Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Permissions

There is a distinct division between permissions and scopes.  Permissions control access to YOUnite resource (i.e endpoints) and scopes control access to the data behind the /domains and /dr endpoints.

When a zone is created, the Zone IT Admin (admin) and the Zone Data Steward (ZDS) are given appropriate permissions based on their respective roles. The admin can grant permissions to most of the resources in the zone and the remainder, which are data related, are granted by the ZDS.

Permissions to resources are restricted by default. Permissions can be granted to a resource by specifying:

  1. The "ALLOW" type of permission
  2. The URI location
  3. The REST action. Possible actions mirror the REST verbs available at the resource and the special case ANY which is a shortcut for "all vebs":
    • GET
    • PUT
    • POST
    • DELETE
    • ANY

Examples

Allow a user to view all of the adaptors in the zone identified by UUID 18e1f27a-36b5-472f-a03c-6831fb78f97a.

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
}


This would not allow the user to view the individual adaptor resource details. For example, if the zone had an adaptor identified by the UUID 7c11c574-0e35-4c78-b572-222952156ac8, this request would be denied:

GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8


To allow the user access to an individual adaptor:

{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8"
}

To allow the user detailed access to all adaptors in the zone:


So… one of our underlying philosophies is that, “sure you can give permissions to view all of a given sub-resources in a zone” e.g. /zones/uuid/users” …


[10:50]

or… “all of the sub-resources sub resources” e.g. /zones/uuid/users/*73f26990-db53-47fe-a73f-734921ff323d

73f26990-db53-47fe-a73f-734921ff323d73f26990-db53-47fe-a73f-734921ff323d

[10:51]

but if you want to limit which sub-resources can be accessed you need to turn them on/off individually


Robbie Gehbauer

[10:52 AM]

makes sense to me


Mark Fitzpatrick [10:52 AM]

and until we have something like templates, you’ll need to make the appropriate settings when POSTing new resources


[10:53]

and to continue being philosophical…


[10:54]

There are these cases that seem redundant and the behavior needs to be understood e.g.


[10:54]

If a zoneUser has the permissions {


[10:54]

GET /zones/uuid/users


[10:55]

GET /zones/uuid/users/user1-uuid


[10:55]

}


[10:55]

(and say there are three zoneUsers in the zone)


[10:56]

One might think that GET /zones/uuid/users would only return user-1


[10:56]

but it would return all three users


[10:56]

GET /zones/uuid/users/user2-uuid would get an “Access Denied”


[10:57]

I think I feel a wiki page coming on

  • No labels