Entitlements System Concepts
This section describes the concepts used in the Entitlements System type.
System
An Entitlements System represents a logical unit (an application) that performs authorization.
Stack
A Stack represents policies that are enforced across a set of Systems. For example, one Stack could define the global policies for an organization while another defines the policies required for production Systems. Stacks may also be used to enforce compliance regulations across a set of Systems. For example, the IAM team may own a Stack and use it to grant access to resources based on organization-wide IAM permissions.
To integrate with a Styra DAS Entitlements System, an application must be updated to make an authorization request to OPA each time a subject attempts an action, and to enforce the decision OPA returns.
Requests
A Request asks whether a subject can perform an operation and may optionally return a set of Entitlements. By default, an Entitlements System supports three input fields: action, resource, and subject. Values for these three fields should be strings, for example:
{
  "action": "GET",
  "resource": "/v1/systems/prod-cluster",
  "subject": "alice@styra.com"
}
The action specifies the type of access being performed; for example, this may be an HTTP verb like GET or a higher-level action like read. The resource is the identifier of the object being accessed; this can be an HTTP path like /v1/systems/prod-cluster or a higher-level resource like System.Configuration. The subject is the id of the user or service account performing the request.
An optional input field that may be used in some policies is the context field, for example:
{
  "action": "GET",
  "resource": "/v1/systems/prod-cluster",
  "subject": "alice@styra.com",
  "context": {
    "location": "Wonderland"
  }
}
Additionally, Entitlements Systems can be extended to support any arbitrary input field. Entitlements Systems are also compatible with applications that call into existing authorization systems. To integrate with such applications, you implement a transformation policy that rewrites the existing input schema to the schema described above. Note that every field of the request, including subject and context, is asserted by the calling application: OPA evaluates the policy against whatever input it is given, so the application must authenticate the subject and populate these fields itself before asking for a decision.
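The following Rego is an added illustration of the two ideas above and is not code from Styra DAS or from this page: it normalises a hypothetical legacy input shape ({"method", "path", "user": {"email"}}) into the action/resource/subject/context schema, then authorises against that normalised request. The package name, the legacy field names, the readers set and the location check are all assumptions made for the example; in a real Entitlements System the transformation lives in its own policy and the subject data comes from the System's data documents rather than being hard-coded.

```rego
package entitlements.example

import rego.v1

# Deny unless some allow rule matches explicitly.
default allow := false

# Requests that already use the action/resource/subject schema pass through untouched.
request := input if {
	input.action
	input.resource
	input.subject
}

# Hypothetical legacy schema (assumption for this example): rewrite it into the
# Entitlements schema. The two request rules are mutually exclusive, so the
# complete rule never produces conflicting values.
request := {
	"action": input.method,
	"resource": input.path,
	"subject": input.user.email,
	"context": object.get(input, "context", {}),
} if {
	not input.action
	input.method
	input.path
	input.user.email
}

# Constructed sample data standing in for a System data document.
readers := {"alice@styra.com", "svc-monitor"}

# Reads of any System are allowed for known readers. Both the HTTP verb and the
# higher-level action are accepted, as the text describes.
allow if {
	request.action in {"GET", "read"}
	startswith(request.resource, "/v1/systems/")
	request.subject in readers
}

# Changes to production Systems additionally require the optional context field
# to carry an approved location (assumed policy, not taken from the page).
allow if {
	request.action in {"PUT", "DELETE"}
	startswith(request.resource, "/v1/systems/prod-")
	request.subject == "alice@styra.com"
	request.context.location == "Wonderland"
}
```

Evaluate it locally with opa eval -d policy.rego -i input.json "data.entitlements.example.allow", where input.json is either of the JSON documents shown above or the legacy shape {"method": "GET", "path": "/v1/systems/prod-cluster", "user": {"email": "alice@styra.com"}}; all three yield true, while a DELETE of /v1/systems/prod-cluster without the context.location field yields false because neither allow rule matches.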