Policies explained

Custom policies have simple semantics: a policy gives a set of subjects permission to perform certain actions on a set of given resources.

More precisely, each policy consists of:

  • Description -- a brief explanation of the policy, displayed in the overview for developer convenience
  • Subjects -- the set of API keys affected by this policy
  • Resources -- the set of resources to which access is being granted. Currently the only supported resource type is datasets
  • Actions -- the set of operations that Subjects will be able to perform on Resources

Actions

There are four possible actions:

  • Read -- gives permission to read all data in the given resource. For REST on datasets it's equivalent to permission to perform GET requests
  • Create -- gives permission to generate new data in the given resource. For REST on datasets it's equivalent to permission to perform POST requests
  • Update -- gives permission to update data in the given resource. For REST on datasets it's equivalent to permission to perform PUT requests
  • Delete -- gives permission to delete data from the given resource. For REST on datasets it's equivalent to permission to perform DELETE requests

Note: when performing Create/Update/Delete actions through REST, the affected records are returned as the result. To perform those actions successfully, the authorized API key must have sufficient access to read the returned data. Therefore, when granting a subject permission to perform those actions, it's advised to grant it Read permission as well.

Example

Assume you have two datasets, ds1 and ds2, and two API keys, apikey1 and apikey2. You want apikey1 to be able only to read data in ds1, and apikey2 to append data to that dataset (without updating it). You also want both API keys to have full access to ds2. There are several ways to do this; here is the simplest of them:

Policy 1:

Description: "Policy that gives apikey1 access to ds1"
Subjects: ["apikey1"]
Resources: ["ds1"]
Actions: ["read"]

Policy 2:

Description: "Policy that gives apikey2 access to ds1"
Subjects: ["apikey2"]
Resources: ["ds1"]
Actions: ["read", "create"]

Policy 3:

Description: "Policy that gives apikey1, apikey2 access to ds2"
Subjects: ["apikey1", "apikey2"]
Resources: ["ds2"]
Actions: ["read", "create", "update", "delete"]
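
To check that the three policies grant exactly what the example asks for and nothing more, the sketch below evaluates REST requests against them and flags any key that can write to a dataset without being able to read it (the situation the Note in the Actions section warns about). It is an added example, not the service's own code; it assumes policies are additive allow rules with everything else denied, and the function names are hypothetical.

```python
# Added example: minimal evaluator for the three policies above.
# Assumptions (not from the page): allow-only policies, default deny, helper names.
METHOD_TO_ACTION = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}

POLICIES = [
    {"description": "Policy that gives apikey1 access to ds1",
     "subjects": ["apikey1"], "resources": ["ds1"], "actions": ["read"]},
    {"description": "Policy that gives apikey2 access to ds1",
     "subjects": ["apikey2"], "resources": ["ds1"], "actions": ["read", "create"]},
    {"description": "Policy that gives apikey1, apikey2 access to ds2",
     "subjects": ["apikey1", "apikey2"], "resources": ["ds2"],
     "actions": ["read", "create", "update", "delete"]},
]

def granted_actions(policies, subject, resource):
    """Union of the actions that all matching policies grant."""
    actions = set()
    for policy in policies:
        if subject in policy["subjects"] and resource in policy["resources"]:
            actions.update(policy["actions"])
    return actions

def is_allowed(policies, subject, resource, method):
    """Decide a REST request; unknown methods and unmatched keys are denied."""
    action = METHOD_TO_ACTION.get(method.upper())
    if action is None:
        return False
    granted = granted_actions(policies, subject, resource)
    if action not in granted:
        return False
    # Writes return the affected records, so the key must also hold read.
    return action == "read" or "read" in granted

def write_without_read(policies):
    """Lint: (subject, resource) pairs holding a write action but no read."""
    pairs = {(s, r) for p in policies for s in p["subjects"] for r in p["resources"]}
    findings = []
    for subject, resource in sorted(pairs):
        granted = granted_actions(policies, subject, resource)
        if granted - {"read"} and "read" not in granted:
            findings.append((subject, resource))
    return findings

if __name__ == "__main__":
    for key, ds, method in [("apikey1", "ds1", "GET"), ("apikey1", "ds1", "POST"),
                            ("apikey2", "ds1", "POST"), ("apikey2", "ds1", "PUT")]:
        print(key, method, ds, "->", "allow" if is_allowed(POLICIES, key, ds, method) else "deny")
    print("write-without-read findings:", write_without_read(POLICIES))
```

Running the lint before saving a policy change catches grants such as a create-only key, whose POST requests would fail because the returned records cannot be read.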