Tetrate Service Bridge, Version: 1.10.x

Policy Bindings

Access Policy Bindings.


A binding associates a role with a set of subjects.

Bindings are used to configure policies: different roles can be assigned to different sets of subjects, giving fine-grained access control over the resource protected by the policy.

Field | Description | Validation Rule


The role that defines the permissions that will be granted to the target resource.

string = {
  min_len: 1
}


List of tetrateio.api.tsb.rbac.v2.Subject
The set of subjects that will be allowed to access the target resource with the permissions defined by the role.


Subject identifies a user or a team under an organization. Roles are assigned to subjects for specific resources in the system.

Field | Description | Validation Rule


string oneof _sub
A user in TSB, created through LDAP sync or API. Must use the fully-qualified name (fqn) of the user. E.g. organization/myorg/users/alice


string oneof _sub
A team in TSB, created through LDAP sync or API. Must use the fully-qualified name (fqn) of the team. E.g. organization/myorg/teams/t1


string oneof _sub
A service account in TSB. Must use the fully-qualified name (fqn) of the service account. E.g. organization/myorg/serviceaccounts/sa1
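
An added example, not part of the TSB documentation or code: a small linter that checks a binding against the rules stated above (non-empty role, exactly one subject kind per subject, fully-qualified names) before it is applied. The key names `role`, `subjects`, `user`, `team` and `serviceAccount`, the role value, and the acceptance of a plural `organizations/` prefix are assumptions; the FQN shape is inferred from the examples on this page.

```python
import re

# Assumed key names mapped to the FQN path segment seen in the page's examples.
SUBJECT_KINDS = {
    "user": "users",
    "team": "teams",
    "serviceAccount": "serviceaccounts",
}
_SEG = r"[^/\s]+"  # one path segment: no slashes, no whitespace


def lint_binding(binding):
    """Return a list of problems found in one binding dict (empty list = clean)."""
    problems = []
    role = binding.get("role")
    if not isinstance(role, str) or len(role) < 1:
        problems.append("role: must be a non-empty string (min_len: 1)")
    for i, subject in enumerate(binding.get("subjects") or []):
        # The subject kinds are a oneof: exactly one may be set.
        kinds = [k for k in SUBJECT_KINDS if subject.get(k)]
        if len(kinds) != 1:
            problems.append(f"subjects[{i}]: exactly one subject kind required, got {kinds}")
            continue
        kind, value = kinds[0], subject[kinds[0]]
        # The FQN must name the same kind as the field it is placed in,
        # otherwise a user FQN in a team field would pass unnoticed.
        pattern = rf"organizations?/{_SEG}/{SUBJECT_KINDS[kind]}/{_SEG}"
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            problems.append(f"subjects[{i}].{kind}: {value!r} is not a fully-qualified {kind} name")
    return problems


# Constructed sample bindings (role value is a placeholder).
GOOD = {"role": "example-role", "subjects": [
    {"user": "organization/myorg/users/alice"},
    {"team": "organization/myorg/teams/t1"},
    {"serviceAccount": "organization/myorg/serviceaccounts/sa1"},
]}
BAD = {"role": "", "subjects": [
    {"user": "alice"},                                   # short name, not an FQN
    {"user": "organization/myorg/users/alice",
     "team": "organization/myorg/teams/t1"},             # two kinds set
    {"team": "organization/myorg/users/alice"},          # kind mismatch
]}

if __name__ == "__main__":
    for name, b in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_binding(b))
```
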



Configures the sets of permissions that are required to invoke the method where this option is applied.

Field | Description | Validation Rule


List of tetrateio.api.tsb.rbac.v2.Permission
The required set of permissions. The full name of each permission (such as ReadApplication) will be inferred from the name of the method where this option is applied.


List of string
Set of raw permission names. Only use this if the method being protected does not follow the common naming convention and the proper name of the permission cannot be inferred from the Permission enum and the method name alone.


When this flag is set to true, the permission checks will not be made at the API surface. This is usually needed when there is not an explicit set of permissions that can be preconfigured for the API methods, so the access control checks will be implemented at runtime by the application. The default value is 'false' and will only be taken into account if the permission properties are empty. If any permission is set, this flag will be ignored.