Policies and Permissions
You manage access in VECTR by creating policies and attaching them to identities (users or groups). A policy is an object that, when associated with an identity or resource, defines their permissions. SRA Auth evaluates these policies when a user makes a request. Permissions in the policies determine whether the request is allowed or denied.
- Identity-based policies. Attach managed policies to IAM identities (users or groups). Identity-based policies grant permissions to an identity.
- Resource-based policies. These are policies that grant permission to a resource.
Identity-based policies are permissions policy documents that control what actions an identity (users or group) can perform, on which resources, and under what conditions.
Currently, resource-based policies affect all users. In a future release, resource-based policies will support the ability to configure principals (users) that have access to these resources.
All policies are either managed by SRA or the customer (end-user):
SRA managed policies. Policies that are created and managed by SRA. These policies cannot be modified or removed by the customer.
Customer managed policies. Policies that you create and manage in your account.
Policies and the Default Root User¶
The default root user is not affected by any policies. By default, the root user belongs to the BasicAccess and Admins group, however their permission is not affected by the policies belonging to these groups. You can even remove the root user from these groups, or delete these groups and the root user will still have full access to VECTR.
Default SRA Managed Policies¶
The following default policies are provided by SRA. Some policies are application-specific. SRA Managed policies cannot be deleted or modified.
AdminFullAccess. Provides full access to all resources and IAM permissions.
AppSettingsReadOnly1. Provides the ability for a user to read application configurations.
IAMFullAccess. Provides full access to IAM related resources and permissions, including managing users, groups, and policies.
TokenRefreshAccess. Provides the ability for users to stay logged into the application by automatically updating their JWT before it expires. Users who do not have this permission will be time-boxed to the application for 30 minutes.
UserProfileAccess1. Provides the ability for a user to edit their own information, such as name and password.
Default VECTR Policies¶
The following are VECTR specific default policies:
AllDatabaseFullAccess. Provides the ability to perform read and write (including update and delete) operations on all session databases.
AllDatabaseReadOnly. Provides access to perform read operations on all session databases.
AnyPathResourceFullAccess. Provides full access (read/write/update/delete) to any non-session database related endpoints.
AnyPathResourceReadOnly1. Provides read-only access to any non-session database related endpoint.
GoldStandardReadOnly1. Provides read-only access to the GoldStandard database.
1 These policies are required at a minimum for a user to gain basic access to VECTR.