Overview of resource access strategies
Strategies and IDs
A resource access strategy is a set of logic that identifies which resources a caller can access.
A resource access ID is a string that identifies either who the caller is or what the caller owns.
Some resource access strategies expect a single resource access ID. Other resource access strategies allow for an array of resource access IDs.
For each call, resource access is determined by executing the resource access strategy using the resource access ID as input. For example, suppose a given resource access strategy states "the caller can access information related to accounts they own". And suppose, for a given call, the resource access ID is account number 464778619. This would mean the following:
- The caller can access resources that are related to account 464778619.
- The caller cannot access resources that are related to accounts other than 464778619.
The list of resource access strategies
The base configuration includes the following resource access strategies:
| Strategy name | Persona using this strategy | Resource access ID is... | Grants access to... | More information |
|---|---|---|---|---|
| bc_username | Internal users | A BillingCenter user name | Resources this internal user could see in BillingCenter. | |
| bc_contactAuthorizationIds | Account owners, primary payers, and invoice item payers | An array of contact authorization IDs | Resources where at least one of the specified contacts has an appropriate business relationship with the resource | The contactAuthorizationIds resource access strategy |
| bc.service | Trusted service-to-service application | Not applicable | All resources | The service resource access strategy |
| bc_producerCodes | Producers | An array of one or more producer codes, as strings | Resources where at least one of the specified producer codes has an appropriate business relationship with the resource | The producerCodes resource access strategy |
| default | Callers who have been authenticated but specify no resource access strategy with the call | Not applicable | Typically just metadata resources only (such as API definitions) | |
| unauthenticated | Callers who have not been authenticated | Not applicable | Typically just metadata resources only (such as API definitions) | |
The JWT identifies which resource access strategy to use by listing the strategy name in
the scp token claim. If the given strategy requires resource access IDs,
then the JWT also contains a token claim whose name is the strategy name and whose contents
are the resource access IDs.
For example, suppose that a given call is using the bc_username resource access strategy with a resource access ID of aapplegate@acme.com. The JWT would include the following claims:

```json
"scp": [
  "bc_username"
],
"bc_username": [
  "aapplegate@acme.com"
]
```
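The following is an added example, not Guidewire code, that models the two ideas above in runnable form: the strategy is selected from the scp claim, the resource access IDs are read from the claim that carries the strategy's name, and the strategy is then executed against resources with the IDs as input (the account 464778619 example, the contact and producer array strategies, and the no-ID strategies bc.service, default and unauthenticated). The claim layout follows the page; the sample resources, the per-strategy rules, the bc_username visibility map, and the function names are assumptions constructed for the example.

```python
"""Model of resource access strategy selection and evaluation from JWT claims.

Added example, not Guidewire code. Claim layout follows the page; the
resource records, per-strategy rules and BC_USER_VISIBLE map are constructed.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

# Strategies that take no resource access ID (per the page).
NO_ID_STRATEGIES = {"bc.service", "default", "unauthenticated"}
# Strategies whose claim carries an array of IDs; the others expect exactly one.
ARRAY_ID_STRATEGIES = {"bc_contactAuthorizationIds", "bc_producerCodes"}

# Constructed sample resources keyed by resource ID.
RESOURCES: Dict[str, dict] = {
    "invoice-1": {"kind": "invoice", "account": "464778619",
                  "contacts": {"c-100"}, "producers": {"P01"}},
    "invoice-2": {"kind": "invoice", "account": "999000111",
                  "contacts": {"c-200"}, "producers": {"P02"}},
    "api-definition": {"kind": "metadata"},
}

# Constructed stand-in for "resources this internal user could see in BillingCenter".
BC_USER_VISIBLE: Dict[str, Set[str]] = {
    "aapplegate@acme.com": {"invoice-1", "api-definition"},
}

# A rule receives (resource access IDs, resource ID, resource) and says whether
# the caller may access that resource.
Rule = Callable[[List[str], str, dict], bool]


def _by_username(ids: List[str], rid: str, res: dict) -> bool:
    return bool(ids) and rid in BC_USER_VISIBLE.get(ids[0], set())


def _by_contacts(ids: List[str], rid: str, res: dict) -> bool:
    # At least one listed contact has a relationship with the resource.
    return bool(res.get("contacts", set()) & set(ids))


def _by_producers(ids: List[str], rid: str, res: dict) -> bool:
    # At least one listed producer code has a relationship with the resource.
    return bool(res.get("producers", set()) & set(ids))


def _service(ids: List[str], rid: str, res: dict) -> bool:
    return True  # trusted service-to-service caller: all resources


def _metadata_only(ids: List[str], rid: str, res: dict) -> bool:
    return res.get("kind") == "metadata"  # default / unauthenticated


STRATEGIES: Dict[str, Rule] = {
    "bc_username": _by_username,
    "bc_contactAuthorizationIds": _by_contacts,
    "bc_producerCodes": _by_producers,
    "bc.service": _service,
    "default": _metadata_only,
    "unauthenticated": _metadata_only,
}


def resolve_strategies(claims: Optional[dict]) -> List[Tuple[str, List[str]]]:
    """Map JWT claims to a list of (strategy name, resource access IDs).

    No JWT at all means unauthenticated. Entries in scp that are not strategy
    names are ignored (assumption: scp may carry other scopes); if none match,
    the caller falls to the most restrictive authenticated strategy, default.
    A strategy that needs IDs but has no matching claim is rejected.
    """
    if claims is None:
        return [("unauthenticated", [])]
    assigned: List[Tuple[str, List[str]]] = []
    for name in claims.get("scp") or []:
        if name not in STRATEGIES:
            continue
        if name in NO_ID_STRATEGIES:
            assigned.append((name, []))
            continue
        ids = claims.get(name)
        if ids is None:
            raise ValueError(f"strategy {name} requires a {name!r} claim with resource access IDs")
        ids = [ids] if isinstance(ids, str) else list(ids)
        if name not in ARRAY_ID_STRATEGIES and len(ids) != 1:
            raise ValueError(f"strategy {name} expects a single resource access ID, got {len(ids)}")
        assigned.append((name, ids))
    return assigned or [("default", [])]


def accessible_resources(strategy: str, ids: List[str]) -> Set[str]:
    """Execute one strategy with the given IDs and return the resource IDs it grants."""
    rule = STRATEGIES[strategy]
    return {rid for rid, res in RESOURCES.items() if rule(ids, rid, res)}


if __name__ == "__main__":
    # The page's own example JWT claims for the bc_username strategy.
    jwt_claims = {"scp": ["bc_username"], "bc_username": ["aapplegate@acme.com"]}
    for name, ids in resolve_strategies(jwt_claims):
        print(name, ids, sorted(accessible_resources(name, ids)))
```

Note that a single-ID strategy such as bc_username still arrives as a one-element array in the claim, exactly as in the page's example, so the model accepts an array and checks its length rather than assuming a bare string.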
Determining a call's resource access strategy
Resource access strategies are assigned by internal code as described in the following table. For calls made by services with user context, two resource access strategies are assigned: one at the service level and one at the user level. For all other types of calls, only one resource access strategy is assigned.
| Strategy name | This is assigned to a call when... |
|---|---|
| bc_username | Any of the following are true: |
| bc_contactAuthorizationIds | Any of the following are true: |
| bc_producerCodes | Any of the following are true: |
| bc.service | The JWT's scp token claim contains bc.service. |
| default | The caller has been authenticated, but the JWT specifies no resource access strategy. |
| unauthenticated | The caller has not been authenticated. |