Policies and Permissions

You manage access in VECTR by creating policies and attaching them to identities (users or groups). A policy is an object that, when associated with an identity or resource, defines that identity's or resource's permissions. SRA Auth evaluates these policies when a user makes a request, and the permissions in the policies determine whether the request is allowed or denied.

Policy Types

  • Identity-based policies. Attach managed policies to IAM identities (users or groups). Identity-based policies grant permissions to an identity.
  • Resource-based policies. Policies attached to a resource that grant permissions on that resource.

Identity-based Policies

Identity-based policies are permissions policy documents that control what actions an identity (user or group) can perform, on which resources, and under what conditions.

Resource-based Policies

Note

Currently, resource-based policies affect all users. In a future release, resource-based policies will support the ability to configure principals (users) that have access to these resources.

Policy Category

All policies are either managed by SRA or the customer (end-user):

  • SRA managed policies. Policies that are created and managed by SRA. These policies cannot be modified or removed by the customer.

  • Customer managed policies. Policies that you create and manage in your account.

Policies and the Default Root User

The default root user is not affected by any policies. By default, the root user belongs to the BasicAccess and Admins groups, but its permissions are not affected by the policies attached to these groups. You can remove the root user from these groups, or delete the groups entirely, and the root user will still have full access to VECTR.

Default SRA Managed Policies

The following default policies are provided by SRA. Some policies are application-specific. SRA Managed policies cannot be deleted or modified.

Name | Description
AdminFullAccess | Provides full access to all resources and IAM permissions.
AppSettingsReadOnly [1] | Provides the ability for a user to read application configurations.
IAMFullAccess | Provides full access to IAM related resources and permissions, including managing users, groups, and policies.
TokenRefreshAccess | Provides the ability for users to stay logged into the application by automatically updating their JWT before it expires. Users without this permission are limited to a 30-minute session.
UserProfileAccess [1] | Provides the ability for a user to edit their own information, such as name and password.

Default VECTR Policies

The following are VECTR specific default policies:

Name | Description
AllDatabaseFullAccess | Provides the ability to perform read and write (including update and delete) operations on all session databases.
AllDatabaseReadOnly | Provides access to perform read operations on all session databases.
AnyPathResourceFullAccess | Provides full access (read/write/update/delete) to any non-session database related endpoints.
AnyPathResourceReadOnly [1] | Provides read-only access to any non-session database related endpoint.
DatabaseManagement [2] | Provides the ability for a user to manage (list, edit, backup, restore) the databases which they have access to.
DatabaseManagementFullAccess [2] | Provides the ability to manage (list, create, edit, delete, backup, restore) all databases.
GoldStandardFullAccess | Provides read and write access to the GoldStandard database.
GoldStandardReadOnly [1] | Provides read-only access to the GoldStandard database.
ListDatabases [1][2] | Allows a user to list the databases they have access to.
ProductTourAccess [3] | Provides the ability to interact with VECTR product tours.
ProductTourIntroDatabaseFullAccess [3] | Provides read/write access to the "Intro to VECTR Walkthrough" tour database.
RenameDatabase [2] | Allows a user to rename a database that they have access to.

  1. These policies are required at a minimum for a user to gain basic access to VECTR.

  2. These policies on their own do not provide read or write access to any databases. Instead, they simply grant the listed management permissions on databases which a user already has access to. These policies must be combined with a DB access policy such as AllDatabaseFullAccess, AllDatabaseReadOnly, or a custom DB policy that you created.

  3. These policies are required to view and interact with VECTR product tours.
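The rules above (policies inherited through group membership, the root user bypassing policies entirely, the minimum policy set in footnote 1, and the footnote 2 policies that only apply to databases a user can already reach) are easy to misjudge when reviewing who can manage which database. The following is an added, constructed model of those rules for checking a proposed group layout; it is not VECTR's or SRA Auth's own evaluator. The policy names come from the tables on this page, but the way each policy is tagged (which ones grant database access, and to which database) and the sample databases and groups are assumptions of this model.

```python
"""Effective-access model for the policy rules described on this page.

Constructed illustration, not VECTR's or SRA Auth's own evaluator: policy
names come from the page; the tagging and combination logic are assumptions.
"""
from __future__ import annotations

# Constructed sample databases for the worked example.
SAMPLE_DATABASES = ["GoldStandard", "Intro to VECTR Walkthrough", "Purple-Team-2024"]

# Footnote 1 on the page: the minimum policy set for basic access to VECTR.
BASIC_ACCESS_REQUIRED = {
    "AppSettingsReadOnly", "UserProfileAccess", "AnyPathResourceReadOnly",
    "GoldStandardReadOnly", "ListDatabases",
}

# Policies that grant data access to session databases (assumed tagging):
# value is (database name, or None for all databases, access level).
DB_ACCESS_GRANTS = {
    "AdminFullAccess": (None, "rw"),
    "AllDatabaseFullAccess": (None, "rw"),
    "AllDatabaseReadOnly": (None, "ro"),
    "GoldStandardFullAccess": ("GoldStandard", "rw"),
    "GoldStandardReadOnly": ("GoldStandard", "ro"),
    "ProductTourIntroDatabaseFullAccess": ("Intro to VECTR Walkthrough", "rw"),
}

# Footnote 2: management verbs only on databases the user already reaches.
# DatabaseManagementFullAccess (and AdminFullAccess) cover all databases.
UNSCOPED_MANAGEMENT = {"DatabaseManagementFullAccess", "AdminFullAccess"}


def effective_policies(direct: set[str], group_policies: dict[str, set[str]],
                       member_of: set[str]) -> set[str]:
    """Union of a user's directly attached policies and those of its groups."""
    policies = set(direct)
    for group in member_of:
        policies |= group_policies.get(group, set())
    return policies


def database_access(policies: set[str], databases: list[str]) -> dict[str, str | None]:
    """Map each database to the strongest level granted ("rw" > "ro" > None)."""
    rank = {None: 0, "ro": 1, "rw": 2}
    access: dict[str, str | None] = {db: None for db in databases}
    for policy in policies:
        if policy not in DB_ACCESS_GRANTS:
            continue
        target, level = DB_ACCESS_GRANTS[policy]
        for db in databases:
            if target in (None, db) and rank[level] > rank[access[db]]:
                access[db] = level
    return access


def manageable_databases(policies: set[str], databases: list[str]) -> set[str]:
    """Databases the user may manage (list, edit, backup, restore)."""
    if policies & UNSCOPED_MANAGEMENT:
        return set(databases)
    if "DatabaseManagement" not in policies:
        return set()
    # Footnote 2: DatabaseManagement alone grants nothing; it is scoped to
    # databases some other policy already makes accessible.
    access = database_access(policies, databases)
    return {db for db, level in access.items() if level is not None}


def summarize(user: str, *, is_root: bool, direct: set[str],
              group_policies: dict[str, set[str]], member_of: set[str],
              databases: list[str]) -> dict:
    """Effective picture for one identity; the root user bypasses all policies."""
    if is_root:
        return {"user": user, "basic_access": True,
                "db_access": {db: "rw" for db in databases},
                "manageable": set(databases)}
    policies = effective_policies(direct, group_policies, member_of)
    return {"user": user,
            "basic_access": BASIC_ACCESS_REQUIRED <= policies,
            "db_access": database_access(policies, databases),
            "manageable": manageable_databases(policies, databases)}


# Constructed group definitions for the example.
GROUPS = {
    "BasicAccess": set(BASIC_ACCESS_REQUIRED) | {"TokenRefreshAccess"},
    "DbOperators": {"DatabaseManagement", "RenameDatabase"},  # footnote 2 policies only
    "Readers": {"AllDatabaseReadOnly"},
}

if __name__ == "__main__":
    for name, groups in [("operator-only", {"BasicAccess", "DbOperators"}),
                         ("operator+reader", {"BasicAccess", "DbOperators", "Readers"})]:
        print(name, summarize(name, is_root=False, direct=set(), group_policies=GROUPS,
                              member_of=groups, databases=SAMPLE_DATABASES))
    print("root", summarize("root", is_root=True, direct=set(), group_policies={},
                            member_of=set(), databases=SAMPLE_DATABASES))
```

Running it shows the footnote 2 effect directly: a member of BasicAccess and DbOperators can only manage GoldStandard, because GoldStandardReadOnly (part of the basic set) is the only database grant they hold; adding the Readers group extends management to every database, while the root user gets everything regardless of group membership.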