Policies and Permissions
You manage access in VECTR by creating policies and attaching them to identities (users or groups). A policy is an object that, when associated with an identity or resource, defines its permissions. SRA Auth evaluates these policies when a user makes a request; the permissions in the policies determine whether the request is allowed or denied.
Policy Types
- Identity-based policies. Attach managed policies to IAM identities (users or groups). Identity-based policies grant permissions to an identity.
- Resource-based policies. Policies that grant permissions on a resource.
Identity-based Policies
Identity-based policies are permissions policy documents that control what actions an identity (user or group) can perform, on which resources, and under what conditions.
Resource-based Policies
Note: Currently, resource-based policies affect all users. In a future release, resource-based policies will support the ability to configure which principals (users) have access to these resources.
Policy Category
All policies are either managed by SRA or by the customer (end-user):
- SRA managed policies. Policies that are created and managed by SRA. These policies cannot be modified or removed by the customer.
- Customer managed policies. Policies that you create and manage in your account.
Policies and the Default Root User
The default root user is not affected by any policies. By default, the root user belongs to the BasicAccess and Admins groups; however, its permissions are not affected by the policies attached to these groups. You can even remove the root user from these groups, or delete the groups entirely, and the root user will still have full access to VECTR.
Default SRA Managed Policies
The following default policies are provided by SRA. Some policies are application-specific. SRA managed policies cannot be deleted or modified.

| Name | Description |
|---|---|
| AdminFullAccess | Provides full access to all resources and IAM permissions. |
| AppSettingsReadOnly[^1] | Provides the ability for a user to read application configurations. |
| IAMFullAccess | Provides full access to IAM related resources and permissions, including managing users, groups, and policies. |
| TokenRefreshAccess | Provides the ability for users to stay logged into the application by automatically updating their JWT before it expires. Users who do not have this permission will be time-boxed to the application for 30 minutes. |
| UserProfileAccess[^1] | Provides the ability for a user to edit their own information, such as name and password. |
Default VECTR Policies
The following are VECTR specific default policies:

| Name | Description |
|---|---|
| AllDatabaseFullAccess | Provides the ability to perform read and write (including update and delete) operations on all test environments. |
| AllDatabaseReadOnly | Provides access to perform read operations on all test environments. |
| AnyPathResourceFullAccess | Provides full access (read/write/update/delete) to any non-test environment related endpoints. |
| AnyPathResourceReadOnly[^1] | Provides read-only access to any non-test environment related endpoint. |
| DatabaseManagement[^2] | Provides the ability for a user to manage (list, edit, backup, restore) the environments which they have access to. |
| DatabaseManagementFullAccess[^2] | Provides the ability to manage (list, create, edit, delete, backup, restore) all environments. |
| GoldStandardFullAccess | Provides read and write access to the Library. |
| GoldStandardReadOnly[^1] | Provides read-only access to the Library. |
| ListDatabases[^1][^2] | Allows a user to list the environments they can access. |
| RenameDatabase[^2] | Allows a user to rename an environment that they have access to. |
| TagManagement | Provides the ability for a user to manage (view, edit) tags. This policy is required in order for a user to work with tags, including tagging Assessment data. |
[^1]: These policies are required at a minimum for a user to gain basic access to VECTR.
[^2]: These policies on their own do not provide read or write access to any environments. Instead, they simply give the stated permissions on environments which a user already has access to. These policies must be combined with a DB access policy such as AllDatabaseFullAccess, AllDatabaseReadOnly, or a custom DB policy that you created.
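The rules described on this page (identity-based policies collected from a user and its groups, SRA managed policies that the customer cannot remove, the root user's exemption from all policies, and footnote 2's rule that environment-management policies only apply to environments the user can already reach) as a small Python model. This is an added illustration, not VECTR's policy document format or SRA Auth's code; the action names, scope encoding, environment names, group memberships and the `LabReadOnly` custom policy are all constructed assumptions.

```python
from dataclasses import dataclass, field

ALL = "all"                # policy applies to every environment
ACCESSIBLE = "accessible"  # policy applies only to environments already reachable (footnote 2)


@dataclass(frozen=True)
class Policy:
    name: str
    managed_by: str     # "SRA" or "customer"
    actions: frozenset  # assumed action names, e.g. {"read", "write", "backup"}
    scope: object       # ALL, ACCESSIBLE, or a frozenset of environment names


# A subset of the page's default policies; the action sets are assumptions.
SRA_MANAGED = {
    "AllDatabaseFullAccess": Policy("AllDatabaseFullAccess", "SRA",
                                    frozenset({"read", "write", "update", "delete"}), ALL),
    "AllDatabaseReadOnly": Policy("AllDatabaseReadOnly", "SRA", frozenset({"read"}), ALL),
    "DatabaseManagement": Policy("DatabaseManagement", "SRA",
                                 frozenset({"list", "edit", "backup", "restore"}), ACCESSIBLE),
    "RenameDatabase": Policy("RenameDatabase", "SRA", frozenset({"rename"}), ACCESSIBLE),
}


class PolicyStore:
    """Holds SRA managed and customer managed policies; only the latter may change."""

    def __init__(self):
        self.policies = dict(SRA_MANAGED)

    def create(self, policy):
        if policy.managed_by != "customer":
            raise ValueError("customers can only create customer managed policies")
        self.policies[policy.name] = policy

    def delete(self, name):
        if self.policies[name].managed_by == "SRA":
            raise PermissionError(f"{name} is SRA managed and cannot be removed")
        del self.policies[name]


@dataclass
class Identity:
    name: str
    policies: list = field(default_factory=list)  # policy names attached directly
    groups: list = field(default_factory=list)    # group names
    is_root: bool = False


def effective_policies(identity, group_policies, store):
    """Union of the identity's own policies and those of every group it belongs to."""
    names = set(identity.policies)
    for group in identity.groups:
        names.update(group_policies.get(group, ()))
    return [store.policies[n] for n in names if n in store.policies]


def reachable_environments(policies, all_envs):
    """Environments granted by DB access policies (scope ALL or an explicit set)."""
    envs = set()
    for p in policies:
        if p.scope == ALL:
            envs.update(all_envs)
        elif isinstance(p.scope, frozenset):
            envs.update(p.scope & set(all_envs))
    return envs


def is_allowed(identity, action, env, group_policies, store, all_envs):
    """Allow if root, or if some effective policy grants `action` on `env`."""
    if identity.is_root:
        return True  # the root user is not affected by any policy
    pols = effective_policies(identity, group_policies, store)
    reachable = reachable_environments(pols, all_envs)
    for p in pols:
        if action not in p.actions:
            continue
        if p.scope == ALL or (isinstance(p.scope, frozenset) and env in p.scope):
            return True
        if p.scope == ACCESSIBLE and env in reachable:
            return True
    return False


def demo():
    """Constructed scenario: two environments, an Analysts group and the root user."""
    store = PolicyStore()
    all_envs = ["prod", "lab"]
    groups = {"Admins": ["AllDatabaseFullAccess", "DatabaseManagement"],
              "Analysts": ["DatabaseManagement"]}
    analyst = Identity("alice", groups=["Analysts"])
    root = Identity("root", is_root=True)  # deliberately in no group
    r = {}
    # DatabaseManagement alone reaches no environment (footnote 2).
    r["analyst_backup_prod_before"] = is_allowed(analyst, "backup", "prod", groups, store, all_envs)
    # A customer managed DB policy opens "lab" only; management then applies there.
    store.create(Policy("LabReadOnly", "customer", frozenset({"read"}), frozenset({"lab"})))
    analyst.policies.append("LabReadOnly")
    r["analyst_backup_lab"] = is_allowed(analyst, "backup", "lab", groups, store, all_envs)
    r["analyst_backup_prod"] = is_allowed(analyst, "backup", "prod", groups, store, all_envs)
    r["analyst_write_lab"] = is_allowed(analyst, "write", "lab", groups, store, all_envs)
    r["root_delete_prod"] = is_allowed(root, "delete", "prod", groups, store, all_envs)
    try:
        store.delete("AllDatabaseReadOnly")
        r["sra_policy_deleted"] = True
    except PermissionError:
        r["sra_policy_deleted"] = False
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `reachable_environments` step is what makes footnote 2 work: management actions are only granted once a separate DB access policy (here the customer managed `LabReadOnly`) has placed the environment in the user's reachable set, and the root check short-circuits before any policy is consulted.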