6.9 ACL, Statement
ACL and Statement definitions and definition examples are shown below. For details on ACL and Statement, see “Users and ACL”.
ACL YAML definitions are shown below.
| Label | Default value | Required | Description |
|---|---|---|---|
| apiVersion: | 1.0 | Yes | API version |
| kind: | | Yes | Specify "acl" for ACL. |
| type: | | No | Only "resource" can be specified for ACL. |
| name: | | Yes | Internal name of the ACL definition. Specify the directory name for this YAML file. |
| label: | | Yes | YAML file display name |
| description: | | No | Detailed description of this YAML file |
| includes: | | No | List the related YAML files for use in this YAML file. |
| - kind: | | Yes | Type of YAML file to be loaded |
| name: | | Yes | Internal name of YAML file to be loaded |
| statements: | | Yes | Specify the names of the Statements to be linked to the ACL in list form. Example: `statements:` followed by the list items `- statement_name1` and `- statement_name2`. |
The Statement YAML definition is as follows.
| Label | Default value | Required | Description |
|---|---|---|---|
| apiVersion: | 1.0 | Yes | API version |
| kind: | | Yes | Specify "statement" for Statement. |
| type: | | No | Only "resource" can be specified for Statement. |
| name: | | Yes | Internal name of the Statement definition. Specify the directory name for this YAML file. |
| label: | | Yes | YAML file display name |
| description: | | No | Detailed description of this YAML file |
| includes: | | No | List the related YAML files for use in this YAML file. |
| - kind: | | Yes | Type of YAML file to be loaded |
| name: | | Yes | Internal name of YAML file to be loaded |
| authzType: | | Yes | The Statement authorization type. The values that can be used are the authzTypes listed in "(Table) Actions for each authzType" (uri, document, object). |
| actions: | | Yes | The Statement actions, noted in list format. Used for the uri type. The values available depend on the authzType and resource; for the actions for each authzType, see "(Table) Actions for each authzType". |
| action: | | Yes | The Statement action. Used for the document type and the object type. The values available depend on the authzType and resource; for the actions for each authzType, see "(Table) Actions for each authzType". |
| resources: | | Yes | Resources. Noted in a list and can be used with all authzTypes. |
| - format: | wildcard | No | Value format. The following can be used: |
| value: | | Yes | A value to identify resources. Specify the resource matching the authzType. Depending on the format, wildcards and regular expressions can be used. For authzType document: `kind name:Document name:Path of the document key-value`. For authzType uri: `https://Ops I host name/target path`. For authzType object: `/api/v1/API`; see the API reference for the values that can be specified for API. |
| graphqlQuery: | | No | The GraphQL query name. Specify the query name used when the value API is GraphQL. |
| format: | wildcard | No | Value format. The following can be used: |
| value: | | Yes | A value to identify the GraphQL query name. Depending on the format, wildcards and regular expressions can be used. |
| effect: | allow | Yes | Effect of the Statement. The following can be used: allow (default), deny. |
| conditions: | | No | The authorization conditions. Multiple conditions can be noted: the first level of the list represents OR, and the second level can contain multiple conditions combined as AND. This field can be used in the following authzTypes: |
| - | | No | |
| - operator: | | Yes | Operator. The following can be used: |
| firstOperand: | | Yes | The first operand. Specify a value or a context. For the contexts that can be used, see "(Table) Contexts available for use". The values available through a context differ depending on the object. There are two types of objects: "New", which is newly created, and "Recorded", which is an existing object on Ops I. The value of the "New" record to be evaluated is noted as `New.Object.*`, and the value of the Recorded record as `Recorded.Object.*`. Example: `{{ .GetValue ".New.Object.createBy" }}`. The first operand supports the following formats: |
| secondOperand: | | Yes | The second operand. "firstOperand" and "operator" must also be specified. Specify a value or a context. For the contexts that can be used, see "(Table) Contexts available for use". The values available through a context differ depending on the object. There are two types of objects: "New", which is newly created, and "Recorded", which is an existing object on Ops I. The value of the "New" record to be evaluated is noted as `New.Object.*`, and the value of the Recorded record as `Recorded.Object.*`. Example: `{{ .GetValue ".New.Object.createBy" }}`. The second operand supports the following formats: |
| fields: | | No | List of fields to be evaluated. Can be used for the following authzTypes: |
| - format: | wildcard | No | Value format. The following can be used: |
| value: | | Yes | A value to identify resources. Specify the resource matching the authzType. Depending on the format, wildcards and regular expressions can be used. |
(Table) Actions for each authzType
| authzType | ActionValue | Description |
|---|---|---|
| uri | GET | GET request |
| uri | POST | POST request |
| uri | PUT | PUT request |
| uri | DELETE | DELETE request |
| uri | PATCH | PATCH request |
| uri | Other | Cannot be specified. Other HTTP methods are permitted as a default behavior. |
| document | read | Displays application or UI elements (tabs, components). |
| object | read | Authorize "read" by a user. |
| object | create | Authorize "create" by a user. |
| object | update | Authorize "update" by a user. |
| object | delete | Authorize "delete" by a user. |
(Table) Contexts available for use
| Context | Description |
|---|---|
| {{ .GetValue ".Requester.Id" }} | ID of the requesting user |
| {{ .GetValue ".Requester.Name" }} | Name of the requesting user |
| {{ .GetValue ".Requester.DisplayName" }} | Requesting user display name |
| {{ .GetValue ".Requester.GroupNames" }} | Names of the user's groups. Returned in list format. |
| {{ .GetValue ".Requester.GroupIds" }} | IDs of the user's groups. Returned in list format. |
| {{ .GetValue ".Requester.RoleNames" }} | Names of the user's roles. Returned in list format. |
| {{ .GetValue ".Requester.RoleIds" }} | IDs of the user's roles. Returned in list format. |
| {{ .GetValue ".Requester.CustomerName" }} | Customer name of the requesting user (including customer information if the user is a customer user) |
| {{ .GetValue ".Requester.CustomerId" }} | Customer ID of the requesting user (including customer information if the user is a customer user) |
| {{ .GetValue ".New.Object.<FIELD>" }} | The new request from the requester, for evaluation |
| {{ .GetValue ".Recorded.Object.<FIELD>" }} | The record registered with Ops I, for evaluation |
| {{ .GetValue ".Recorded.Object" \| .GetCustomer }}, {{ .GetValue ".New.Object" \| .GetCustomer }} | GetCustomer retrieves the name of the customer associated with the object that was input. The following objects can be used: |
<Definition example> ACL

```yaml
apiVersion: 1.0
kind: acl
## Meta data
type: resource
name: acl_infra_default
label: acl_infra_default
description: |
  This is an acl_infra_default acl.
  You can action elements that are specified in statement.
  But you cannot action elements that are not specified in statement.
## Dependencies
includes:
  - kind: statement
    name: statement_document_application_management_allow_default
# ACL DATA
statements:
  - statement_document_application_management_allow_default
```
<Definition example> Statement

```yaml
apiVersion: 1.0
kind: statement
## Meta data
type: resource
name: user_workspace_statement
label: user_workspace
description: workspace hidden
authzType: document
action: read
resources:
  - format: wildcard
    value: application:sys_task:tabs\[0\].**
effect: deny # added
```
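The "conditions" semantics from the Statement table (first list level OR, second level AND) and the `{{ .GetValue "..." }}` context references, as an added Python evaluator that is not part of Ops I or this manual. The operator names `eq` and `in`, the Statement and the request contexts are assumptions for illustration; the manual does not list operator values, and only the plain `.GetValue` form is resolved.

```python
import re
# Constructed Statement (as loaded from YAML): allow "update" on an object when the
# requester created the record AND is in group "ops-admins", OR has role "superuser".
# The operator names "eq" and "in" are assumptions; the manual does not list them.
STATEMENT = {
    "authzType": "object", "action": "update", "effect": "allow",
    "conditions": [
        [   # AND group 1
            {"operator": "eq", "firstOperand": '{{ .GetValue ".Requester.Id" }}',
             "secondOperand": '{{ .GetValue ".Recorded.Object.createBy" }}'},
            {"operator": "in", "firstOperand": "ops-admins",
             "secondOperand": '{{ .GetValue ".Requester.GroupNames" }}'},
        ],
        [   # AND group 2, OR-ed with group 1
            {"operator": "in", "firstOperand": "superuser",
             "secondOperand": '{{ .GetValue ".Requester.RoleNames" }}'},
        ],
    ],
}

# Plain '{{ .GetValue ".A.B" }}' references only; piped forms such as .GetCustomer are not handled.
GETVALUE = re.compile(r'^\{\{\s*\.GetValue\s+"\.([\w.]+)"\s*\}\}$')

def resolve(operand, ctx):
    """Resolve a context reference against ctx; any other operand is a literal."""
    m = GETVALUE.match(operand) if isinstance(operand, str) else None
    if not m:
        return operand
    cur = ctx
    for part in m.group(1).split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # missing context never satisfies a comparison
        cur = cur[part]
    return cur

OPS = {"eq": lambda a, b: a is not None and a == b,
       "in": lambda a, b: isinstance(b, list) and a in b}

def condition_holds(cond, ctx):
    op = OPS[cond["operator"]]  # unknown operator raises KeyError: fail closed
    return op(resolve(cond["firstOperand"], ctx), resolve(cond["secondOperand"], ctx))

def conditions_match(conditions, ctx):
    """Outer list is OR, each inner list is AND; no conditions means unconditional."""
    return True if not conditions else any(
        all(condition_holds(c, ctx) for c in group) for group in conditions)

def evaluate(statement, ctx):
    """Return the Statement's effect when its conditions hold, otherwise None (no decision)."""
    return statement["effect"] if conditions_match(statement.get("conditions"), ctx) else None
```

A Statement without a conditions field, such as the deny example above, applies unconditionally; a context reference that cannot be resolved yields None and never satisfies a comparison.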