Users

Groups

Roles

Permissions

When discussing zone management and users, groups, roles, and permissions, keep in mind that permissions and scopes are distinct. Permissions control access to YOUnite resources (i.e., endpoints), and scopes control access to the data behind the /domains and /dr endpoints.

...

  1. The "ALLOW" type of permission
  2. The URI location
    1. The URI can contain the * wildcard character.
  3. The REST action. Possible actions mirror the REST verbs available at the resource and the special case ALL, which is a shortcut for "all verbs":
    • GET
    • PUT
    • POST
    • DELETE
    • ALL

Examples

To allow a user to view the groups in a zone:

...

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/groups/9e463a36-5dd7-4440-8a90-94ce32e06c13/permissions

Special Cases

Typically, permissions end with the wildcard "*", e.g. /zones/zone-uuid/users/*. However, there are cases where permissions end with:

...

Individual resource access is needed at times when sub-resources contain sensitive information, as described below in "Sensitive Sub Resource Access."

Access by Resource Name

This permission allows a user to view all of the adaptors in the zone (identified by UUID 18e1f27a-36b5-472f-a03c-6831fb78f97a in the example below).

...

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8

Access by Individual Resource

This permission allows the user access to an individual adaptor, but not that adaptor's resource details.

...

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/*"
}
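
The three permission shapes above (resource name, trailing wildcard, individual resource) evaluated against sample requests, as an added example that is not YOUnite's own code. The matching rules are assumptions, since this page does not spell them out: default deny, a trailing "*" covers everything beneath the prefix, and a resource without "*" must match exactly. The /details sub-resource name is hypothetical.

```javascript
// Added illustration, not YOUnite source code. Assumed matching rules:
//  - default deny: refuse unless some ALLOW entry matches
//  - a resource ending in "/*" covers everything beneath that prefix
//  - a resource without "*" must equal the request path exactly
//  - action "ALL" stands for every REST verb
const ZONE = "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a";             // zone UUID from the page
const ADAPTOR = ZONE + "/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"; // adaptor UUID from the page

function normalize(path) {
  // Reject traversal and empty segments instead of canonicalizing them, so
  // ".../adaptors/../users" can never be matched by an adaptors permission.
  const bare = path.split("?")[0];
  if (!bare.startsWith("/")) return null;
  const segments = bare.slice(1).split("/");
  if (segments.some(s => s === "" || s === "." || s === "..")) return null;
  return "/" + segments.join("/");
}

function matches(permission, verb, path) {
  if (permission.type !== "ALLOW") return false;
  if (permission.action !== "ALL" && permission.action !== verb.toUpperCase()) return false;
  const resource = permission.resource;
  if (resource.endsWith("/*")) {
    // Keep the trailing "/" in the prefix so "/adaptors/*" cannot match "/adaptors-old/x".
    return path.startsWith(resource.slice(0, -1));
  }
  return path === resource;
}

function isAllowed(permissions, verb, requestPath) {
  const path = normalize(requestPath);
  return path !== null && permissions.some(p => matches(p, verb, path));
}

// Constructed sample grants, one per permission shape.
const byName = [{ type: "ALLOW", action: "GET", resource: ZONE + "/adaptors" }];
const byWildcard = [{ type: "ALLOW", action: "GET", resource: ZONE + "/adaptors/*" }];
const byIndividual = [{ type: "ALLOW", action: "GET", resource: ADAPTOR }];

// The individual grant reaches the adaptor but not its (hypothetical) sub-resource.
console.log("individual, adaptor:     ", isAllowed(byIndividual, "GET", ADAPTOR));
console.log("individual, sub-resource:", isAllowed(byIndividual, "GET", ADAPTOR + "/details"));
console.log("wildcard, sub-resource:  ", isAllowed(byWildcard, "GET", ADAPTOR + "/details"));
```

Under these assumptions a trailing wildcard exposes every sub-resource of every adaptor, which is why the individual-resource form is the narrower grant when sub-resources hold sensitive data.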

Sensitive Sub Resource Access

...

NOTE: The examples below demonstrate how to manage secure access with the adaptors resource, but similar situations could apply to other resources.

...