
Concepts

LinkSmart® LocalConnect implements a simple rule-based authorization that can be used to implement access control in the services (e.g., Resource Catalog).

Configuration

The configuration is an optional part of the authentication configuration, and has the following format:

{
    "rules": [
        {
            "resources": ["string"],
            "methods": ["string"],
            "users": ["string"],
            "groups": ["string"]
        }
    ]
}


where:

  • rules is an array of rules, each defined by the following parameters:
    • resources is an array of resources (API endpoint paths) to which the rule applies
    • methods is an array of HTTP methods to which the rule applies
    • users is an array of user names to which the rule applies
    • groups is an array of group names to which the rule applies

A request is authorized if it matches the resource, the method, and either the user or the group given in a single rule. Authorization is granted as soon as any one rule matches; rules are purely additive and do not override each other, so a rule can only grant access, never revoke it.

Example

{
    "rules": [
        {
            "resources": ["/rc"],
            "methods": ["GET"],
            "users": ["fit"],
            "groups": ["admin"]
        },
        {
            "resources": ["/rc"],
            "methods": ["POST", "PUT", "DELETE"],
            "users": [],
            "groups": ["admin"]
        }
    ]
}


Given the set of rules in the example above:
* user fit can perform GET requests on resources with path starting with /rc
* a user from group admin can perform GET, POST, PUT and DELETE requests on resources with path starting with /rc

Public Access

An API can open public access to certain endpoints or methods by creating a rule for group "anonymous".

Example

{
    "rules": [
        {
            "resources": ["/rc"],
            "methods": ["GET"],
            "groups": ["anonymous"]
        },
        {
            "resources": ["/rc"],
            "methods": ["GET", "POST", "PUT", "DELETE"],
            "groups": ["admin"]
        }
    ]
}


Given the set of rules in the example above:
* an unauthenticated user can perform GET requests on resources with path starting with /rc
* a user from group admin can perform GET, POST, PUT and DELETE requests on resources with path starting with /rc
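The following Go program is an added example, not LinkSmart LocalConnect code, that evaluates the rule semantics described on this page (prefix match on the resource path, exact match on the HTTP method, user or group match, any matching rule grants) against both configurations above, the plain one and the public-access one. The type names, the Caller struct and the decision that the group "anonymous" is implicitly held by every caller (so a public endpoint is also reachable by authenticated users) are assumptions of the example; the page only states that an "anonymous" rule opens access to unauthenticated users.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rule is one entry of the "rules" array in the format documented above.
type Rule struct {
	Resources []string `json:"resources"`
	Methods   []string `json:"methods"`
	Users     []string `json:"users"`
	Groups    []string `json:"groups"`
}

// Authorization is the top-level configuration object.
type Authorization struct {
	Rules []Rule `json:"rules"`
}

// Caller is the principal a request was authenticated as (assumed type); the
// zero value represents an unauthenticated request.
type Caller struct {
	User   string
	Groups []string
}

// PublicGroup is the group the page reserves for public access. This example
// treats it as implicitly held by every caller, authenticated or not (an
// assumption of the example, not something the page states).
const PublicGroup = "anonymous"

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// matches: the path must start with one of the rule's resources (prefix match,
// as the page's examples describe), the method must be listed, and the caller
// must be named in users or hold one of the groups.
func (r Rule) matches(c Caller, method, path string) bool {
	resourceOK := false
	for _, res := range r.Resources {
		resourceOK = resourceOK || strings.HasPrefix(path, res)
	}
	if !resourceOK || !contains(r.Methods, method) {
		return false
	}
	if contains(r.Groups, PublicGroup) || (c.User != "" && contains(r.Users, c.User)) {
		return true
	}
	for _, g := range c.Groups {
		if contains(r.Groups, g) {
			return true
		}
	}
	return false
}

// Authorize returns the index of the first rule that grants the request, or -1
// if none does. Rules are additive: a non-matching rule never denies.
func (a Authorization) Authorize(c Caller, method, path string) int {
	for i, r := range a.Rules {
		if r.matches(c, method, path) {
			return i
		}
	}
	return -1
}

// ParseAuthorization loads a configuration in the format shown on this page.
func ParseAuthorization(data []byte) (Authorization, error) {
	var a Authorization
	err := json.Unmarshal(data, &a)
	return a, err
}

// The two configurations from the page, embedded so the example runs offline.
const ExampleRules = `{"rules": [
 {"resources": ["/rc"], "methods": ["GET"], "users": ["fit"], "groups": ["admin"]},
 {"resources": ["/rc"], "methods": ["POST", "PUT", "DELETE"], "users": [], "groups": ["admin"]}]}`

const PublicRules = `{"rules": [
 {"resources": ["/rc"], "methods": ["GET"], "groups": ["anonymous"]},
 {"resources": ["/rc"], "methods": ["GET", "POST", "PUT", "DELETE"], "groups": ["admin"]}]}`

func main() {
	cfg, err := ParseAuthorization([]byte(ExampleRules))
	if err != nil {
		panic(err)
	}
	fit := Caller{User: "fit", Groups: []string{"users"}}
	fmt.Println(cfg.Authorize(fit, "GET", "/rc/devices"), cfg.Authorize(fit, "POST", "/rc")) // 0 -1
}
```

Two points worth checking against a real deployment: because matching is additive, adding a rule can only widen access, so review every rule that names a broad group; and because the page describes resources as matching on "path starting with", a literal prefix match as implemented here makes a rule for /rc also cover a path such as /rcfoo. Whether the shipped implementation matches whole path segments instead is not stated on this page, so test it before relying on a short prefix.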
