Access policies
Access Policies ensure that we provide specific access to resources for users. You may want to open publicly the read access for an entity while limiting creation to logged in users for example.
Acces policies are a way to implement Authorization following the RBAC (Role-Based Access Control) method. Indeed it is possible to create different entities (ex: User, Manager...) with different access to resources.
Policies can be added to entities or endpoints.
Syntaxโ
The policies for each rule can be added to each entity description as shown below:
entities:
Invoice ๐งพ:
properties:
- number
- { name: issueDate, type: date }
policies:
create:
- { access: restricted, allow: User } # Only logged in users can create.
read:
- access: public # All read endpoints are public.
update:
- access: admin # Only logged in admins can update.
delete:
- access: forbidden # No one can delete (even admins!)
In this case, everyone can see the Invoice items, only logged-in Users can create new ones. Updating an Invoice is restricted to Admins only and no one can delete them (not even Admins).
By default, all rules access are set to admin and thus only visible by logged-in Admins.
| Prop | Description | Type |
|---|---|---|
| access | The type of access: public, restricted, admin, forbidden | AccessType |
| allow | Only for restricted access: the entity (or entities) that have access | string | string[] |
Access typesโ
There are 4 possible access types:
| Access | Description | Short version (emoji) |
|---|---|---|
| public | Everyone has access | ๐ |
| restricted | Only logged-in users have access to it. If allow key specifies one or several entities, users logged in as other entities will not have access. Admins always have access to restricted rules | ๐ |
| admin | Only admins have access | ๐จ๐ปโ๐ป |
| forbidden | No one has access, not even admins | ๐ซ |
Entity rulesโ
Each entity has 5 rules where one or several access policies can be applied:
- create: create a new item
- read: see the detail and the list of items
- update: update an existing item
- delete: delete an existing item
- signup: sign up as a new user (only for authenticable entities)
By default, all rules have the admin access type
Additional examplesโ
entities:
Project ๐๏ธ:
properties:
- name
policies:
read:
- { access: restricted, allow: [Contributor, Manager] } # Only some entities (and admins).
create:
- { access: restricted, allow: Manager } # Only managers (and admins).
update:
- access: ๐จ๐ปโ๐ป # Only admin.
delete:
- access: ๐ซ # Forbidden (no one).
Contributor ๐จโ๐ผ:
authenticable: true
properties:
- name
policies:
signup:
- access: ๐ซ # Forbidden (no one).
create:
- { access: ๐, allow: Manager } # Managers can create contributors.
update:
- { access: ๐, allow: Manager }
delete:
- { access: ๐, allow: Manager } # Managers can create contributors.
endpoints:
basicEndpoint:
path: /basic
description: A basic endpoint that returns a simple message.
method: GET
handler: basicEndpoint
policies:
- access: public # This endpoint is public.