Role and rights management for tenant-users

About REST-calls for tenant-users

  • Tenant-users and JSON Web Tokens (JWTs) for tenant-users can be generated and administered by the Airlock Gateway admin only.
  • Every JWT is bound to a user exclusively.
  • Each tenant-user can be granted access to a set of configurational scopes of the Airlock Gateway via REST-calls.
  • The scope of access rights has to be defined by the Airlock Gateway administrator via JWT.

    • In extreme cases, users with extensive rights can create high loads (e.g. via adverse regex settings) similar to a DoS. High load will affect all tenant-users of the related Airlock Gateway instance!

    • Best practice:
    • Restrict REST-call functionality to the necessary minimum (least privilege principle).
    • Advice and support tenant-users not to use regular expressions that create over-proportional high loads.

Access rights

JWTs can be equipped with the 2 independent right types read and write:

Access rights

Command

Description

read

read

Read out current values and settings of entities.

write

create

Create new entities of a particular type.

update

Update existing entities of a particular type (e. g. change a value/setting).

delete

Delete an existing entity of a particular type.

Access rights can only be set globally for all tenant-users per Airlock Gateway instance.

  • Example:
  • Granting write rights for Back-end groups will allow tenant-users to alter all back-end groups which belong to this tenant-user.

Saving a config file, activating a configuration and other actions of a tenant-user will automatically be logged together with the users' ID.

Assignable configuration rights

Every configuration right can be assigned exclusively to specific tenants - i. e. so that multiple tenant-users do not share the same access or configuration scope.

The amount of accessible configuration scopes is subject to change for future Airlock Gateway versions.