The REST action. Possible actions mirror the REST verbs available at the resource and the special case ALL, which is a shortcut for "all verbs":
- GET
- PUT
- POST
- DELETE
- ALL
Examples
To allow a user to view the groups in a zone:
...
Code Block | ||
---|---|---|
| ||
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups/9e463a36-5dd7-4440-8a90-94ce32e06c13/permissions |
Special Cases
Typically, permissions end with the wildcard "*" e.g. /zones/zone-uuid/users/*. However, there are cases where permissions end with:
...
Individual resource access is needed at times when sub-resources contain sensitive information as described below in "Zone Management: Users, Groups, Roles & PermissionsSensitive Sub Resource Access."
Access by Resource Name
This permission allows a user to view all of the adaptors in the zone (identified by UUID 18e1f27a-36b5-472f-a03c-6831fb78f97a in the example below).
...
Code Block | ||
---|---|---|
| ||
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8 |
Access by Individual Resource
This permission allows the user access to an individual adaptor, but not that adaptor's resource details.
...
This is in contrast to allowing the user detailed access to all adaptors in the zone, using the ' * ' wildcard, which does allow the user access to that adaptor's resource details.
Code Block | ||
---|---|---|
| ||
{ "type": "ALLOW", "action": "GET", "resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/*" } |
Sensitive Sub Resource Access
...
NOTE: The examples below demonstrate how to manage secure access with the adaptors resource but similar situations could apply with other resources.
...
Code Block | ||
---|---|---|
| ||
{
"type": "ALLOW",
"action": "GET",
"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
},
{
"type": "ALLOW",
"action": "GET",
"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156aaa/*"
},
{
"type": "ALLOW",
"action": "GET",
"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ae91d787-65c9-4f24-bff4-e3acbd616bbb"
} |
...