Permissions

Permissions🔐 are essential control components that define access rights to certain records or specific resources in Activator. They play a crucial role in managing data security and integrity, ensuring that only authorized users can interact with sensitive information.

 

How To Define A Permission

In Activator Admin, Permission are located within the menu container, among the items listed under 🔑Access Control. As shown at (1) on the image below.

 

✋NB:

Make sure you are in the System Components main module.

 

Permissions
Permissions

After initiating the creation of the Permission, by clicking on the +Add new button (illustrated at (2) on the image above), you’ll observe a form (illustrated at (3) on the image above) appearing on the right side with some fields

🔬After filling in the name and description fields, let's focus on the Definition and Meta Data fields.

The Meta Data field gathers and provides additional information for the component, please refer to  Meta Data for the complete list of additional information related to this component.

As for the Definition field, let's take a closer look at its Json content in the next point.

 

Definition

Note✍️ : This is where you'll be prompted to fill in various fields for the creation of a permission. These fields will be used to define specific properties for the permission.

 

{
    "resourceName": "",
    "title": "permission1",
    "abstract": "true",
    "description": "Permission to perform something",
    "titleResKey": "",
    "descResKey": ""
}

 

Json Description

Let's see how each property contributes to the definition and configuration of permission in the system.

PROPERTYREQUIREDDEFAULLT VALUEDESCRIPTION
ressourceNameNo-The name of the resource to which the permission applies.
titleYes-The title of the permission, to identify it
abstractNofalse

The abstract property in the definition of a permission plays a key role in how the permission is applied.

  • When abstract is set to true, it means the permission is general and applies to all records of the specified type, without the need to define a specific context. This grants global access to all elements of a type, for example, to all records of an entity, without any contextual restrictions.
  • Conversely, when abstract is set to false, the permission becomes specific to a particular record. In this case, the context field comes into play to specify the conditions under which the permission applies. The context helps restrict access to particular records based on specific criteria, such as access to confidential or localized data.

In summary, the abstract property determines whether a permission applies globally or contextually.

descriptionNo-A brief description of the permission, explaining what it can do.
titleResKeyNo-Resource key for title, used for translation.
descResKeyNo-Resource key for description, used for translation.

 

Granting Permission To A User

 

PROPERTYDESCRIPTION
URL

/api/tenants/{tenantId}/accesscontrol/permissions/{permissionName}/grant

  • {tenantId}: identifier of the tenant for whom you wish to grant permission.
  • {permissionName}: Enter the name of the permission you wish to grant.
METHODPOST
PAYLOAD (BODY)
{
    "identity": {
        "recordId": "string",
        "name": "string",
        "type": "string"
    },
    "resource": {
        "recordId": "string",
        "name": "string",
        "context": "string",
        "type": "string"
    }
}

The payload is a JSON object containing two main sections: identity and resource.

-identity : This section describes who you wish to grant permission to.

  • recordId: A unique identifier for the user.
  • name: The name of the user
  • type : The type of identity

-resource: This section specifies the resource for which permission is granted.

  • recordId: A unique identifier for the resource.
  • name : Resource name.
  • type:  Resource type

 

 

Note🚧: 

Currently, in Activator, the identity object's type property only supports the user type. Similarly, the type property of the resource object is limited to the EntityRecord type. 

Make sure you respect these constraints when granting permissions.

 

Remove A User's Permission

 

PROPERTYDESCRIPTION
URL

/api/tenants/{tenantId}/accesscontrol/permissions/{permissionName}/deny

  • {tenantId}: the ID of the tenant for whom you wish to withdraw permission.
  • {permissionName}: Enter the name of the permission you wish to remove.
METHODPOST
PAYLOAD (BODY)
{
    "identity": {
        "recordId": "string",
        "name": "string",
        "type": "string" // "User"
    },
    "resource": {
        "recordId": "string",
        "name": "string",
        "context": "string",
        "type": "string" //"EntityRecord"
    }
}

The payload is a JSON object containing two main sections: identity and resource.

-identity : This section describes to whom you wish to withdraw a permission.

  • recordId: A unique identifier for the user.
  • name: The name of the user
  • type : The type of identity

-resource: This section specifies the resource for which permission is being withdrawn..

  • recordId: A unique identifier for the resource.
  • name : Resource name.
  • type:  Resource type

 

 

Note🚧: 

Currently, in Activator, the identity object's type property only supports the user type. Similarly, the type property of the resource object is limited to the EntityRecord type. 

