Versions Compared

Old Version 110

changes.mady.by.user Prachi Damle

Saved on

compared with

New Version 111

changes.mady.by.user Prachi Damle

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The implementation will check if a given user is permitted to invoke the given 'action' on the given resource by looking at the account's groups and the associated policies of those groups.

In phase I, all the permissions attached to any policy are by default explicit 'Allow' permissions. As of now 'Deny' permissions cannot be added.

For given user, resource and given api name, default permission is 'deny', then run through this:

  • Find all groups the user belongs too.
  • Find all 'effective' policies the groups are associated to. Effective includes all policy associations in the DB and the dynamic 'Resource Owner' policy if the resource is owned by the user
  • If any policy has a permission attached that 'Allows' the API, grant permission to make this call
  • Else, if no Allow entry is found for any policy for this API, deny the permission

...