There are two different methods for describing a role (extending other roles, and explicitly assigning the permissions matrix), and both methods can be used at the same time.
The resulting permissions matrix for a role is determined by combining the sets of permissions in the corresponding cells of the matrices of the extended roles and of the explicitly defined matrix.
Extending roles
Roles are extended by using the extends element, which contains a list of extended roles (this list may be empty). Every role listed in extends must already be defined:
roles : {
    ...
    roleX : {
        extends : [roleY, roleZ] // The roleX role extends the roleY and roleZ roles
    }
    ...
}
Explicit assignment of the permissions matrix
The matrix is explicitly assigned by using the rights element, which is an array of entries. Each entry consists of three elements: the subject (from element), the object that should be accessed (to element), and the set of permissions (permissions element).
The subject and object are defined in one of the following ways:
from: tls
from: [app0, app1]
from: @any
Permissions are defined in one of the following ways:
permissions: stream/read
permissions: stream/@any
permissions: [conn/@any, stream/set_status]
Example:
roles : {
    system : {
        rights : [
            { from : @any /* any type */
            , to : connection_manager /* specific type */
            , permissions : conn/@any /* any permission from the conn category */
            },
            { from : tls
            , to : connection_manager
            , permissions : [ stream/read, stream/set_status ] /* any of the listed permissions */
            },
            { from : @any
            , to : tls
            , permissions : stream/@any
            }
        ]
    },
    camera : {
        rights : [
            { from : @any
            , to : camera
            , permissions : camera/@any
            }
        ]
    },
    gps : {
        rights : [
            { from : @any
            , to : gps
            , permissions : gps/@any
            }
        ]
    },
    user : {
        extends : system /* extends the system role */
    },
    admin : {
        extends : [user, camera] /* extends the user & camera roles */
    }
}
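The following is an added example, not code from the original documentation or from the product it describes. It resolves the effective permissions matrix of a role by walking the extends chain and combining cells, then answers "may subject S perform permission P on object O under role R?", which is the check an auditor needs to confirm that a role such as admin grants no more than intended. Roles are represented as plain Python dicts that mirror the structure above (the real configuration syntax is not parsed). Assumed semantics, not stated verbatim on the page: cells are combined by set union, @any in from/to matches every subject or object, and category/@any matches every permission in that category; the function names (resolve_matrix, is_allowed) and the constructed ROLES sample are the example's own.

```python
"""Resolve a role's effective permissions matrix and check a request.

Added example; not part of the original documentation. Assumptions:
cells from extended roles and the explicit matrix are combined by set
union; "@any" in from/to matches any subject/object; "<category>/@any"
matches every permission of that category.
"""
from collections import defaultdict

ANY = "@any"


def _as_list(value):
    """Accept a single name (from: tls) or a list (from: [app0, app1])."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def resolve_matrix(roles, role_name, _visiting=None):
    """Return {(subject, object): set(permissions)} for role_name,
    including everything inherited through extends at any depth.
    Raises ValueError for an unknown role or a cycle in extends."""
    if role_name not in roles:
        raise ValueError(f"unknown role: {role_name}")
    visiting = (_visiting or set()) | {role_name}
    if _visiting and role_name in _visiting:
        raise ValueError(f"cyclic extends via {role_name}")

    matrix = defaultdict(set)
    # Inherited cells first; the explicit rights below are unioned in.
    for parent in _as_list(roles[role_name].get("extends")):
        for cell, perms in resolve_matrix(roles, parent, visiting).items():
            matrix[cell] |= perms
    # Explicit rights of this role: one cell per (from, to) pair.
    for rule in roles[role_name].get("rights", []):
        perms = set(_as_list(rule["permissions"]))
        for subj in _as_list(rule["from"]):
            for obj in _as_list(rule["to"]):
                matrix[(subj, obj)] |= perms
    return dict(matrix)


def _perm_matches(granted, requested):
    """'stream/@any' covers every 'stream/...' permission (assumed semantics)."""
    category = requested.split("/", 1)[0]
    return granted == requested or granted == f"{category}/{ANY}"


def is_allowed(roles, role_name, subject, obj, permission):
    """True if role_name lets subject perform permission on obj."""
    for (s, o), perms in resolve_matrix(roles, role_name).items():
        if s in (subject, ANY) and o in (obj, ANY):
            if any(_perm_matches(p, permission) for p in perms):
                return True
    return False


# Constructed sample mirroring the page's example (not a real policy file).
ROLES = {
    "system": {"rights": [
        {"from": ANY, "to": "connection_manager", "permissions": "conn/@any"},
        {"from": "tls", "to": "connection_manager",
         "permissions": ["stream/read", "stream/set_status"]},
        {"from": ANY, "to": "tls", "permissions": "stream/@any"},
    ]},
    "camera": {"rights": [{"from": ANY, "to": "camera", "permissions": "camera/@any"}]},
    "gps": {"rights": [{"from": ANY, "to": "gps", "permissions": "gps/@any"}]},
    "user": {"extends": "system"},
    "admin": {"extends": ["user", "camera"]},
}

if __name__ == "__main__":
    # Print the effective matrix of admin to review what it really grants.
    for cell, perms in sorted(resolve_matrix(ROLES, "admin").items()):
        print(cell, sorted(perms))
```

Running the module prints the admin matrix as (subject, object) cells with their permission sets, which makes it visible that admin inherits the system cells through user plus the camera cell, but nothing for gps. The cycle check matters because a role that (indirectly) extends itself would otherwise recurse without bound.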