
Authorization for On-Premise Environment

Authentication allows you to grant users and machines access to the Styra DAS; whereas Authorization allows you to control which actions those users and machines can perform on the DAS.

The DAS aims to make the common case easy and the uncommon case possible. The common case is handled by assigning users/groups/tokens to one or more roles. A role is a pre-built collection of permissions. For more granularity you can assign users to roles on a specific resource (for example, a single DAS System). For the uncommon case, you can write Rego policies to define custom roles or even custom rules that make whatever authorization decision you want.

Enable Fine-Grained Authorization (BETA)

To enable the new version of DAS product Authorization, update the following feature flags; this triggers the automatic data migration and enables all new capabilities and UI pages. To do so, edit the settings configmap and update config.json with the following entries under the "features" section:

{
  "tenants": {
    "default": {}
  },
  "features": {
    "AUTHZ_MAX_LOAD_DELAY": "1m",
    "AUTHZ_V2_ENABLED": true,
    "AUTHZ_V2_ENFORCEMENT_ENABLED": true,
    "AUTHZ_ENFORCEMENT_ENABLED": false,
    "AUTHZ_V2_INTERNAL_APIS_ENABLED": true,
    "AUTHZ_V2_EXPANDED_ROLES_ENABLED": true
  }
}

Alternatively, you can enable the same feature flags through the Helm charts by editing the values.yaml file and populating the templates/settings-config.tpl file:

values.yaml file:

features:
  AUTHZ_MAX_LOAD_DELAY: 1m
  AUTHZ_V2_ENABLED: true
  AUTHZ_V2_ENFORCEMENT_ENABLED: true
  AUTHZ_ENFORCEMENT_ENABLED: false
  AUTHZ_V2_INTERNAL_APIS_ENABLED: true
  AUTHZ_V2_EXPANDED_ROLES_ENABLED: true

templates/settings-config.tpl file:

features:
  "AUTHZ_MAX_LOAD_DELAY": {{ .tenants.features.AUTHZ_MAX_LOAD_DELAY | quote }},
  "AUTHZ_V2_ENABLED": {{ .tenants.features.AUTHZ_V2_ENABLED }},
  "AUTHZ_V2_ENFORCEMENT_ENABLED": {{ .tenants.features.AUTHZ_V2_ENFORCEMENT_ENABLED }},
  "AUTHZ_ENFORCEMENT_ENABLED": {{ .tenants.features.AUTHZ_ENFORCEMENT_ENABLED }},
  "AUTHZ_V2_INTERNAL_APIS_ENABLED": {{ .tenants.features.AUTHZ_V2_INTERNAL_APIS_ENABLED }},
  "AUTHZ_V2_EXPANDED_ROLES_ENABLED": {{ .tenants.features.AUTHZ_V2_EXPANDED_ROLES_ENABLED }}

This triggers the automatic migration from version 1 of DAS Authorization to version 2, enabling more fine-grained controls as well as a range of new RBAC roles scoped to workspace, system, and stack resources. It also adds new capabilities such as SSO-claims-based authorization and the ability to grant permissions to specific API tokens.
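Before applying the edited configmap, it is worth checking that the "features" section carries exactly the flag set above, since a quoted "true" or a stray AUTHZ_ENFORCEMENT_ENABLED: true leaves the v1 and v2 enforcement paths in a state this page does not describe. The following validator is an added example, not part of Styra DAS; the sample config.json it checks is constructed here with deliberate mistakes.

```python
import json
import re

# Added example, not Styra DAS code: the flag values this page instructs you to set.
EXPECTED_FEATURES = {
    "AUTHZ_MAX_LOAD_DELAY": "1m",        # Go duration string, e.g. "30s", "1m"
    "AUTHZ_V2_ENABLED": True,
    "AUTHZ_V2_ENFORCEMENT_ENABLED": True,
    "AUTHZ_ENFORCEMENT_ENABLED": False,  # v1 enforcement is switched off
    "AUTHZ_V2_INTERNAL_APIS_ENABLED": True,
    "AUTHZ_V2_EXPANDED_ROLES_ENABLED": True,
}
GO_DURATION = re.compile(r"^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$")


def check_authz_features(config_text: str) -> list[str]:
    """Return findings for a config.json text; an empty list means it matches the page."""
    config = json.loads(config_text)
    features = config.get("features")
    if not isinstance(features, dict):
        return ['missing or non-object "features" section']
    findings = []
    for key, want in EXPECTED_FEATURES.items():
        got = features.get(key)
        if key not in features:
            findings.append(f"{key}: missing")
        elif key == "AUTHZ_MAX_LOAD_DELAY":
            if not isinstance(got, str) or not GO_DURATION.match(got):
                findings.append(f'{key}: {got!r} is not a Go duration such as "1m"')
        elif not isinstance(got, bool):
            # A quoted "true" is a common slip; the flag must be a JSON boolean.
            findings.append(f"{key}: expected boolean, got {type(got).__name__}")
        elif got != want:
            findings.append(f"{key}: expected {want}, got {got}")
    # Enabling both enforcement generations at once is not a state this page describes.
    if features.get("AUTHZ_ENFORCEMENT_ENABLED") is True and features.get("AUTHZ_V2_ENFORCEMENT_ENABLED") is True:
        findings.append("v1 and v2 enforcement both enabled; set AUTHZ_ENFORCEMENT_ENABLED to false")
    return findings


# Constructed sample with three mistakes: quoted boolean, v1 enforcement left on, missing flag.
SAMPLE_CONFIG = """{"tenants": {"default": {}}, "features": {
  "AUTHZ_MAX_LOAD_DELAY": "1m", "AUTHZ_V2_ENABLED": "true",
  "AUTHZ_V2_ENFORCEMENT_ENABLED": true, "AUTHZ_ENFORCEMENT_ENABLED": true,
  "AUTHZ_V2_INTERNAL_APIS_ENABLED": true}}"""

if __name__ == "__main__":
    print("\n".join(check_authz_features(SAMPLE_CONFIG)) or "features OK")
```

Run it against the config.json extracted from the configmap; an empty result means the flags match this page, and each finding names the key to correct.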

Upon successful migration, the UI automatically renders the new Access Control pages, which you can use to further configure the tenant's DAS Authorization posture. For more information on how to manage authorization, see the Authorization Management page.