Permissions

There is a distinct division between permissions and scopes. Permissions control access to YOUnite resources (i.e., endpoints), and scopes control access to the data behind the /domains and /dr endpoints.

When a zone is created, the zone users 1) Zone IT Admin (admin) and 2) Zone Data Steward (ZDS) are given appropriate permissions based on their respective roles. The admin can grant permissions to most of the resources in the zone. The remainder of the permissions, which are data related, are granted by the ZDS.

Resource permissions granted to zone users (users) are restricted by default. Permissions can be granted to a resource by specifying:

  1. The "ALLOW" type of permission
  2. The URI location
  3. The REST action. Possible actions mirror the REST verbs available at the resource, plus the special case ANY, which is a shortcut for "all verbs":
    • GET
    • PUT
    • POST
    • DELETE
    • ANY

Examples

Allow a user to view all of the adaptors in the zone identified by UUID 18e1f27a-36b5-472f-a03c-6831fb78f97a.

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
}

This request can now be made by the user:

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors


However, this permission would not allow the user to view the individual adaptor resource details. For example, if the zone had an adaptor identified by the UUID 7c11c574-0e35-4c78-b572-222952156ac8, this request would be denied:

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8


To allow the user access to an individual adaptor:

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"
}


To allow the user detailed access to all adaptors in the zone, use the '*' wildcard:

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/*"
}

However, for some resources this may not be desirable, since it would allow access to resources that should be accessed only by the admin. For example:

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8/registration


If the requirement is to grant a user detailed access to adaptors in a zone (beyond what is returned with GET /zones/zone-uuid/adaptors) but not grant access to the adaptor's registration information, then permission to each adaptor in the zone needs to be granted:

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ae91d787-65c9-4f24-bff4-e3acbd6161bb"
}

Assume the zone has three adaptors and the user has the following permissions:

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ae91d787-65c9-4f24-bff4-e3acbd6161bb"
}

The following request would return limited information on all three adaptors:

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors


[
  { ....
	"uuid": "7c11c574-0e35-4c78-b572-222952156ac8",
    ....
  },
  { ....
	"uuid": "ae91d787-65c9-4f24-bff4-e3acbd6161bb",
    ....
  },
  { ....
	"uuid": "ca445ebd-ffcb-4001-9d63-19e773a95fce",
    ....
  }
]


Detailed access to either adaptor specified in the permissions (the UUIDs ending in ac8 and 1bb) would be allowed, but the following request would be denied:

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ca445ebd-ffcb-4001-9d63-19e773a95fce

This allows information about the adaptors to be shared but limits the access to the sensitive registration information about the adaptor.
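
The following is an added example, not YOUnite code: a small model of the checks described above that reports which adaptor registration endpoints a grant set would expose, so a wildcard grant can be reviewed before it is applied. It assumes default deny, exact URI matching, and that a trailing '*' covers every path below its prefix; the function names are hypothetical.

```python
# Added illustration, not YOUnite code. Matching rules are assumptions drawn
# from this page's examples: default deny, exact URI match, and a trailing
# '*' that covers everything below its prefix (including .../registration).
ZONE = "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a"
ADAPTORS = [
    "7c11c574-0e35-4c78-b572-222952156ac8",
    "ae91d787-65c9-4f24-bff4-e3acbd6161bb",
    "ca445ebd-ffcb-4001-9d63-19e773a95fce",
]


def allow_get(resource):
    return {"type": "ALLOW", "action": "GET", "resource": resource}


def resource_matches(pattern, path):
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return path.startswith(prefix) and len(path) > len(prefix)
    return path == pattern


def is_allowed(permissions, action, path):
    """A request passes only if some ALLOW entry matches verb and URI."""
    return any(
        p["type"] == "ALLOW"
        and p["action"] in (action, "ANY")
        and resource_matches(p["resource"], path)
        for p in permissions
    )


def exposed_registrations(permissions):
    """Review helper: adaptor UUIDs whose registration a grant set can GET."""
    return [
        uuid for uuid in ADAPTORS
        if is_allowed(permissions, "GET", f"{ZONE}/adaptors/{uuid}/registration")
    ]


# Grant sets taken from the page's examples.
PER_ADAPTOR = [allow_get(f"{ZONE}/adaptors")] + [
    allow_get(f"{ZONE}/adaptors/{uuid}") for uuid in ADAPTORS[:2]
]
WILDCARD = [allow_get(f"{ZONE}/adaptors/*")]

if __name__ == "__main__":
    print("per-adaptor exposes:", exposed_registrations(PER_ADAPTOR))
    print("wildcard exposes:   ", exposed_registrations(WILDCARD))
```

Under these assumptions the per-adaptor grants expose no registration endpoints, while the single wildcard grant exposes all three.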

