Controlling Access
Access to resources on the platform is controlled through access control lists (ACLs) on the resource object models. Each resource on the platform has an acl property containing a list of identities created in the account management console, such as workgroups. The presence of an identity in the resource model ACL allows requestors with a membership in that identity to access the resource according to the given set of permissions granted within that membership. The tenant identity of the resource creator is always added to the resource ACL to prevent inaccessible resources by always permitting tenant administrators access to the resource.
Actions on the platform are performed in the context of an identity with a set of permissions. Upon initial login to the platform using default settings, users act in the context of their individual user identity. When operating within a shared context, such as a project or workgroup, the ACL on resources created will contain the shared context identity and other users with a membership in the shared context will be able to perform operations on those resources.
Each context identity contains a prefix indicating the context type followed by a global unique identifier.
| Context Type | Example Identity |
|---|---|
Tenant | tid:EXAMPLE |
Project | cid:EXAMPLE |
Workgroup | wid:EXAMPLE |
User | uid:EXAMPLE |
Upon logging into the platform via the command-line interface (CLI) using default options, requests to the platform are made in the individual user context. Context is switched in the CLI using the workgroups enter and projects enter commands. Upon entering a workgroup or a project, requests are made in that context. When using the UI, a project context is entered upon clicking on a project and entering that view.
ℹ️ Important
The platform GUI only shows project contexts. When using the CLI, the project context must be used with the corresponding GUI project in order for those resources to show in the platform GUI.
Identity Context
Actions performed on the platform require logging in to an identity context. The default context when logging in through the command-line interface is the individual user context. The platform operations are authorized using a JSON Web Token (JWT) with a payload indicating the requestor's acting context. The JWT payload contains specific claims indicating the ACL to be added to resources created and identity memberships with associated permissions to indicate which resources will be accessible to the requestor.
| JWT Claim | Description |
|---|---|
acl | List of identities to be added to the ACL of resources created |
mem | Identity memberships with associated permissions according to indices of permissions in the scopes claim |
scopes | List of scopes available to memberships (collation of permissions across all memberships in JWT) |
Example JWT Payload:
Resources created will contain an ACL that matches the ACL in the JWT payload.
Sharing Resources
Updating ACLs on resources through the CLI will cause problems when attempting to access the resources through the platform GUI. It's recommended to utilize the GUI for sharing resources.
In order to change the ACL of a resource after it's been created, the requestor must have GRANT permission on the resource. The resource model can be updated from the command-line interface using the update command with the --acl flag containing a list of the identities to be included on the resource ACL. The update operation will replace all identities except the tenant identity. In order to retain the existing ACL, the resource model should be retrieved and the identities on the ACL should be included in the request to update the resource.
Sharing resources by updating the ACL should be done with caution. Adding an identity to the resource ACL grants users with a membership in the identity permission to the resource according to the permission they have in the context of that identity.
Last updated