Skip to main content

Authorization for On-Premises Environment

Authentication allows you to grant users and machines access to the Styra DAS. Authorization allows you to control which actions those users and machines can perform is Styra DAS.

Styra DAS aims to make the common case easy and the uncommon case possible. The common case is handled by assigning users/groups/tokens to one or more roles. A role is a pre-built collection of permissions. For more granularity you can assign users to roles on a specific resource (for example, a single DAS System). For the uncommon case, you can write Rego policies to define custom roles or even custom rules that make whatever authorization decision you want.

Enable Fine-Grained Authorization

To enable the new version Styra DAS Authorization, update the following feature flags which will trigger the automation data migration and enable all new capabilities and Styra DAS UI pages. This can be achieved by editing the setting configmap and updating the config.json with the following entries under "features” section:

{
    "tenants": {
        "default": {}
    },
    "features": {
        "AUTHZ_MAX_LOAD_DELAY": "1m",
        "AUTHZ_V2_ENABLED": true,
        "AUTHZ_V2_ENFORCEMENT_ENABLED": true,
        "AUTHZ_ENFORCEMENT_ENABLED": false,
        "AUTHZ_V2_EXPANDED_ROLES_ENABLED": true
    }
}

Alternatively, you can edit the Helm charts to enable the same feature flags by editing the values.yaml file and populate the templates/settings-config.tpl file:

values.yaml file:

features:
  AUTHZ_MAX_LOAD_DELAY: 1m
  AUTHZ_V2_ENABLED: true
  AUTHZ_V2_ENFORCEMENT_ENABLED: true
  AUTHZ_ENFORCEMENT_ENABLED: false
  AUTHZ_V2_EXPANDED_ROLES_ENABLED: true

templates/settings-config.tpl file:

features:
  "AUTHZ_MAX_LOAD_DELAY": {{ .tenants.features.AUTHZ_MAX_LOAD_DELAY | quote }},
  "AUTHZ_V2_ENABLED": {{ .tenants.features.AUTHZ_V2_ENABLED }},
  "AUTHZ_V2_ENFORCEMENT_ENABLED": {{ .tenants.features.AUTHZ_V2_ENFORCEMENT_ENABLED }},
  "AUTHZ_ENFORCEMENT_ENABLED": {{ .tenants.features.AUTHZ_ENFORCEMENT_ENABLED }},
  "AUTHZ_V2_EXPANDED_ROLES_ENABLED": {{ .tenants.features.AUTHZ_V2_EXPANDED_ROLES_ENABLED }}

This will soon trigger the automation migration from the version 1 of Styra DAS Authorization to version 2, enabling more fine-grained controls as well as a myriad of new RBAC roles scoped to workspace, system, and stack resources. Additionally, there are new capabilities such as SSO-claims based authorization as well the ability to grant permissions to specific API tokens.

Upon successful migration, the Styra DAS UI will automatically render new Access Control pages which can be used for further configuration of Styra DAS Authorization posture for the tenant. For more information on how to manage authorization, see the Authorization Management page.