Role-based Access Controls
Vendia Share provides comprehensive role-based access controls (RBAC) to enable administrators to control the actions users are permitted to take and the resources on which they can operate.
Vendia's RBAC system is designed to be both simple to use and highly secure. It enables system administrators to easily limit who can access their corporate data and code, constrain employee and business partner activities, and secure critical systems from accidental mishandling. Developers using Vendia Share's free tier, however, can largely ignore RBAC while learning the system, because default role permissions and automatic permission boundary management automates away most of the need for explicit permissions management in typical usage scenarios.
Scope of RBAC
RBAC modulates the interaction between Vendia Share users and Vendia Share APIs and resources. RBAC may be used to determine whether a Vendia Share user is permitted to access the data in a Uni. In addition, each Uni node possesses its own user identity and authorization mechanisms, which are outside the scope of RBAC.
Key Terms
-
Actions: Actions express the right to call one or more Vendia Share APIs. For example,
USER_GET
expresses the right to call thegetUser
GraphQL query in the Vendia Share API. For convenience, actions such asUSER_ALL
andUNI_ALL
may be used to convey, "all user-related APIs" and "all Uni-related APIs", respectively. -
Capabilities: A capability is a mapping from actions to sets of resources. For example, the default role for a user includes capabilities to create unis in the default Uni namespace and perform operations on unis in which the caller has at least one node.
-
Default Role: Each Vendia user is assigned a default role, which will be used to determine their capabilities for any API call not provided with an explicit role.
-
Resources: Resources determine the object(s) to which an action can be applied. (There may be more than one resource listed per action.) For example, an action such as
UNI_GET
might have two resources,test1.unis.vendia.net
andtest2.unis.vendia.net
, permitting the owner of that role to access information about either thetest1
or thetest2
uni. -
Roles: Roles are named sets of capabilities. When a call is made to any Vendia Share API, the caller's role is used to determine if the action is legal, i.e. whether the caller is authorized to perform it. A role can be provided explicitly; if no role is provided, the caller's default role will be used instead.
Actions
User Actions
Vendia Share supports the following actions on user accounts:
USER_GET
: Permits calling getUser to retrieve user account details.USER_GET
also determines which users are included when listing users.USER_CREATE
: Permits calling createUser, allowing the owner to make new accounts on the Vendia Share system.USER_DELETE
: Permits calling deleteUser, allowing the owner to remove existing accounts from the Vendia Share system.USER_SET_EMAIL
: Permits calling setUserEmail.USER_SET_ROLE
: Permits calling setUserRole, allowing the caller to assign new roles or replace existing roles for themselves or other users.USER_DELETE_ROLE
: Permits calling deleteUserRole, allowing the caller to remove roles from themselves or other users.USER_INVITE
: Permits the owner to invite users to join an existing Uni. Note that inviting a new node to join an existing uni requires two types of permission:- The right to call invite for the uni in question
- The right to invite the user (owner) of the new node.
USER_ALL
: Convenience setting - permits all of the user actions listed above.
Apart from USER_INVITE
, user actions are typically reserved for administrators.
To comply with GDPR, CCPA, and similar regulations, every user on the Vendia
system is automatically granted USER_GET
and USER_SET_EMAIL
for themselves; these rights cannot be removed.
Uni Actions
Vendia Share supports the following actions on Unis:
UNI_GET
: Permits calling getUni to retrieve user account details.UNI_GET
also determines which unis are included when listing unis.UNI_CREATE
: Permits callingregister
to create new unis.UNI_DELETE
: Permits callingdestroy
to delete existing unis.UNI_RESET
: Permits callingreset
on an existing uni to reset it to its state immediately after initial deployment.UNI_JOIN
: Permits callingjoin
to create a new node in an existing uni.UNI_INVITE
: Permits callinginvite
on an existing uni. Note that inviting a new node to join an existing uni requires two types of permission: the right to call invite for the uni in question and the right to invite the user (owner) of the new node.UNI_DELETE_NODE
: Permits callingleave
on an existing uni. (Normally this is performed by the owner of the node, but RBAC can express the right to remove nodes owned by others.)UNI_MUTATE
: Grants access to update the Uni's settingsUNI_EVOLVE_SCHEMA
: Permits updating the Uni's schemaUNI_ALL
: Convenience setting - permits all of the uni actions listed above.
