Overview
Authorization specifies which actions can be performed by users, SSO providers, and API tokens.
Styra DAS makes the common case easy and the uncommon case possible. The common case assigns users, SSO providers, or tokens to one or more roles. A role is a pre-built collection of permissions. For more granularity, you can assign users roles on a specific resource (for example, a single Styra DAS System). For the uncommon case, you can write Rego policies to define custom roles or custom rules that make whatever authorization decision you want.
For example, you can write a policy for the following users:
Ruchita should have full control at the Workspace level.
dev_team3 should have full control at the System level.
Alice should have read-only access at the Workspace level so that she can see the list of violations that require a fix.
To implement that policy in Styra DAS, you assign the following roles:
Assign Ruchita to the WorkspaceAdministrator role.
Assign dev_team3 to the SystemOwner role.
Write a custom role called WorkspaceViewer and assign Alice to that role at the Workspace level. You can also write a custom Rego rule that allows Alice to access the APIs she needs at the Workspace level.
When you assign roles, you can assign them to each of the different forms of authentication that the DAS supports.
User IDs: These are in the form of email addresses.
SSO provider: When a user authenticates through SSO, the SSO provider can be assigned roles.
API tokens: Each API token can be assigned roles.
When roles are assigned, a user is granted the union of the permissions of all the roles the user is assigned. For example, if a user is granted both WorkspaceViewer and WorkspaceAdministrator at the Workspace level, then the user can both view and administer the Workspace.