...

The IAM plugin will provide another implementation of the SecurityChecker interface, 'PolicyBasedAccessChecker'. We will also have to add more methods to this interface, or change some signatures, to support access control based on group, policy and API name (action).

...

IAM Interface to check API Access

The IAM plugin's 'PolicyBasedAccessChecker' will also provide a group- and policy-based implementation of the APIChecker interface. The implementation will check whether a given user is permitted to make a given API call by looking at the user's groups and the policies associated with those groups.

...

When a user creates a customized policy, they can specify a source policy from the list of default policies. We will then create new mappings between that default policy's permission entries and the new policy in the acl_policy_permission_map table.
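The group-and-policy check and the source-policy mapping described above can be modelled in a few lines. This is an added example, not code from the IAM plugin: the class name, the in-memory maps standing in for the tables, and all ids and user names are assumptions made for illustration.

```java
import java.util.*;

// Illustrative model only. Class, method and data names are assumptions for
// this example, not CloudStack's PolicyBasedAccessChecker or its real schema.
public class PolicyCheckSketch {
    static final Map<Long, String> permissions = new HashMap<>();            // permission id -> API name
    static final Map<Long, Set<Long>> policyPermissionMap = new HashMap<>(); // policy id -> permission ids
    static final Map<Long, Set<Long>> groupPolicies = new HashMap<>();       // group id -> policy ids
    static final Map<String, Set<Long>> userGroups = new HashMap<>();        // user -> group ids

    // Customized policy: add new map rows pointing at the source policy's
    // permission entries. The source policy's own rows are left untouched.
    static void createPolicyFrom(long newPolicy, long sourcePolicy) {
        Set<Long> source = policyPermissionMap.get(sourcePolicy);
        if (source == null) throw new IllegalArgumentException("unknown source policy " + sourcePolicy);
        policyPermissionMap.put(newPolicy, new HashSet<>(source));
    }

    // Default deny: true only if a policy attached to one of the user's groups
    // maps to a permission entry for this API name.
    static boolean checkAccess(String user, String apiName) {
        for (long group : userGroups.getOrDefault(user, Set.of()))
            for (long policy : groupPolicies.getOrDefault(group, Set.of()))
                for (long perm : policyPermissionMap.getOrDefault(policy, Set.of()))
                    if (apiName.equals(permissions.get(perm))) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data
        permissions.put(1L, "listVirtualMachines");
        permissions.put(2L, "deployVirtualMachine");
        policyPermissionMap.put(10L, new HashSet<>(Set.of(1L, 2L))); // stands in for a default policy
        createPolicyFrom(20L, 10L);                                  // customized policy based on it
        policyPermissionMap.get(20L).remove(2L);                     // narrow the customized policy only
        groupPolicies.put(100L, Set.of(10L));
        groupPolicies.put(200L, Set.of(20L));
        userGroups.put("alice", Set.of(100L));
        userGroups.put("bob", Set.of(200L));

        System.out.println("alice deploy: " + checkAccess("alice", "deployVirtualMachine"));
        System.out.println("bob deploy: " + checkAccess("bob", "deployVirtualMachine"));
        System.out.println("bob list: " + checkAccess("bob", "listVirtualMachines"));
        System.out.println("unknown user list: " + checkAccess("mallory", "listVirtualMachines"));
    }
}
```

A user with no groups, a group with no policies, or an API name with no mapped permission entry all fall through to the final `return false`, so the model denies by default.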

Sample DB entries for the default policies:

Root admin policy

This policy should allow all API operations on all types of resources for all domains and accounts. We can represent this policy in the db schema as follows:

Account

+----+--------------+--------------------------------------+-----------+
| id | account_name | uuid                                 | domain_id |
+----+--------------+--------------------------------------+-----------+
| 2  | admin        | 1c5afd64-482b-11e3-86f3-8118f47f9f9f | 1         |
+----+--------------+--------------------------------------+-----------+