Policies and Permissions
You manage access in VECTR by creating policies and attaching them to identities (users or groups). A policy is an object that, when associated with an identity or resource, defines their permissions. SRA Auth evaluates these policies when a user makes a request. Permissions in the policies determine whether the request is allowed or denied.
Policy Types
- Identity-based policies. Attach managed policies to IAM identities (users or groups). Identity-based policies grant permissions to an identity.
- Resource-based policies. These are policies that grant permission to a resource.
Identity-based Policies
Identity-based policies are permissions policy documents that control what actions an identity (user or group) can perform, on which resources, and under what conditions.
Resource-based Policies
Note
Currently, resource-based policies affect all users. In a future release, resource-based policies will support the ability to configure principals (users) that have access to these resources.
Policy Category
All policies are either managed by SRA or by the customer (end-user):
- SRA managed policies. Policies that are created and managed by SRA. These policies cannot be modified or removed by the customer.
- Customer managed policies. Policies that you create and manage in your account.
Policies and the Default Root User
The default root user is not affected by any policies. By default, the root user belongs to the BasicAccess and Admins groups; however, its permissions are not affected by the policies attached to those groups. You can even remove the root user from these groups, or delete the groups entirely, and the root user will still have full access to VECTR.
Default SRA Managed Policies
The following default policies are provided by SRA. Some policies are application-specific. SRA managed policies cannot be deleted or modified.

| Name | Description |
|---|---|
| AdminFullAccess | Provides full access to all resources and IAM permissions. |
| AppSettingsReadOnly [^1] | Provides the ability for a user to read application configurations. |
| IAMFullAccess | Provides full access to IAM related resources and permissions, including managing users, groups, and policies. |
| TokenRefreshAccess | Provides the ability for users to stay logged into the application by automatically updating their JWT before it expires. Users who do not have this permission will be time-boxed to the application for 30 minutes. |
| UserProfileAccess [^1] | Provides the ability for a user to edit their own information, such as name and password. |
Default VECTR Policies
The following are VECTR-specific default policies:

| Name | Description |
|---|---|
| AllDatabaseFullAccess | Provides the ability to perform read and write (including update and delete) operations on all session databases. |
| AllDatabaseReadOnly | Provides access to perform read operations on all session databases. |
| AnyPathResourceFullAccess | Provides full access (read/write/update/delete) to any non-session database related endpoints. |
| AnyPathResourceReadOnly [^1] | Provides read-only access to any non-session database related endpoint. |
| DatabaseManagement [^2] | Provides the ability for a user to manage (list, edit, backup, restore) the databases which they have access to. |
| DatabaseManagementFullAccess [^2] | Provides the ability to manage (list, create, edit, delete, backup, restore) all databases. |
| GoldStandardFullAccess | Provides read and write access to the GoldStandard database. |
| GoldStandardReadOnly [^1] | Provides read-only access to the GoldStandard database. |
| ListDatabases [^1] [^2] | Allows a user to list the databases they have access to. |
| ProductTourAccess [^3] | Provides the ability to interact with VECTR product tours. |
| ProductTourIntroDatabaseFullAccess [^3] | Provides read/write access to the "Intro to VECTR Walkthrough" tour database. |
| RenameDatabase [^2] | Allows a user to rename a database that they have access to. |
[^1]: These policies are required at a minimum for a user to gain basic access to VECTR.

[^2]: These policies on their own do not provide read or write access to any databases. Instead, they simply give the provided permissions on databases which a user already has access to. These policies must be combined with a DB access policy such as AllDatabaseFullAccess, AllDatabaseReadOnly, or a custom DB policy that you created.

[^3]: These policies are required to view and interact with VECTR product tours.
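The evaluation rules stated on this page (policies attached to groups, the root user exempt from every policy, SRA managed policies not editable, and the footnote-2 rule that management policies only act on databases the user can already read or write) can be modelled to see how they combine. The following is an added example written for this page; it is not VECTR's or SRA Auth's own code, and the statement shape (`action`, `resource` glob patterns, a `requires_db_access` flag), the action names such as `db:read` and `db:backup`, and the sample users and groups are all assumptions constructed for illustration.

```python
"""Toy model of the policy semantics described on the page (hypothetical
format, not VECTR's real policy documents)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed action names: read/write are "DB access"; the rest are management.
DB_ACCESS_ACTIONS = ("db:read", "db:write")


@dataclass(frozen=True)
class Statement:
    action: str                        # glob, e.g. "db:read", "iam:*", "*"
    resource: str                      # glob, e.g. "db:GoldStandard", "db:*"
    requires_db_access: bool = False   # footnote-2 style management grant


@dataclass(frozen=True)
class Policy:
    name: str
    managed_by: str                    # "SRA" or "customer"
    statements: tuple


@dataclass(frozen=True)
class Group:
    name: str
    policies: tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: tuple
    is_root: bool = False


def is_editable(policy: Policy) -> bool:
    """SRA managed policies cannot be modified or removed by the customer."""
    return policy.managed_by == "customer"


def _matches(stmt: Statement, action: str, resource: str) -> bool:
    return fnmatchcase(action, stmt.action) and fnmatchcase(resource, stmt.resource)


def _statements(user: User):
    for group in user.groups:
        for policy in group.policies:
            yield from policy.statements


def _has_db_access(user: User, resource: str) -> bool:
    """True if a plain (non-management) statement grants read or write here."""
    return any(
        _matches(s, a, resource)
        for s in _statements(user) if not s.requires_db_access
        for a in DB_ACCESS_ACTIONS
    )


def is_allowed(user: User, action: str, resource: str) -> bool:
    """Allow if any attached statement matches; root bypasses evaluation."""
    if user.is_root:
        return True
    for s in _statements(user):
        if not _matches(s, action, resource):
            continue
        # Management grants only apply where the user already has DB access.
        if s.requires_db_access and not _has_db_access(user, resource):
            continue
        return True
    return False


# Constructed sample policies named after the page's defaults.
GOLD_STANDARD_READ_ONLY = Policy("GoldStandardReadOnly", "SRA",
                                 (Statement("db:read", "db:GoldStandard"),))
DATABASE_MANAGEMENT = Policy("DatabaseManagement", "SRA", tuple(
    Statement(a, "db:*", requires_db_access=True)
    for a in ("db:list", "db:edit", "db:backup", "db:restore")))
ADMIN_FULL_ACCESS = Policy("AdminFullAccess", "SRA", (Statement("*", "*"),))
TEAM_POLICY = Policy("RedTeamCustom", "customer", (Statement("db:write", "db:RT*"),))

# Constructed sample users: alice has access plus management; bob only management.
ALICE = User("alice", (Group("Readers", (GOLD_STANDARD_READ_ONLY, DATABASE_MANAGEMENT)),))
BOB = User("bob", (Group("Managers", (DATABASE_MANAGEMENT,)),))
ROOT = User("root", (), is_root=True)

if __name__ == "__main__":
    for user, action, res in [(ALICE, "db:backup", "db:GoldStandard"),
                              (ALICE, "db:backup", "db:Assessment2024"),
                              (BOB, "db:backup", "db:GoldStandard"),
                              (ROOT, "iam:delete-user", "iam:user/alice")]:
        print(f"{user.name:6} {action:16} {res:22} -> {is_allowed(user, action, res)}")
```

Running it shows the footnote-2 behaviour directly: alice can back up GoldStandard because GoldStandardReadOnly already grants her read access there, but not a database she cannot read; bob, who holds only DatabaseManagement, can back up nothing; root is allowed everything without any policy at all.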