Resource Access Policies

Policies can be defined to specify who can create, read, update or delete resources. They are evaluated when requests are sent from the frontend to the Authorization Service API.

Functions available to the scripts

  • IsResourceOwner($identity, $resource): returns true if $identity is the owner of $resource.
  • Authorized([string] $Reason): authorizes an action with the given $Reason (creates an object that will be later converted to a PolicyCheckResult).
  • Denied([string] $Reason): denies an action with the given $Reason.
  • ApprovalRequired([string] $Approver, [string] $Reason, [switch] $Role, [switch] $Group, [switch] $Identity): the action will need approval from the given $Approver for the given $Reason. Use one of the $Role, $Group or $Identity switches to specify which kind of object the approver is (see examples below).

Identities wrappers

Identity parameters are passed as identity wrappers, which expose all identity extended properties directly, so that for example you can write $caller.FirstName instead of $caller.Properties["firstName"]. These wrappers also expose the following methods:

  • IsMemberOf(string groupName): returns true if the identity is a member of the group with the given name (case insensitive, including recursive group memberships).
  • IsInRole($roleName): returns true if the identity is in the role with the given name (case insensitive). Only valid for roles related to the application linked by the policy.

Script Methods

Scripts must not contain top-level statements, only function definitions. Each script can define the following methods (along with any helper functions the script itself needs).

Can-Read

Signature: Can-Read($caller, $target)

Parameters:

  • $caller: identity wrapper.
  • $target: wrapper of the target resource.

Can-ReadAll

Signature: Can-ReadAll($caller)

Parameters:

  • $caller: identity wrapper.

Can-Create

Signature: Can-Create($caller, $target)

Parameters:

  • $caller: identity wrapper.
  • $target: wrapper of the target resource.

Can-Update

Signature: Can-Update($caller, $current, $updated)

Parameters:

  • $caller: identity wrapper.
  • $current: wrapper of the current resource.
  • $updated: wrapper of the updated resource.

Important: when this function is called, the validity of owner changes has already been

Can-Delete

Signature: Can-Delete($caller, $target)

Parameters:

  • $caller: identity wrapper.
  • $target: wrapper of the target resource.

Can-Own (ManagedResource policies only)

Signature: Can-Own($caller, $target)

Parameters:

  • $caller: identity wrapper.
  • $target: wrapper of the target resource.

Example

# We can define utility functions that are not policy related. To differentiate them, we can follow a different naming
# convention and avoid dashes in their names.
function IsAdmin($identity) {
    $identity.IsInRole("bogus-admin") -or $identity.IsMemberOf("some-strange-group")
}

# These are the policy functions
function Can-Update($caller, $current, $updated) {
    if (IsAdmin $caller) {
        Authorized "Bogus Admin"
        # return is only used to leave the function early: the object emitted by Authorized
        # is already the function's output, so nothing is passed to return
        return
    }
    if (-not $caller.IsInRole("bogus-users")) {
        Denied "not a Bogus User"
        return
    }
    # this will take all the identities in the bogus-admin role and ask them for approval
    ApprovalRequired -Approver "bogus-admin" -Reason "update requested by a Bogus User" -Role
}
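The example above only covers Can-Update. The following added script (not from the original page or project) shows the remaining policy methods using the same documented functions: owner checks with IsResourceOwner, and the $Group and $Identity forms of ApprovalRequired. The role, group and approver names, and the "resource-auditors" semantics, are constructed for illustration.

```powershell
# Helper with no dash in its name, so it is not mistaken for a policy method
function IsAuditor($identity) {
    $identity.IsMemberOf("resource-auditors")   # constructed group name
}

# Single-resource reads: Bogus Users and auditors; everyone else is denied explicitly
function Can-Read($caller, $target) {
    if ($caller.IsInRole("bogus-users") -or (IsAuditor $caller)) {
        Authorized "Bogus User or auditor"
        return
    }
    Denied "not allowed to read this resource"
}

# Listing every resource is a broader privilege, so it is limited to auditors
function Can-ReadAll($caller) {
    if (IsAuditor $caller) {
        Authorized "auditor"
        return
    }
    Denied "only auditors may list all resources"
}

# Creation is open to Bogus Users only
function Can-Create($caller, $target) {
    if ($caller.IsInRole("bogus-users")) {
        Authorized "Bogus User"
        return
    }
    Denied "not a Bogus User"
}

# Deletion: only the owner may request it, and a named approver identity must confirm
function Can-Delete($caller, $target) {
    if (-not (IsResourceOwner $caller $target)) {
        Denied "only the owner may delete a resource"
        return
    }
    # -Identity: the approver is a single identity (constructed name)
    ApprovalRequired -Approver "security-officer" -Reason "owner-initiated deletion" -Identity
}

# Ownership (ManagedResource policies only): the caller must be a Bogus User,
# and the members of a group (constructed name) must approve the change
function Can-Own($caller, $target) {
    if (-not $caller.IsInRole("bogus-users")) {
        Denied "only Bogus Users may own resources"
        return
    }
    ApprovalRequired -Approver "resource-stewards" -Reason "ownership change" -Group
}
```

Every branch ends in exactly one of Authorized, Denied or ApprovalRequired, so a request never falls through without a PolicyCheckResult.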