Access Policy Bindings.
A binding associates a role with a set of subjects.
Bindings are used to configure policies: different roles can be assigned to
different sets of subjects, giving fine-grained access control over the
resource protected by the policy.
Field | Description | Validation Rule
---|---|---
role | string. REQUIRED. The role that defines the permissions that will be granted to the target resource. | string = { min_len: 1 }
subjects | List of tetrateio.api.tsb.rbac.v2.Subject. The set of subjects that will be allowed to access the target resource with the permissions defined by the role. | –
Subject identifies a user or a team under an organization. Roles are
assigned to subjects for specific resources in the system.
Field | Description | Validation Rule
---|---|---
user | string, oneof _sub. A user in TSB, created through LDAP sync or API. Must use the fully-qualified name (fqn) of the user, e.g. organization/myorg/users/alice | –
team | string, oneof _sub. A team in TSB, created through LDAP sync or API. Must use the fully-qualified name (fqn) of the team, e.g. organization/myorg/teams/t1 | –
serviceAccount | string, oneof _sub. A service account in TSB. Must use the fully-qualified name (fqn) of the service account, e.g. organization/myorg/serviceaccounts/sa1 | –
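The following is an added example, not code from TSB or this API reference. It validates a list of bindings against the rules stated in the two tables above: `role` must be a string of at least one character, and every Subject must set exactly one of `user`, `team` or `serviceAccount`. It adds one assumption of its own: a fully-qualified name is expected to have the shape `organization/<org>/<users|teams|serviceaccounts>/<name>`, which is the shape of the page's examples; the role names and the sample policy are constructed.

```python
"""Validate access-policy bindings against the field rules documented above.

Added example, not code from TSB. It enforces the page's rules (role is a
string with min_len 1; each Subject sets exactly one of user, team,
serviceAccount) plus one assumption: the fully-qualified name must look like
organization/<org>/<users|teams|serviceaccounts>/<name>, which is the shape of
the page's examples.
"""
import re

# Subject field name -> path segment used in its fully-qualified name (assumed
# from the page's examples: organization/myorg/users/alice, .../teams/t1,
# .../serviceaccounts/sa1).
SUBJECT_KINDS = {
    "user": "users",
    "team": "teams",
    "serviceAccount": "serviceaccounts",
}


def validate_subject(subject: dict) -> list:
    """Return the list of problems with one Subject (empty list means valid)."""
    set_kinds = [k for k in SUBJECT_KINDS if subject.get(k)]
    # oneof _sub: exactly one of the three fields may be set.
    if len(set_kinds) != 1:
        return [f"subject must set exactly one of {sorted(SUBJECT_KINDS)}, "
                f"got {set_kinds or 'none'}"]
    kind = set_kinds[0]
    value = subject[kind]
    if not isinstance(value, str):
        return [f"{kind} must be a string"]
    fqn = re.compile(rf"^organization/[^/]+/{SUBJECT_KINDS[kind]}/[^/]+$")
    if not fqn.match(value):
        return [f"{kind} {value!r} is not a fully-qualified name "
                f"(expected organization/<org>/{SUBJECT_KINDS[kind]}/<name>)"]
    return []


def validate_binding(binding: dict) -> list:
    """Return the list of problems with one Binding (empty list means valid)."""
    errors = []
    role = binding.get("role")
    # Validation rule from the page: string = { min_len: 1 }
    if not isinstance(role, str) or len(role) < 1:
        errors.append("role is required and must be a non-empty string")
    subjects = binding.get("subjects") or []
    if not isinstance(subjects, list):
        return errors + ["subjects must be a list of Subject"]
    for i, subject in enumerate(subjects):
        for err in validate_subject(subject):
            errors.append(f"subjects[{i}]: {err}")
    return errors


def validate_policy(bindings: list) -> dict:
    """Validate every binding of a policy; keys are indexes of invalid bindings."""
    report = {}
    for i, binding in enumerate(bindings):
        errors = validate_binding(binding)
        if errors:
            report[i] = errors
    return report


# Constructed sample policy: binding 0 is valid, the others each break one rule
# (empty role, two subject kinds in one Subject, a user name that is not an fqn).
SAMPLE_POLICY = [
    {"role": "reader",
     "subjects": [{"user": "organization/myorg/users/alice"},
                  {"team": "organization/myorg/teams/t1"},
                  {"serviceAccount": "organization/myorg/serviceaccounts/sa1"}]},
    {"role": "", "subjects": [{"user": "organization/myorg/users/bob"}]},
    {"role": "admin",
     "subjects": [{"user": "organization/myorg/users/alice",
                   "team": "organization/myorg/teams/t1"}]},
    {"role": "admin", "subjects": [{"user": "alice"}]},
]

if __name__ == "__main__":
    for index, errors in validate_policy(SAMPLE_POLICY).items():
        print(f"binding {index}: " + "; ".join(errors))
```

Running the sample reports bindings 1, 2 and 3 as invalid and accepts binding 0. Rejecting a Subject that sets two fields matters in practice: a binding that quietly picked one of them would grant the role to a different principal than the policy author intended.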
RequiredPermission
Configures the sets of permissions that are required to invoke the method where this option is applied.
Field | Description | Validation Rule
---|---|---
permissions | List of tetrateio.api.tsb.rbac.v2.Permission. The required set of permissions. The full name of each permission (such as ReadApplication) will be inferred from the name of the method where this option is applied. | –
rawPermissions | List of string. Set of raw permission name values. Only use this if the method being protected does not follow the common naming convention and the proper name of the permission cannot be inferred just by using the Permission enum and the method name. | –
deferPermissionCheckToApplication | bool. When this flag is set to true, the permission checks will not be made at the API surface. This is usually needed when there is no explicit set of permissions that can be preconfigured for the API methods, so the access control checks will be implemented at runtime by the application. The default value is 'false'. The flag is only taken into account if the permission properties are empty; if any permission is set, this flag is ignored. | –
baseProto | string. The base proto message that the permissions are scoped at. This needs to be used with tetrateio.api.tsb.types.v2.TypeInfo.permissions_scoped_at to be able to mark a service or a method to generate scoped permissions. | –
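The following is an added example, not TSB's own code, showing how the precedence rules in the table above combine into a single decision for a method: inferred permission names and raw permission names are merged, and `deferPermissionCheckToApplication` only matters when both lists are empty. Two things are assumptions of the example: the `Permission` enum values (READ, WRITE, CREATE, DELETE) and the naming convention used to derive the resource from the method name (a leading Get/List/Create/Update/Delete verb is dropped, so `GetApplication` with READ yields `ReadApplication`); the page only says the full name is inferred from the method name.

```python
"""Resolve the permission check an API method requires from its
RequiredPermission option, following the precedence rules described above.

Added example, not TSB's own code. Assumed: the Permission enum values below
and the method-name convention (drop a leading Get/List/Create/Update/Delete
verb to obtain the resource name).
"""
import re
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    """Assumed subset of tetrateio.api.tsb.rbac.v2.Permission."""
    READ = "Read"
    WRITE = "Write"
    CREATE = "Create"
    DELETE = "Delete"


@dataclass
class RequiredPermission:
    """Mirror of the option's fields as documented in the table above."""
    permissions: list = field(default_factory=list)       # list of Permission
    raw_permissions: list = field(default_factory=list)   # list of str
    defer_permission_check_to_application: bool = False
    base_proto: str = ""


@dataclass(frozen=True)
class Decision:
    required: frozenset   # permission names that must all be granted
    deferred: bool        # True: no check at the API surface, application decides


# Assumed naming convention used to infer the resource from the method name.
_METHOD = re.compile(r"^(?:Get|List|Create|Update|Delete)(?P<resource>[A-Z]\w*)$")


def resource_from_method(method: str) -> str:
    """GetApplication -> Application; raises for names outside the convention."""
    m = _METHOD.match(method)
    if m is None:
        raise ValueError(f"{method!r} does not follow the verb+resource "
                         "convention; declare its permission via rawPermissions")
    return m.group("resource")


def resolve(method: str, opt: RequiredPermission) -> Decision:
    """Apply the precedence rules: any declared permission disables deferral."""
    names = {p.value + resource_from_method(method) for p in opt.permissions}
    names.update(opt.raw_permissions)
    if names:
        # Per the page: once any permission is set, the defer flag is ignored.
        return Decision(frozenset(names), deferred=False)
    return Decision(frozenset(), deferred=opt.defer_permission_check_to_application)


def check_at_api_surface(method: str, opt: RequiredPermission, granted) -> str:
    """Return "allow", "deny" or "defer" for a caller holding `granted`."""
    decision = resolve(method, opt)
    if decision.deferred:
        return "defer"
    # Assumption of this example: a method that declares no permission and does
    # not defer is closed, so a forgotten annotation cannot silently expose it.
    if not decision.required:
        return "deny"
    return "allow" if decision.required <= set(granted) else "deny"


if __name__ == "__main__":
    # Constructed method/option pairs illustrating each branch.
    cases = [
        ("GetApplication", RequiredPermission(permissions=[Permission.READ])),
        ("UpdateApplication", RequiredPermission(permissions=[Permission.WRITE],
                                                 defer_permission_check_to_application=True)),
        ("ExportMetrics", RequiredPermission(raw_permissions=["ExportMetrics"])),
        ("ExportMetrics", RequiredPermission(defer_permission_check_to_application=True)),
        ("ExportMetrics", RequiredPermission()),
    ]
    caller = {"ReadApplication", "ExportMetrics"}
    for method, opt in cases:
        d = resolve(method, opt)
        print(f"{method:18} required={sorted(d.required)} deferred={d.deferred} "
              f"-> {check_at_api_surface(method, opt, caller)}")
```

The second case is the one worth noticing when reviewing annotations: setting the defer flag alongside a permission does not relax the check, so a reviewer who sees both on one method should treat the flag as dead configuration rather than as an exemption.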