Organization Actions
Vendia Share supports the following actions on Organizations:
ORG_GET
: Permits fetching an organizationORG_LIST_USERS
: Permits retrieving all of the users in the organization and their rolesORG_ALL
: Convenience setting - permits all of the org actions listed above
Data Actions
Vendia Share supports the following actions for data stored with a Node
DATA_READ
: Permits reading the data in a Node (eg. executing queries/subscriptions)DATA_ALL
: Permits read/writing/admin access on data in a Node (eg. executing all queries and mutations)
Resource Formats
Name Resources
Vendia Share users are identified by the current email address associated with their Vendia account. '*' may be used as a wildcard, or to indicate that no subdomain is required. Examples:
mary@acme.com
: user Mary in theacme.com
domain*@acme.com
: any user in theacme.com
domain*@*.acme.com
: same as the above*@sub.acme.com
: any user in thesub
subdomain ofacme.com
.
All user commands (getuser, userSetEmail, etc.) require resources using name formats.
JSON Example:
{
"action": "USER_ALL",
"resources": ["NameResource(*@acme.com)"] // Access to all users with the acme.com domain
}
Uni Resources
Uni commands can take one of several forms:
-
Name Format: using a name format where a uni resource is expected has the meaning of "this user is an owner of at least one node in the Uni"
-
<UNI_NAME>.<SUBDOMAIN>.<DOMAIN>.<EXT>
: the Uni's fully qualified name; '*' may be used as a wildcard for any portion of the name. -
<UNI_NAME>.<SUBDOMAIN>.<DOMAIN>.<EXT>#<NODE_NAME>
: a specific node in a Uni -
mary@acme.com
: any Uni wheremary@acme.com
owns at least one node -
test.unis.acme.com
: a Uni namedtest
in the namespace operated byacme.com
in the subdomainunis
. -
foo.*.acme.com#bar
: the nodebar
in the unifoo
in the namespace owned byAcme.com
. The subdomain may be present or absent; either way it is ignored. -
*.acme.com
: every uni in the namespace owned byAcme.com
.
JSON Example:
{
"action": "UNI_GET",
"resources": [
"NameResource(mary@acme.com)", // Access to all Unis where mary@acme.com is the owner
"UniResource(*.unis.acme.com)", // Access to all Unis in the unis.acme.com namespace
"UniResource(my-uni.unis.foo.com)", // Specific access to my-uni.unis.foo.com
"UniResourc(another-uni.unis.bar.com#NodeOne)" // Very specific access to a single Node in the Uni another-uni.unis.bar.com
]
}
Data Access
Data access requires the Vendia Resource path style:
<ORGANIZATION_ID>/<UNI_NAME>/<NODE_NAME>
: This includes the unique organization ID, the Uni's fully qualified name, and the Node name. The wildcard/*
may be used in any portion of the name.
JSON Example:
// Acme's organization ID is 730c2b51-7a7a-42a2-a192-8bef734a95a1
// Foo's organization ID is 2fa4bc9d-7d62-4ad6-8d07-4b021bce762b
{
"action": "DATA_READ",
"resources": [
"VendiaResource(730c2b51-7a7a-42a2-a192-8bef734a95a1/my-uni.unis.acme.com/*)", // Access to all Nodes owned by Acme in the my-uni.acme.com Uni
"VendiaResource(730c2b51-7a7a-42a2-a192-8bef734a95a1/another-uni.unis.acme.com/NodeOne)" // Access to only NodeOne in the another-uni.acme.com Uni
"VendiaResource(2fa4bc9d-7d62-4ad6-8d07-4b021bce762b/*)" // Access to all Nodes owned by Foo in all of Foo's Unis
]
}
Permission Boundaries
Vendia Share's RBAC system includes a built-in permission boundary
feature that prevents escalation of privileges. Permission boundaries
impact administrative features, such as USER_SET_ROLE
. Without a
permission boundary, users would be allowed to escalate their privileges.
