Styra DAS Entitlements System Object Model
Entitlement Systems have predefined policy snippets that work over an opinionated object model. To use these snippets, import your data in a way that conforms to the Entitlements model.
To help get your data into Styra DAS in the Entitlements object model, Styra provides pre-built transformation policies for many data sources, such as LDAP, AD, SCIM, OpenAPI v2, and OpenAPI v3.
The Styra DAS Entitlements object model is designed to be flexible: both RBAC and ABAC are supported simultaneously, and almost any structured data can be used as additional context for authorization decisions. You do not need to populate the object model in its entirety, only the portion required by the pre-built rules that you intend to use.
In implementation, you can populate that object model by writing Rego code that lives in the folder object (which has the Rego package object and is therefore referenced as data.object). You must assign the following variables to the correct values based on the data sources you have configured.
- users: The person (or program) that is attempting to perform the action.
- service accounts: The machines that take actions.
- actions: The changes that users and service accounts can make.
- resources: The resources that users and service accounts can act on.
- roles: The assignment of users and service accounts to roles.
- role bindings: The assignment of roles to the permissions they are granted.
- groups: The assignment of users and service accounts to group names.
- group bindings: The assignment of groups to the permissions they are granted.