Role and rights management for tenant-users
About REST-calls for tenant-users
- Tenant-users and JSON Web Tokens (JWTs) for tenant-users can be generated and administered by the Airlock Gateway admin only.
- Every JWT is bound to a user exclusively.
- Each tenant-user can be granted access to a set of configuration scopes of the Airlock Gateway via REST calls.
- The scope of access rights has to be defined by the Airlock Gateway administrator in the JWT.
Advice:
In extreme cases, users with extensive rights can create high load (e.g. via adverse regex settings), similar to a DoS. High load affects all tenant-users of the related Airlock Gateway instance!
Best practice:
- Restrict REST-call functionality to the necessary minimum (least privilege principle).
- Advise and support tenant-users so that they do not use regular expressions that create disproportionately high load.
Access rights
JWTs can carry the two independent right types read and write:
Access rights | Command | Description |
---|---|---|
read | read | Read out current values and settings of entities. |
write | create | Create new entities of a particular type. |
 | update | Update existing entities of a particular type (e.g. change a value or setting). |
 | delete | Delete an existing entity of a particular type. |
Access rights can only be set globally for all tenant-users per Airlock Gateway instance.
Example:
- Granting write rights for back-end groups allows a tenant-user to alter all back-end groups that belong to this tenant-user.
Saving a config file, activating a configuration and other actions of a tenant-user are automatically logged together with the user's ID.
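The following is an added example, not Airlock's own code, of how a token-bound rights check of the kind described above can be enforced in front of a REST endpoint: an HS256 JWT is minted for exactly one tenant-user, verified on every call, and its rights for the requested configuration scope are compared against the right type the REST method needs (read for GET, write for create/update/delete). The decision is then written out together with the user's ID. The claim layout (a "rights" object mapping a scope name to a list of right types), the scope names, the method-to-operation mapping and the secret are all assumptions made for illustration; the page does not show Airlock's real token format.

```python
import base64
import hashlib
import hmac
import json
import time

# Right types from the page: "read" covers reading; "write" covers create,
# update and delete. Which REST method performs which operation is an
# assumption for this example.
METHOD_TO_OPERATION = {
    "GET": "read",
    "POST": "create",
    "PUT": "update",
    "PATCH": "update",
    "DELETE": "delete",
}
OPERATION_TO_RIGHT = {"read": "read", "create": "write", "update": "write", "delete": "write"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, user: str, rights: dict, ttl: int = 3600, now=None) -> str:
    """Sign an HS256 JWT bound to one tenant-user ('sub') that carries the
    assumed 'rights' claim: {scope: ["read", "write", ...]}."""
    issued = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "iat": issued, "exp": issued + ttl, "rights": rights}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Return the claims of a valid token; raise ValueError on any defect."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a different algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("token not bound to a user")
    current = int(time.time()) if now is None else now
    if current >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def is_allowed(claims: dict, scope: str, method: str) -> bool:
    """Least privilege: serve the call only if the token grants, for that
    configuration scope, the right type the REST method requires."""
    operation = METHOD_TO_OPERATION.get(method.upper())
    if operation is None:
        return False
    required = OPERATION_TO_RIGHT[operation]
    granted = claims.get("rights", {}).get(scope, [])
    return required in granted


def audit_line(claims: dict, scope: str, method: str, allowed: bool) -> str:
    """Every decision is recorded together with the user's ID, as the page requires for actions."""
    decision = "allow" if allowed else "deny"
    return f"user={claims['sub']} scope={scope} method={method.upper()} decision={decision}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed for the example, not a real key
    # Constructed grant: full rights on back-end groups, read-only on mappings.
    token = mint_token(secret, "tenant-user-42", {"back-end-groups": ["read", "write"], "mappings": ["read"]})
    claims = verify_token(secret, token)
    for scope, method in [("back-end-groups", "PUT"), ("mappings", "DELETE"), ("mappings", "GET")]:
        print(audit_line(claims, scope, method, is_allowed(claims, scope, method)))
```

The check rejects any token whose header does not name HS256, so an unsigned or re-signed token is never consulted for rights; scopes absent from the claim yield a deny, which is the least-privilege default the page recommends.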
Assignable configuration rights
Every configuration right can be assigned exclusively to specific tenants, i.e. so that multiple tenant-users do not share the same access or configuration scope.
Currently, the following scopes can be assigned to tenant-users:
The set of accessible configuration scopes is subject to change in future Airlock Gateway versions.