User

We share users between all services.

User Attributes

Each user has two types of attributes:

  • Public attributes (such as the user's phone, first_name, last_name, ...). Users can change their own public attributes, so we do not provide them for evaluation.
  • Private per-service attributes, which are set by each service. We provide these attributes to the policy engine as the user's attributes.
    We can use these attributes in a policy Tree or Condition.

To set an attribute on a specific user:

  • Make sure you have either the service's owner token or a PAT to use in the next requests.

  • Call the following endpoint:
    Make sure to change the {user_id}, {my token} and {service_id} fields to the proper values.

In the following example, we set the state prop to fars and the skill prop to management.

Tip

The following attributes are available only to the service whose id is set in the payload, not to all services.

curl --location --request POST 'localhost:4000/api/v1/user/{user_id}/attrs' \
--header 'Authorization: Bearer {my token}' \
--header 'Content-Type: application/json' \
--data-raw '{
    "service_id":"{service_id}",
    "attributes":[
            {
                "key":"state",
                "value":"fars"
            },
            {
                "key":"skill",
                "value":"management"
            }
    ]
}'

You can also sync or remove attributes.

Roles

Each user can have as many roles as needed.

We can think of roles as entities which we assign to one or more users; we then define policies based on the role instead of a specific user.

Each service creates and manages its own roles.
By default, services cannot assign roles from other services to a user, but they can use other services' roles in their policies.

The following cURL request is an example of creating a role. Make sure to change the {token} and {service_id} values before sending the request.

WARNING

Each role's code must be unique across all the services. This is because we want to be able to use roles from other services in our policies.

curl --location --request POST 'localhost:4000/api/v1/roles' \
--header 'Authorization: Bearer {token}' \
--header 'Content-Type: application/json' \
--data-raw '{
    "service_id":"{service_id}",
    "name":"reporter",
    "code":"reporter"
}'

In the created role, we set the code to reporter; it is just a unique code for the role.

Tip

The benefit of using other services' roles in our service's policies is that when the service that owns a role assigns that role to someone, it changes the user's permissions in every service that uses that role in its policies. For example, if all services use the admin role code in their policies, then when we assign the admin role to someone, we make that user an admin in all services.

We can also (and we should too, most of the time) create our own roles and assign them to users.

To assign a role to a user, send a request like this:


curl --location --request POST 'localhost:4000/api/v1/user/{user_id}/roles/admin' \
--header 'Authorization: Bearer {token}'

We can also query, update and delete roles, and remove a user's roles.
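
The role rules above (role codes unique across all services, assignment only by the owning service by default, other services' role codes usable in policies) can be modelled to see how far a single assignment reaches. This is an added example, not the project's code: RoleRegistry, its methods, and the service and user names are hypothetical, and the in-memory model stands in for the real API.

```python
class RoleRegistry:
    """Hypothetical in-memory model of the role rules described on this page."""

    def __init__(self):
        self.owner_of = {}      # role code -> owning service_id
        self.user_roles = {}    # user_id -> set of role codes
        self.policy_roles = {}  # service_id -> role codes used in its policies

    def create_role(self, service_id, code):
        # Role codes must be unique across all services.
        if code in self.owner_of:
            raise ValueError(f"role code {code!r} is already owned by {self.owner_of[code]!r}")
        self.owner_of[code] = service_id

    def reference_in_policy(self, service_id, code):
        # Any service may use another service's role code in its policies.
        if code not in self.owner_of:
            raise KeyError(code)
        self.policy_roles.setdefault(service_id, set()).add(code)

    def affected_services(self, code):
        # Every service whose policies mention the code: the reach of one assignment.
        return sorted(s for s, codes in self.policy_roles.items() if code in codes)

    def assign_role(self, acting_service, user_id, code):
        # By default only the service that owns a role may assign it.
        if self.owner_of.get(code) != acting_service:
            raise PermissionError(f"{acting_service!r} does not own role {code!r}")
        self.user_roles.setdefault(user_id, set()).add(code)
        return self.affected_services(code)


def demo():
    # Constructed sample data: three services, two roles.
    reg = RoleRegistry()
    reg.create_role("accounts", "admin")
    reg.create_role("reports", "reporter")
    for svc in ("accounts", "reports", "billing"):
        reg.reference_in_policy(svc, "admin")
    reg.reference_in_policy("reports", "reporter")
    return reg


if __name__ == "__main__":
    reg = demo()
    # One assignment by the owner changes permissions in every referencing service.
    print(reg.assign_role("accounts", "user-1", "admin"))
```

Listing the affected services before assigning a widely referenced role code such as admin shows which services' permissions the assignment will change.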
