Setting up access control
LeZa's granular access control gives you the power to manage fine-grained permissions and access settings.
Access control determines who can access your application and how. To set it up, you first need to be familiar with a few concepts.
A permission is the most granular access point of your application. It represents an action that a user can perform, or the accessibility of a service, feature or resource. The creator of the application defines what the permission means, and LeZa enables them to set it up.
To create permissions, first go to the app you want to give access to: click on the app section in the main menu, then on the app you want to configure. In the permission tab you can then add your new permissions.
- Click on the plus button (+) on the top right
- Give your permission a name like: 'See the email address of a user'
- Give it a description
- Confirm to add your permission
Once you have added a permission, you can use it from your API or your front-end as you wish. You can also bind it to an endpoint, which gives access to that endpoint only if the user has the permission. To bind the permission to an endpoint, click on the attach to endpoint button on the left of your new permission.
A policy is a group of permissions configured for a certain scope. Policies are used everywhere in your configuration because they are more convenient and meaningful than permissions alone. To get a better understanding of a policy, let's use an example.
Imagine you are building a to-do list application that lets you create new tasks, assign them to people and plan them in a calendar.
You could create the following policies:
- Organize people's tasks: this would give the permission to add a new task, to assign the task to a user and to See the list of tasks for all users
- Organize the calendar: this would give the permission to assign a completion date and to See the list of tasks for all users
- Complete tasks: this would give the permission to See your own tasks and Mark tasks as completed
To set up a new policy for your application, perform the following steps:
- Go to the Policies section in your main menu
- Click on the little plus (+) button on the top right to display the policy creation window
- Enter your policy name ex: Organize tasks for people
- Give a version ex: v1.0.0
- Give it a status, local or global (global policies are accessible to external organizations)
- Click on ok and your policy is now created
You must then attach permissions to your policy. To do so, follow these steps:
- Click on the attach permission button on the right of your created policy
- Select in the left corner the permissions that you want to attach
- Click on the right arrow to add them to the policy's permissions
- Save your changes and the policy is now configured
A role is the position of a user inside your organization. A user can only have one role per organization, but you can configure as many roles as you want. The role is associated with policies in order to determine its access to your application.
The main difference between a role and a policy is that a role is seen from a user access rights point of view, while a policy is seen from a feature-set access rights point of view.
To set up a first role in your organization, perform the following steps:
- Click on the role section in your main menu
- Click on the plus button on the top right of your screen
- Give your role a name and description
- Select the parent role (check the notice below to understand how this works)
Roles are organized hierarchically, so the children of a role are only allowed to get access to a subset of their parent's permissions
- Click on the create button to create your role
You can now bind policies to your role by:
- Clicking on the three dots on the right of your created role, then "Bind policies"
- Selecting the policies that need to be added on the left part of your screen
- Clicking on the right arrow to add them as your role's policies
- Clicking on the save button to confirm your changes
Now that you have configured all the security aspects of your application from an access point of view, you can attach your role to a user of your organization by going to the users section and changing the role of your user.
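The model described above (permissions grouped into policies, policies bound to hierarchical roles, one role per user per organization, endpoints bound to a permission) can be sketched as follows. This is an added example, not LeZa's code or API: the class, function, endpoint, user and role names are hypothetical, and denying unknown users and unbound endpoints is an assumption.

```python
from dataclasses import dataclass, field

# Constructed sample data: the to-do list policies, as policy -> permission names.
POLICIES = {
    "Organize people's tasks": {"Add a new task", "Assign the task to a user",
                                "See the list of tasks for all users"},
    "Organize the calendar": {"Assign a completion date",
                              "See the list of tasks for all users"},
    "Complete tasks": {"See your own tasks", "Mark tasks as completed"},
}
# Hypothetical endpoints, each bound to one permission.
ENDPOINT_PERMISSION = {"POST /tasks": "Add a new task",
                       "POST /tasks/complete": "Mark tasks as completed"}

@dataclass
class Role:
    name: str
    parent: "Role | None" = None
    policies: set = field(default_factory=set)

    def permissions(self):
        """Permissions from bound policies, clamped to what the parent holds."""
        own = set().union(*(POLICIES[p] for p in self.policies))
        return own & self.parent.permissions() if self.parent else own

    def bind_policy(self, policy):
        """Bind a policy; reject it if it grants more than the parent role has."""
        if self.parent is not None:
            extra = POLICIES[policy] - self.parent.permissions()
            if extra:
                raise PermissionError(
                    f"{self.name} would exceed {self.parent.name}: {sorted(extra)}")
        self.policies.add(policy)

def can_call(user_roles, user, org, endpoint):
    """Allow only if the user's single role in `org` holds the endpoint's permission.
    Assumption: unknown users and unbound endpoints are denied."""
    role = user_roles.get((user, org))
    required = ENDPOINT_PERMISSION.get(endpoint)
    return role is not None and required is not None and required in role.permissions()

manager = Role("Manager")
for name in POLICIES:
    manager.bind_policy(name)
member = Role("Member", parent=manager)
member.bind_policy("Complete tasks")
USER_ROLES = {("alice", "acme"): manager, ("bob", "acme"): member}  # one role per (user, org)
```

Because `permissions()` intersects with the parent at evaluation time, removing a policy from a parent role also removes the corresponding access from its children, not only from future bindings.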