Intro

Fairo Policies allow full AWS-like access control for any user or API key within the Fairo environment. Whether you are creating permissions for internal user groups, limiting access to Fairo for your external auditor, or creating machine-to-machine API access keys, Fairo's policy system can help you.

The Policy JSON

The policy JSON is based on what has become the standard layout for IAM policies in AWS and equivalent cloud platforms. This layout is designed to help users create flexible, declarative access policies for broad use cases.

{
  "action": [
    "*"
  ],
  "principal": [
    "*"
  ],
  "effect": "allow",
  "resources": [
    "*"
  ]
}

Action

The left-hand side of the action is the class; the right-hand side is the action, or class method, being invoked. For example, in workflows:create the class is 'workflows' and the action/method is 'create'. The standard methods are list, retrieve, create, delete, and update. However, certain APIs will have custom methods.

When a method is custom, you will know what it's called based on the endpoint URL. For example, the API endpoint https://api.fairo.ai/api/v1/process_nodes/{id}/add_asset is the add_asset method, on the process_nodes class.

Using this pattern, https://api.fairo.ai/api/v1/{class}/{id}/{custom_method}, plus assuming the default methods exist for every class, you can build permissions based on the API reference.

Principal

The principal is currently not implemented in our specification. We plan on implementing it soon, as there are some important use cases we'd like to support (i.e. handling externally defined roles and groups from an Azure AD or other external profile data).

Effect

If the 'effect' equals allow, the actions are allowed. Otherwise, they are denied.

Resources

Here you can specify the specific resources that you would like to give access to. Right now, we are basing everything off of ID, so wildcards aren't that useful. In future implementations we will allow resources to use wildcards on specific attributes (i.e. type, owner, tag, etc.).
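The following is an added example, not Fairo's own code: it derives the action name from a custom-method endpoint using the URL pattern above, checks a request against a single policy, and reports wildcard grants for access reviews. The matching rule (an entry matches if it is "*" or an exact string), the function names and the ID "node-123" are assumptions made for illustration.

```python
from urllib.parse import urlparse

API_PREFIX = "/api/v1/"  # prefix taken from the endpoint pattern on this page

def action_from_custom_endpoint(url):
    """Turn .../api/v1/{class}/{id}/{custom_method} into ('class:method', id)."""
    path = urlparse(url).path
    if not path.startswith(API_PREFIX):
        raise ValueError("not a Fairo v1 API path: " + path)
    parts = [p for p in path[len(API_PREFIX):].split("/") if p]
    if len(parts) != 3:
        raise ValueError("expected {class}/{id}/{custom_method}, got: " + path)
    cls, resource_id, method = parts
    return f"{cls}:{method}", resource_id

def is_allowed(policy, action, resource_id):
    """Evaluate one policy. Assumption: an entry matches if it is "*" or an
    exact string match; 'principal' is ignored because it is not implemented."""
    if policy.get("effect") != "allow":
        return False  # any effect other than allow is a deny
    action_ok = any(a in ("*", action) for a in policy.get("action", []))
    resource_ok = any(r in ("*", resource_id) for r in policy.get("resources", []))
    return action_ok and resource_ok

def wildcard_grants(policy):
    """List the fields of an allow policy that grant "*", for access reviews."""
    if policy.get("effect") != "allow":
        return []
    return [f for f in ("action", "resources") if "*" in policy.get(f, [])]

# Constructed policies: the page's allow-everything sample and a scoped one.
ALLOW_ALL = {"action": ["*"], "principal": ["*"], "effect": "allow", "resources": ["*"]}
SCOPED = {"action": ["process_nodes:add_asset"], "principal": ["*"],
          "effect": "allow", "resources": ["node-123"]}  # "node-123" is a made-up ID

if __name__ == "__main__":
    url = "https://api.fairo.ai/api/v1/process_nodes/node-123/add_asset"
    action, rid = action_from_custom_endpoint(url)
    print(action, rid, is_allowed(SCOPED, action, rid))
    print("wildcards in ALLOW_ALL:", wildcard_grants(ALLOW_ALL))
```

Running wildcard_grants over every policy before it is attached to an external auditor or an API key shows which grants are broader than the class, method and ID the caller actually needs.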

Summary

The Fairo Policies system, although in early stages, is a very powerful and extensible tool. We have chosen to define policies in a tried and true declarative JSON format so that our users can get started right away. As we release more features, users will gain incredible flexibility and precision in how they define access to the Fairo system.