Be sure to respect these constraints when removing permissions.

 

Check If A User Has Permission

In Activator, checking whether a user has a permission can be done for both abstract and non-abstract permissions.

 

Check Non-Abstract Permission

 

PROPERTYDESCRIPTION
URL

/api/tenants/{tenantId}/accesscontrol/permissions/{permissionName}/identities/{identityId}/check

  • {tenantId}: identifier of the tenant for whom you wish to grant permission.
  • {permissionName}: Enter the name of the permission you wish to grant.
  • {identityId} : Unique identifier of the identity (such as a user or a group) for which the permission needs to be verified.
METHODPOST
PAYLOAD (BODY)
{
    "recordId": "string",
    "name": "string",
    "context": "string",
    "type": "string"
}

 

  • recordId: A unique identifier for the user.
  • name: The name of the user
  • context: Context in which the permission is applied. This specifies the specific context in which the user seeks to access the record.
  • type : The type of identity

 

Check Abstract Permission

 

PROPERTYDESCRIPTION
URL

/api/tenants/{tenantId}/accesscontrol/permissions/{permissionName}/identities/{identityId}/verify

  • {tenantId}: identifier of the tenant for whom you wish to grant permission.
  • {permissionName}: Enter the name of the permission you wish to grant.
  • {identityId} : Unique identifier of the identity (such as a user or a group) for which the permission needs to be verified.
METHODGET

Examples

Restrict a member's confidential access

Case 1

We can simply create a permission called canAccessMemberConfidentialInfo.

activatord.permissions.canAccessMemberConfidentialInfo:


{
    "resourceName": "",
    "title": "Permission to access member confidential info",
    "abstract": "true",
    "description": "Permission to access member confidential info",
    "titleResKey": "",
    "descResKey": ""
}

And when this permission is granted, the Payload will be:

{
    "identity": { //The user we want to grant the access
        "recordId": "the_user_id",
        "name": "the_user_name",
        "type": "User"
    },
    "resource": { // The resource we want to secure
        "recordId": "the_resource_id",
        "name": "the_resource_name",
        "context": "",
        "type": "EntityRecord"
    }
}

 

PROPERTYDescription
identity
  • recordId: A unique identifier for the user.
  • name: The name of the user
  • type : The type of identity
resource
  • recordId: A unique identifier for the resource.
  • name : Resource name.
  • context: It defines the conditions and limits under which a permission is granted to a user. It is the environment or framework in which the permission is applicable.
  • type:  Resource type

Case 2

Let's🚶‍♂️ assume that here we want to be much more modular and abstract in order to allow our permission to secure other categories of member data (such as location, contacts, etc.).
In this case, all we need to do is play with the context, and insert the type of data this user will be able to access.

Defining our permission

activatord.permissions.canAccessMemberInfo

Note🚦: In this case, the name is much more generic than in case 1.

 

{
    "resourceName": "",
    "title": "Permission to access member info",
    "abstract": "true",
    "description": "Permission to access member info",
    "titleResKey": "",
    "descResKey": ""
}

To remove this permission, the model will be:

{
    "identity": { //The user we want to grant the access
        "recordId": the_user_id,
        "name": the_user_name,
        "type": "User"
    },
    "resource": { // The resource we want to secure
        "recordId": the_resource_id,
        "name": the_resource_name,
        "context": "localization", // ["contact", "confidential", "all", "etc..."]
        "type": "EntityRecord"
    }
}

 

PROPERTYDescription
identity
  • recordId: A unique identifier for the user.
  • name: The name of the user
  • type : The type of identity
resource
  • recordId: A unique identifier for the resource.
  • name : Resource name.
  • context: Here we target the context in which the permission will be withdrawn.  In this way, the permission is no longer valid only in this particular context of use, but the user can still retain access to the same resource in other contexts, if he has been authorized for them.
  • type:  Resource type

 

Conclusion

The Permission🗝️ component in Activator is crucial to the secure management of resource access, enabling users' access rights to be precisely defined according to their identity, the resources concerned and the context of use. By integrating elements such as identity and resource, it offers a flexible structure that promotes granular permissions management, ensuring that only authorized people can interact with sensitive information. This approach helps protect critical data while meeting confidentiality and regulatory requirements, making the Permission component an essential tool for ensuring the security and integrity of information in Activator.

Whereas permissions define specific rights to certain resources, roles allow you to group together several permissions and assign sets of rights to users according to their responsibilities. Let's move on to the Roles component, which plays a central role in structuring and simplifying access management within the system.