Authorization specifies which actions can be performed by users, SSO providers, and API tokens.
Styra DAS makes the common case easy and the uncommon case possible. The common case assigns users, SSO providers, or tokens to one or more roles. A role is a pre-built collection of permissions. For more granularity, you can assign users roles on a specific resource (for example, a single Styra DAS System). For the uncommon case, you can write Rego policies to define custom roles or custom rules that make whatever authorization decision you want.
For example, you can write a policy for the following users:
Ruchita should have full control of the Workspace level.
dev_team3 should have full control of the System level.
Alice should be given read-only control for the Workspace level to see the list of violations that require a fix.
To implement that policy with the Styra DAS, you must assign the following roles:
Write a custom role called
Alice to that role on Workspace level. You can also write a custom Rego rule that allows Alice to access APIs when running in the Workspace level.
When you assign roles, you can assign them to each of the different forms of authentication that the DAS supports.
User IDs: These are in the form of email addresses.
SSO provider: When a user authenticates through SSO, the SSO provider can be assigned roles.
API tokens: Each API token can be assigned roles.
When roles are assigned, a user is granted the union of the permissions of all the roles the user is assigned. For example, if a user is granted both WorkspaceAdministrator at the Workspace level, then the user can view and administer the Workspace.
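As an added example (not a Styra policy and not the DAS authorization schema), the following OPA Rego policy models the scenario above: pre-built roles, a custom role and a custom rule for Alice, and the union-of-roles permission check described in the last paragraph. The package name, the input fields (subject, scope, action, method), the role and permission names and the subject identifiers are all assumptions.

```rego
# Added example, not Styra's own policy. Package name, input shape
# (input.subject, input.scope, input.action, input.method), role and
# permission names and the subjects are assumptions, not the DAS schema.
package example.das_authz

import rego.v1

default allow := false

# Roles: each role is a set of permissions. The first two stand in for
# pre-built DAS roles; "ViolationViewer" is a custom role written for Alice.
role_permissions := {
	"WorkspaceAdministrator": {"workspace:read", "workspace:write", "workspace:administer"},
	"SystemAdministrator": {"system:read", "system:write", "system:administer"},
	"ViolationViewer": {"workspace:read", "violations:read"},
}

# Role assignments for a user ID, an SSO provider and an API token, each
# scoped to the Workspace level or to one System (constructed data).
assignments := [
	{"subject": "ruchita@example.com", "role": "WorkspaceAdministrator", "scope": "workspace"},
	{"subject": "sso:dev_team3", "role": "SystemAdministrator", "scope": "system/payments-api"},
	{"subject": "alice@example.com", "role": "ViolationViewer", "scope": "workspace"},
	{"subject": "token:ci-deploy", "role": "SystemAdministrator", "scope": "system/payments-api"},
]

# Effective permissions of the subject at the requested scope: the union of
# the permissions of every role assigned to it at that scope.
permissions contains p if {
	some a in assignments
	a.subject == input.subject
	a.scope == input.scope
	some p in role_permissions[a.role]
}

# Common case: allow when the requested action is in the effective set.
allow if input.action in permissions

# Uncommon case: a custom rule that lets Alice call read-only Workspace APIs
# directly, independent of any role assignment.
allow if {
	input.subject == "alice@example.com"
	input.scope == "workspace"
	input.method == "GET"
}
```

Evaluate it with `opa eval -d policy.rego -i input.json 'data.example.das_authz.allow'`, where input.json carries the assumed subject, scope, action and method fields.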