Security Model

The platform provides the ability to assign security policies and Role-based Access Control (RBAC). Policies can be applied to individual classes, attributes, and API endpoints. A policy restricts groups and/or roles to specific actions. For example, let's assign a policy "APIAccess" to the following external service.

{
  "name" : "svc1",
  "props" : {
    "grant_type" : "password",
    "oauthUrl" : "https://url",
    "client_id" : "d3-api",
    "client_secret" : "****",
    "username" : "****",
    "password" : "****"
  },
  "type" : "externalService",
  "useOAuth" : true,
  "docUrl" : "/_model/api-service/app2/svc1",
  "routeSpecs" : [
    {
      "path" : "/svc/app2/svc1/api/companies",
      "location" : "https://url",
      "secure" : true,
      "securityPolicies" : "APIAccess"
    },
    {
      "path" : "/svc/app2/svc1/api/overview",
      "location" : "https://url",
      "secure" : true
    }
  ],
  "useHttps" : true
}

In the example above, notice that the policy is assigned only to the API endpoint whose path ends in "/companies"; the other endpoint does not enforce a security policy. The policy "APIAccess" is defined below: it allows users who hold the "Admin" role or belong to the "OperationDept" group to perform the "Read" and "Write" actions.

{
  "name" : "APIAccess",
  "displayName" : "API Access Policy ",
  "roles" : "Admin",
  "roleGroupOperator" : "or",
  "groups" : "OperationDept",
  "actions" : "Read,Write"
}
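The following Python is an added example, not the platform's own code, that evaluates the route specs and policy definition above and also audits for secure routes that carry no policy. Its evaluation semantics are assumptions: role, group and action lists are comma-separated, roleGroupOperator is "or" (as on the page) or "and", a route without "securityPolicies" enforces nothing, and an unknown route or undefined policy name fails closed.

```python
# Added example: policy evaluation for the security model described above.
# Data below is transcribed from the page's two JSON documents.
POLICIES = {
    "APIAccess": {"name": "APIAccess", "roles": "Admin", "roleGroupOperator": "or",
                  "groups": "OperationDept", "actions": "Read,Write"},
}
ROUTES = [
    {"path": "/svc/app2/svc1/api/companies", "secure": True,
     "securityPolicies": "APIAccess"},
    {"path": "/svc/app2/svc1/api/overview", "secure": True},
]

def _csv(value):
    """Split a comma-separated policy field into a set (assumed format)."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def policy_allows(policy, user_roles, user_groups, action):
    """True if the policy grants `action` to a principal with these roles/groups."""
    role_ok = bool(_csv(policy.get("roles")) & set(user_roles))
    group_ok = bool(_csv(policy.get("groups")) & set(user_groups))
    op = policy.get("roleGroupOperator", "or")   # "or" is on the page; "and" is assumed
    principal_ok = (role_ok or group_ok) if op == "or" else (role_ok and group_ok)
    return principal_ok and action in _csv(policy.get("actions"))

def authorize(path, action, user_roles, user_groups, routes=ROUTES, policies=POLICIES):
    """Return 'allow', 'deny', or 'unprotected' (route declares no policy)."""
    route = next((r for r in routes if r["path"] == path), None)
    if route is None:
        return "deny"                     # unknown route: fail closed
    names = _csv(route.get("securityPolicies"))
    if not names:
        return "unprotected"              # matches the page: no policy enforced
    for name in names:                    # every named policy must grant (assumed)
        policy = policies.get(name)
        if policy is None or not policy_allows(policy, user_roles, user_groups, action):
            return "deny"                 # undefined policy name: fail closed
    return "allow"

def unprotected_routes(routes=ROUTES):
    """Audit helper: routes marked secure that declare no securityPolicies."""
    return [r["path"] for r in routes
            if r.get("secure") and not _csv(r.get("securityPolicies"))]
```

Running unprotected_routes() over a service definition is a quick way to spot endpoints like "/overview" above that are marked secure but carry no policy.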