Working with Policies

AuthScope uses policies to model the business security rules that you want to enforce. A policy consists of the following four elements:

  • Scope: A scope represents what a user can do with respect to an API.
  • Action: An action corresponds to an HTTP verb.
  • Resource: A resource represents the path component of an HTTP URI, as defined by RFC 2396.
  • Constraint: Constraints enable fine-grained policy evaluation. They are flowchart-like rules that are evaluated at run time within the context of a request.

Creating Policies

To create policies, first create an Application and then create a version for it.

Policies can be created in one of the following two ways:

  1. By importing a Swagger file.
  2. By defining the APIs and scopes manually.

Creating Policies via Swagger import

To create policies by importing a Swagger file, select the "Upload Swagger" option on the "Create new Application Version" screen and then provide a Swagger YAML file.

[Image: Create new App Version]

Swagger files can optionally be tagged with scope and constraint extension tags as follows. These tags must be applied at the HTTP-verb (operation) level:

  • x-as-constraintId: Specifies the name of the constraint that applies to an API resource and action. After the Swagger import, AuthScope creates a constraint with this name that has GRANT access by default. If this tag is not specified, "DEFAULT_CONSTRAINT" is used.
  • x-as-scopeId: Tags a scope name to an API resource and action. AuthScope combines all scope tags in the Swagger file and generates policies from them. If this tag is not specified, "DEFAULT_SCOPE" is used.
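As an added example (not taken from the AuthScope documentation), the following Swagger 2.0 fragment shows both extension tags placed at the operation level. The API paths, the scope names and the constraint name AdminOnly are constructed for illustration; only x-as-scopeId, x-as-constraintId, DEFAULT_SCOPE and DEFAULT_CONSTRAINT come from the page.

```yaml
# Added example, not part of the AuthScope docs. Paths, scope names and
# the "AdminOnly" constraint name are constructed for illustration.
swagger: "2.0"
info:
  title: Applications API
  version: "1.0"
paths:
  /applications:
    get:
      summary: List applications
      x-as-scopeId: app.read               # scope for GET /applications
      x-as-constraintId: DEFAULT_CONSTRAINT
      responses:
        "200":
          description: OK
    post:
      summary: Create an application
      x-as-scopeId: app.write
      x-as-constraintId: AdminOnly         # created on import with GRANT access by default
      responses:
        "201":
          description: Created
  /applications/{app_id}/versions/{version_name}:
    get:
      summary: Get one version
      x-as-scopeId: version.read
      # no x-as-constraintId here: DEFAULT_CONSTRAINT is used
      responses:
        "200":
          description: OK
    delete:
      summary: Delete a version
      # neither tag here: DEFAULT_SCOPE and DEFAULT_CONSTRAINT are used
      responses:
        "204":
          description: Deleted
```

With these tags, the import yields one policy per operation: GET /applications with scope app.read and DEFAULT_CONSTRAINT, POST /applications with scope app.write and the newly created AdminOnly constraint, GET on the version resource with scope version.read and DEFAULT_CONSTRAINT, and DELETE on the version resource with DEFAULT_SCOPE and DEFAULT_CONSTRAINT. Because an untagged operation silently falls back to DEFAULT_SCOPE with a GRANT constraint, review the generated policies after import for operations that were left untagged.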

[Image: Swagger Tagging]

AuthScope creates policies from the tagged Swagger file shown above as follows:

[Image: Generated Policies]

Creating Policies manually

To create policies manually, select the "Web Console" option during the Application version creation process:

[Image: Create Policies manually]

To create a policy, click the "+" sign on the Policies screen:

[Image: Add Policy]

Fill out the following fields on the form and click the "Create Policy" button:

  • Policy Name: A name for this policy.
  • Policy Description: A description for this policy.
  • Resource: The HTTP resource path. Refer to the resource naming guidelines below.
  • Action: The HTTP action (verb).
  • Scope: A scope name.
  • Constraint: Select a constraint from the drop-down list.

[Image: Create Policy]

Resource naming guidelines:

  • Provide resource names as HTTP API paths, e.g. /applications
  • A resource name can contain TEMPLATE parameters, e.g. /applications/{app_id}/versions/{version_name}
  • Policies are looked up by longest matching path.
    • Example: at run time, if the queried resource is /a/b/c/, Authority looks for a policy mapped to the first available resource in the following order:
      • /a/b/c/
      • /a/b/c
      • /a/b/
      • /a/b
      • /a/
      • /a
      • /
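The lookup order above, together with template parameters, is easy to get subtly wrong (for instance, treating /a/b/ and /a/b as the same resource). The following is an added example, not AuthScope's own code, that implements the documented candidate order and then resolves a request against a small constructed policy table. Everything beyond the candidate order is an assumption: that a policy is keyed by (resource, action), that a {param} segment matches exactly one path segment, and that the first candidate with a policy for the requested action wins. The function names and the sample scopes and constraint names are mine.

```python
"""Longest-path policy lookup, written as an added example for this page.

It is not AuthScope's own code. Assumptions not stated on the page:
  * a policy is keyed by (resource, action) and maps to (scope, constraint);
  * a TEMPLATE segment such as {app_id} matches exactly one path segment;
  * the first candidate resource (in the documented order) that has a policy
    for the requested action wins; literal and template resources are
    searched together at each candidate.
"""

# Constructed sample policy table, in the shape of the generated-policies view.
# (resource, action) -> (scope, constraint)
POLICIES = {
    ("/", "GET"): ("DEFAULT_SCOPE", "DEFAULT_CONSTRAINT"),
    ("/applications", "GET"): ("app.read", "DEFAULT_CONSTRAINT"),
    ("/applications", "POST"): ("app.write", "AdminOnly"),
    ("/applications/{app_id}/versions/{version_name}", "GET"):
        ("version.read", "DEFAULT_CONSTRAINT"),
}


def lookup_candidates(path):
    """Return the resources to try for `path`, most specific first.

    Follows the documented order: for /a/b/c/ the result is
    /a/b/c/, /a/b/c, /a/b/, /a/b, /a/, /a, /  (trailing-slash form before the
    bare form at every level, then the root).
    """
    if not path.startswith("/"):
        raise ValueError("resource paths must be absolute: %r" % path)
    candidates = []
    current = path
    while current != "/":
        candidates.append(current)
        if current.endswith("/"):
            current = current[:-1]                       # /a/b/c/ -> /a/b/c
        else:
            current = current[: current.rfind("/") + 1]  # /a/b/c  -> /a/b/
    candidates.append("/")
    return candidates


def _segments(resource):
    stripped = resource.strip("/")
    return stripped.split("/") if stripped else []


def template_matches(template, candidate):
    """True if `template` (which may contain {params}) matches `candidate`.

    The trailing slash is significant because the lookup order treats /a/b/
    and /a/b as distinct resources. A {param} segment matches exactly one
    non-empty segment (assumption, see the module docstring).
    """
    if template.endswith("/") != candidate.endswith("/"):
        return False
    t_parts, c_parts = _segments(template), _segments(candidate)
    if len(t_parts) != len(c_parts):
        return False
    return all(
        (t.startswith("{") and t.endswith("}")) or t == c
        for t, c in zip(t_parts, c_parts)
    )


def find_policy(path, action, policies=POLICIES):
    """Return the policy governing `action` on `path` as a dict, or None.

    Walks the candidates from most to least specific; at each step the first
    policy whose resource matches the candidate and whose action matches is
    returned. Two templates could match the same candidate; table order
    decides between them here.
    """
    for candidate in lookup_candidates(path):
        for (resource, pol_action), (scope, constraint) in policies.items():
            if pol_action == action and template_matches(resource, candidate):
                return {"resource": resource, "matched": candidate,
                        "scope": scope, "constraint": constraint}
    return None


if __name__ == "__main__":
    for req in [("/applications/42/versions/v1", "GET"),
                ("/applications/42/versions/v1/tags", "POST"),
                ("/unknown", "GET"),
                ("/unknown", "DELETE")]:
        print(req, "->", find_policy(*req))
```

Two behaviours are worth noticing when reviewing a policy set with this model: a request for a path that has no policy of its own inherits the policy of the longest matching parent (POST on /applications/42/versions/v1/tags above is governed by the POST policy on /applications), and a request on a resource that has no policy at all for the requested action, up to and including "/", resolves to nothing, so the caller must decide what "no policy" means rather than assume a grant.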
