Tetrate Service Bridge (version: next)

Policy Bindings

Access Policy Bindings.

Binding

A binding associates a role with a set of subjects.

Bindings are used to configure policies: different roles can be assigned to different sets of subjects to configure fine-grained access control for the resource protected by the policy.

Field / Description / Validation Rule

role (string, REQUIRED)
  The role that defines the permissions that will be granted on the target resource.
  Validation rule:
    string = {
      min_len: 1
    }

subjects (list of tetrateio.api.tsb.rbac.v2.Subject)
  The set of subjects that will be allowed to access the target resource with the permissions defined by the role.

Subject

Subject identifies a user or a team under an organization. Roles are assigned to subjects for specific resources in the system.

Field / Description / Validation Rule

Exactly one of the following fields is set; together they form the oneof _sub.

user (string, oneof _sub)
  A user in TSB, created through LDAP sync or the API. Must use the fully-qualified name (fqn) of the user, e.g. organization/myorg/users/alice

team (string, oneof _sub)
  A team in TSB, created through LDAP sync or the API. Must use the fully-qualified name (fqn) of the team, e.g. organization/myorg/teams/t1

serviceAccount (string, oneof _sub)
  A service account in TSB. Must use the fully-qualified name (fqn) of the service account, e.g. organization/myorg/serviceaccounts/sa1
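The Binding and Subject rules above (a non-empty role, exactly one member of the _sub oneof per subject, and fully-qualified subject names) are easy to get wrong in hand-written policy, so the following added example, which is not TSB code, validates a binding client-side before it is submitted. The FQN patterns are an assumption generalised from the three example names on this page.

```python
# Added example (not TSB's own code): check a Binding/Subject structure against
# the rules documented on this page before submitting it to the API.
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed FQN shapes, generalised from the page's examples
# (organization/myorg/users/alice, .../teams/t1, .../serviceaccounts/sa1).
_FQN = {
    "user": re.compile(r"^organization/[^/]+/users/[^/]+$"),
    "team": re.compile(r"^organization/[^/]+/teams/[^/]+$"),
    "serviceAccount": re.compile(r"^organization/[^/]+/serviceaccounts/[^/]+$"),
}


@dataclass
class Subject:
    # Exactly one of these must be set (the "_sub" oneof on the page).
    user: Optional[str] = None
    team: Optional[str] = None
    serviceAccount: Optional[str] = None


@dataclass
class Binding:
    role: str
    subjects: list = field(default_factory=list)


def subject_errors(s: Subject) -> list:
    """Return validation problems for one Subject (empty list if valid)."""
    kinds = {k: v for k, v in vars(s).items() if v is not None}
    if len(kinds) != 1:
        return [f"subject must set exactly one of user/team/serviceAccount, "
                f"got {sorted(kinds) or 'none'}"]
    (kind, fqn), = kinds.items()
    if not _FQN[kind].match(fqn):
        return [f"{kind} {fqn!r} is not a fully-qualified name"]
    return []


def binding_errors(b: Binding) -> list:
    """Return all validation problems for a Binding (empty list if valid)."""
    errors = []
    if len(b.role) < 1:  # role: string = { min_len: 1 }
        errors.append("role is required and must be non-empty")
    for i, s in enumerate(b.subjects):
        errors += [f"subjects[{i}]: {e}" for e in subject_errors(s)]
    return errors
```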

RequiredPermission

Configures the sets of permissions that are required to invoke the method where this option is applied.

Field / Description / Validation Rule

permissions (list of tetrateio.api.tsb.rbac.v2.Permission)
  The required set of permissions. The full name of each permission (such as ReadApplication) will be inferred from the name of the method where this option is applied.

rawPermissions (list of string)
  Set of raw permission names. Only use this if the method being protected does not follow the common naming convention, so the proper name of the permission cannot be inferred from the Permission enum and the method name alone.

deferPermissionCheckToApplication (bool)
  When this flag is set to true, the permission checks will not be made at the API surface. This is usually needed when there is no explicit set of permissions that can be preconfigured for the API methods, so the access control checks are implemented at runtime by the application. The default value is 'false'. The flag is only taken into account if the permission properties are empty; if any permission is set, this flag is ignored.

baseProto (string)
  The base proto message that the permissions are scoped at. This needs to be used together with tetrateio.api.tsb.types.v2.TypeInfo.permissions_scoped_at to mark a service or a method to generate scoped permissions.