To prevent this from happening, the effect of calling setUserRole
is required to be a subset of the role of the caller. In other
words, users cannot create or alter roles to be more powerful than
themselves. As an example, an administrator with
UNI_ALL
: *.*.acme.com
rights would be allowed to
grant UNI_GET
: test1.*.acme.com
to another user (or themselves),
but could not grant UNI_GET
: test1.*.other_domain.com
to any user.
Permission boundaries are enforced automatically - no user action is required.
Assigning permissions in the Share UI
An organization administrator with the appropriate permissions may modify other users' roles in the Share UI by navigating to My Organization > Members > Select Member. The admin user may select from a list of pre-defined roles to assign to the user.
Assigning permission in the Share CLI
Using the Share CLI, an organization administrator with the appropriate permission may assign a user a custom role. For more information, visit the CLI documentation
policy.json
{
"name": "default",
"capabilities": [
{
"action": "ORG_GET",
"resources": [
"OrganizationResource(730c2b51-7a7a-42a2-a192-8bef734a95a1)"
]
},
{
"action": "ORG_LIST_USERS",
"resources": [
"OrganizationResource(730c2b51-7a7a-42a2-a192-8bef734a95a1)"
]
},
{
"action": "UNI_JOIN",
"resources": ["UniResource(*.unis.acme.com#*)"]
},
{
"action": "UNI_CREATE",
"resources": ["UniResource(*.unis.acme.com#*)"]
},
{
"action": "UNI_GET",
"resources": [
"NameResource(test@*.acme.com)",
"UniResource(*.unis.acme.com#*)"
]
},
{
"action": "UNI_MUTATE",
"resources": ["NameResource(test@*.acme.com)"]
},
{
"action": "UNI_EVOLVE_SCHEMA",
"resources": ["NameResource(test@*.acme.com)"]
},
{
"action": "UNI_INVITE",
"resources": ["NameResource(test@*.acme.com)"]
},
{
"action": "UNI_RESET",
"resources": ["NameResource(test@*.acme.com)"]
},
{
"action": "UNI_DELETE",
"resources": ["NameResource(test@*.acme.com)"]
},
{
"action": "UNI_DELETE_NODE",
"resources": ["NameResource(test@*.acme.com)"]
},
{
"action": "USER_INVITE",
"resources": ["NameResource(*@*.*.*)"]
}
]
}
share auth role set ./policy.json --user test@acme.com
Types of Users and Default Roles
Often, Vendia Share users are referred to as "normal" or
"administrator" depending on their privileges. However, the
privileges of individual users may vary from company to company
and even among accounts. For instance, an administrator for acme.com
may decide that its users should not be permitted to call
destroy
or reset
, because these actions potentially cause loss
of data. Other companies may grant their users both privileges, or
grant it only for unis in a development subdomain but not in the
production subdomain.
Default users operating in the Vendia Share free tier have access to
only the default namespace, *.unis.vendia.com
. Up to the
available (per-user) limits, they can create new Unis and nodes in this
namespace and have access to call any API on the Unis in which they own at least
one node. Free tier users do not possess any user privileges except for the "built-in" right to view and update their own user account information and invite other free tier users to join their Unis.
The privileges of a default user operating under an enterprise
agreement varies depending on the setup requested by the company's
Vendia account administrator. The initial user account created for enterprise
agreements is typically an administrator account, with full permission to
create new users and roles in one or more corporate-owned namespaces. For more
information on enterprise configuration, contact Vendia sales or
email support@vendia.net
.