IAM access settings

Location path

Path in the assembly directory

/era_env/priv/metadata/iam_all.json

Overview

Access descriptor for the REST API (public, authenticated, and role-based access). It also defines the set of generic roles that are available for assignment to users and role applications in the domains of any solution.

This set of access rules supplements the individual access settings of specific solutions, which each solution contributes in the solution/iam.json file of its assembly.

Format:
[
  {
    "access": "public" | "authenticated" | "role",
    "role": "ROLE_NAME",
    "endpoints": [
      {
        "url": str (for example "/rest/v1/iam/users"),
        "methods": array<str> (for example ["GET", "POST", "LOOKUP"])
      },
      ...
    ]
  },
  ...
]

Each item in the list specifies an access level (the access field) with one of the following values:

  • public – the endpoints and methods are available without authentication.

  • authenticated – the endpoints and methods are available to any authenticated user.

  • role – the endpoints and methods are available only to users holding a specific role. The role is named in the role field; the name is arbitrary. Every role named this way becomes available for assignment to users and role applications.

Each item also carries a list of allowed endpoints (the endpoints field). Each endpoint in the list is an object with the fields:

  • "url" – the path of the endpoint relative to the API root. It may contain wildcards: * matches the content of one path segment, e.g. /abc/*/def; ** matches an arbitrary remainder of the path, e.g. /abc/**.

  • "methods" – the set of methods allowed on this endpoint. It may list HTTP verbs (e.g. "GET"), custom methods (e.g. "LOOKUP"), and the wildcard method "*", which matches every method. Method names are written in capital letters.

The endpoints and methods listed here act as a filter over the full set of REST API endpoints and methods implemented in the system: the descriptor can only allow what already exists, and entries naming a non-existent endpoint or method are ignored. Because such entries are dropped silently rather than reported, a misspelled url or method grants nothing and produces no error, so verify that each rule actually matches the endpoint it is meant to open.

Example

The descriptor below does the following:

  • Opens public access to the version and resource endpoints for browsing, and to session creation (login).

  • Allows any authenticated user to manage their current session, view their own user record, and list the roles.

  • Creates an admin role for all domains and exposes all methods of all endpoints to it.

Example:
[
  {
    "access": "public",
    "endpoints": [
      { "url": "/rest/v1/public/version", "methods": ["GET","OPTIONS"] },
      { "url": "/rest/v1/public/resources", "methods": ["GET","OPTIONS"] },
      { "url": "/rest/v1/public/resources/*", "methods": ["GET","OPTIONS"] },
      { "url": "/rest/v1/iam/sessions", "methods": ["POST","OPTIONS"] },
      { "url": "/rest/v1/iam/sessions/current", "methods": ["GET","OPTIONS"] }
    ]
  },
  {
    "access": "authenticated",
    "endpoints": [
      { "url": "/rest/v1/iam/sessions/current", "methods": ["GET","POST","DELETE","OPTIONS"] },
      { "url": "/rest/v1/iam/users/current", "methods": ["GET","OPTIONS"] },
      { "url": "/rest/v1/iam/roles", "methods": ["GET","OPTIONS"] }
    ]
  },
  {
    "access": "role",
    "role": "admin",
    "endpoints": [
      { "url": "/rest/**", "methods": ["*"] }
    ]
  }
]
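To make the matching rules concrete, here is an added Python checker (example code written for this page, not part of the product) that loads the descriptor above and decides whether a given request is allowed, plus a small lint that flags overly broad public or authenticated rules. It assumes allow-list semantics (a request is permitted only if some applicable rule matches it, otherwise denied), that * matches exactly one whole path segment, that ** matches zero or more trailing segments, that a role rule only applies to an authenticated principal, and that methods compare case-insensitively; the Principal type and the lint function are illustrative, not part of the system.

```python
import json
from dataclasses import dataclass

# Constructed sample input: the iam_all.json example from this page.
IAM_ALL = json.loads("""
[
  {"access": "public", "endpoints": [
    {"url": "/rest/v1/public/version", "methods": ["GET", "OPTIONS"]},
    {"url": "/rest/v1/public/resources", "methods": ["GET", "OPTIONS"]},
    {"url": "/rest/v1/public/resources/*", "methods": ["GET", "OPTIONS"]},
    {"url": "/rest/v1/iam/sessions", "methods": ["POST", "OPTIONS"]},
    {"url": "/rest/v1/iam/sessions/current", "methods": ["GET", "OPTIONS"]}
  ]},
  {"access": "authenticated", "endpoints": [
    {"url": "/rest/v1/iam/sessions/current", "methods": ["GET", "POST", "DELETE", "OPTIONS"]},
    {"url": "/rest/v1/iam/users/current", "methods": ["GET", "OPTIONS"]},
    {"url": "/rest/v1/iam/roles", "methods": ["GET", "OPTIONS"]}
  ]},
  {"access": "role", "role": "admin", "endpoints": [
    {"url": "/rest/**", "methods": ["*"]}
  ]}
]
""")


@dataclass(frozen=True)
class Principal:
    """Hypothetical caller identity: whether a session exists and which roles it holds."""
    authenticated: bool = False
    roles: frozenset = frozenset()


ANONYMOUS = Principal()


def url_matches(pattern: str, path: str) -> bool:
    """Match a request path against a rule url.
    Assumption: '*' matches one whole segment, '**' matches zero or more
    trailing segments and is only meaningful as the last pattern segment."""
    pat = [s for s in pattern.split("/") if s]
    req = [s for s in path.split("/") if s]
    for i, seg in enumerate(pat):
        if seg == "**":
            return True          # the rest of the path is unconstrained
        if i >= len(req):
            return False         # request path is shorter than the pattern
        if seg != "*" and seg != req[i]:
            return False
    return len(pat) == len(req)  # no trailing segments beyond the pattern


def method_matches(allowed: list, method: str) -> bool:
    """'*' allows any method; otherwise compare names case-insensitively."""
    m = method.upper()
    return any(a == "*" or a.upper() == m for a in allowed)


def rule_applies(rule: dict, who: Principal) -> bool:
    """Does this rule's access level apply to the caller at all?"""
    access = rule["access"]
    if access == "public":
        return True
    if access == "authenticated":
        return who.authenticated
    if access == "role":
        return who.authenticated and rule["role"] in who.roles
    raise ValueError(f"unknown access level {access!r}")


def is_allowed(rules: list, who: Principal, method: str, path: str) -> bool:
    """Allow-list decision: True only if some applicable rule lists a matching
    endpoint and method; everything else is denied. The query string is ignored."""
    path = path.split("?", 1)[0]
    return any(
        url_matches(ep["url"], path) and method_matches(ep["methods"], method)
        for rule in rules if rule_applies(rule, who)
        for ep in rule["endpoints"]
    )


def lint(rules: list) -> list:
    """Review aid: flag public/authenticated rules that use a wildcard method
    or a '**' url, and role rules that name no role."""
    findings = []
    for rule in rules:
        access = rule.get("access")
        if access == "role" and not rule.get("role"):
            findings.append("role rule without a role name")
        for ep in rule.get("endpoints", []):
            broad = "*" in ep["methods"] or ep["url"].endswith("/**")
            if access in ("public", "authenticated") and broad:
                findings.append(f"{access} rule is wildcard-broad: {ep['url']} {ep['methods']}")
    return findings


if __name__ == "__main__":
    admin = Principal(authenticated=True, roles=frozenset({"admin"}))
    print(is_allowed(IAM_ALL, ANONYMOUS, "GET", "/rest/v1/public/resources/42"))
    print(is_allowed(IAM_ALL, admin, "LOOKUP", "/rest/v1/iam/users"))
    print(lint(IAM_ALL))
```

Normalize the request path (collapse duplicate slashes, resolve dot segments) before calling is_allowed; the matcher compares segments literally, so an unnormalized path can fail to match a rule that was meant to cover it. The lint is deliberately conservative: a public or authenticated rule with "*" methods or a "**" url is not necessarily wrong, but it is exactly the kind of entry that deserves a second look during review.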