Link Search Menu Expand Document

Resource API Structure

Define current backend API in new resource + privilege framework.

The definition is an array of objects. Each object contains:

  • name: the name of the rule
  • module: the name of the module the rule is a member of.
  • description: a string that provides human insight into the action and reason of the rule.
  • resources: the resource the rule uses and the access privilege to the resource
    • resource: the data source where the information resides.
    • privileges: rights the rule has to access and use the resource.

The following is an example of the access configuration.

[
     {
       "name":"collector_create", 
       "module":"main", 
       "description":"create new collector",
       "resources":[{"resource":"collector","privileges":["create"]}]
     },
     {
       "name":"collector_list", 
       "module":"main", 
       "description":"list all collectors",
       "resources":[{"resource":"collector","privileges":["read"]}]
     },
     {
       "name":"collector_delete", 
       "module":"main", 
       "description":"delete collector",
       "resources":[{"resource":"collector","privileges":["delete"]}]
     },
     {
       "name":"create_artifact_filter", 
       "module":"main", 
       "description":"create artifact filter",
       "resources":[{"resource":"artifact_filter","privileges":["create"]}]
     },
     {
       "name":"create_multiple_artifact_filter", 
       "module":"main", 
       "description":"create multiple artifact filters",
       "resources":[{"resource":"artifact_filter","privileges":["create"]}]
     },
     {
       "name":"delete_multiple_filters", 
       "module":"main", 
       "description":"delete multiple artifact filters",
       "resources":[{"resource":"artifact_filter","privileges":["delete"]}]
     },
     {
       "name":"filter_search", 
       "module":"main", 
       "description":"search artifact filters",
       "resources":[{"resource":"artifact_filter","privileges":["read"]}]
     },
     {
       "name":"audit_search", 
       "module":"main", 
       "description":"search audit events",
       "resources":[{"resource":"audit","privileges":["read"]}]
     }
]

There will be two initial roles, “admin” and “analyst,” to replace the existing access rights.

This works for API control. Another part is data policy, which covers stream, document and field level access control.