Overview of resource access strategies
Strategies and IDs
A resource access strategy is a set of logic that identifies which resources a caller can access.
A resource access ID is a string that identifies either who the caller is or what the caller owns.
For each call, resource access is determined by executing the resource access strategy using the resource access ID as input. For example, suppose a given resource access strategy states "the caller can access information related to accounts they own". And suppose, for a given call, the resource access ID is account number 464778619. This would mean the following:
- The caller can access resources that are related to account 464778619.
- The caller cannot access resources that are related to accounts other than 464778619.
Some resource access strategies require a single resource access ID. Other resource access strategies allow for an array of resource access IDs.
The list of resource access strategies
The base configuration includes the following resource access strategies:
Strategy name | Persona using this strategy | Resource access ID is... | Grants access to... | More information |
---|---|---|---|---|
bc_username | Internal users | A BillingCenter user name | Resources this internal user could see in BillingCenter. | |
bc.service | Trusted service-to-service application | Not applicable | All resources | The service resource access strategy |
default | Callers who have been authenticated but specify no resource access strategy with the call | Not applicable | Typically metadata resources only (such as API definitions) | |
unauthenticated | Callers who have not been authenticated | Not applicable | Typically metadata resources only (such as API definitions) | |
The JWT identifies which resource access strategy to use by listing the strategy name in the scp token claim. If the given strategy requires resource access IDs, then the JWT also contains a token claim whose name is the strategy name and whose contents are the resource access IDs.
For example, suppose that a given call is using the bc_username resource access strategy with a resource access ID of aapplegate@acme.com. The JWT would include the following.
Determining a call's resource access strategy
Resource access strategies are assigned by internal code as described in the following table. For calls made by services with user context, two resource access strategies are assigned, one at the service level and one at the user level. For all other types of calls, only one resource access strategy is assigned.
Strategy name | This is assigned to a call when... |
---|---|
bc_username | Any of the following are true: |
bc.service | The JWT's scp token claim contains bc.service. |
default | The caller has been authenticated, but the JWT specifies no resource access strategy. |
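As an added illustration of the two preceding sections (example code, not BillingCenter's own), the Python below assigns a call's strategy from already-verified JWT claims, reading the IDs from the claim named after the strategy, and then evaluates the strategy against sample resources. It assumes the token signature has already been checked, that bc_username takes a single ID, and a constructed ownership model for what a BillingCenter user can see.

```python
from dataclasses import dataclass
from typing import Optional

# Strategies that carry resource access IDs in a claim of the same name.
# Assumption for this example: bc_username takes a single ID (the page does
# not say which strategies take one ID and which accept an array).
ID_STRATEGIES = {"bc_username": False}  # value: does the strategy accept an array?


@dataclass(frozen=True)
class ResourceAccess:
    strategy: str
    ids: tuple = ()  # empty for strategies that need no resource access ID


def resolve_strategy(claims: Optional[dict]) -> ResourceAccess:
    """Assign the strategy from verified JWT claims (None = no authenticated caller)."""
    if claims is None:
        return ResourceAccess("unauthenticated")
    scopes = claims.get("scp", [])
    if isinstance(scopes, str):  # some issuers emit scp as a space-delimited string
        scopes = scopes.split()
    if "bc.service" in scopes:  # trusted service-to-service caller: all resources
        return ResourceAccess("bc.service")
    for name, allows_array in ID_STRATEGIES.items():
        if name not in scopes:
            continue
        raw = claims.get(name)  # the IDs live in a claim named after the strategy
        if raw is None:
            raise ValueError(f"strategy {name} requires a resource access ID claim")
        ids = tuple(raw) if isinstance(raw, list) else (raw,)
        if not allows_array and len(ids) != 1:
            raise ValueError(f"strategy {name} takes exactly one resource access ID")
        return ResourceAccess(name, ids)
    return ResourceAccess("default")  # authenticated, but no strategy named in scp


def can_access(access: ResourceAccess, resource: dict) -> bool:
    """Run the strategy for one resource. Resources are constructed dicts with an
    'owner' (the BillingCenter user who owns it) and/or a 'metadata' flag."""
    if access.strategy == "bc.service":
        return True
    if access.strategy in ("default", "unauthenticated"):
        return bool(resource.get("metadata", False))
    # bc_username: hypothetical ownership model; the real strategy grants what
    # that user could see in BillingCenter.
    return resource.get("owner") in access.ids


# Constructed sample claim sets for two kinds of callers.
USER_CLAIMS = {"scp": ["bc_username"], "bc_username": "aapplegate@acme.com"}
SERVICE_CLAIMS = {"scp": ["bc.service"]}
```

The resource access IDs are taken only from the verified token, never from the request body or query string, which is the property the strategy depends on.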