Configuring resource access for generated endpoints

Resource access defines, for a given type of resource, which instances of that resource type the caller can access. For example, for a given caller, endpoint access might grant access to a GET /policies endpoint. But this does not necessarily mean the caller can access every policy in the system. Resource access can limit which specific policies that caller can view.

For more information on the general behavior of resource access, see the Cloud API Authentication Guide.

When running the Rest Endpoint Generator, there are no prompts that pertain to resource access. The Rest Endpoint Generator generates resource access code in the same way for every set of generated endpoints. At the very least, the code requires review. In some cases, the code may also require additional configuration. The places where coding requires review and additional completion is flagged with the following comment:

TODO RestEndpointGenerator

You can search for these "TODO RestEndpointGenerator" comments in Studio to complete the configuration.

Code generated in access.yaml files

Every resource access strategy is defined in multiple files. In the base configuration, all of the files for a given resource access strategy start with the same name.

Broadly speaking, there are two types of access files: core and extension.

A core access file is an access file that defines one or more base configuration resource access strategies. Core access files either have core in the name, or are located in a package with core in the path.

Warning: Do not modify any core access files. Modifying these files can result in certain sets of callers being unable to execute API calls.

An extension access file is an access file that provides a location for extensions to base configuration resource access strategy behavior. Extension access files either have ext in the name, or are located in a package with ext in the path.

Code generated by the REST Endpoint Generator is placed in extension access files. The specific code added to each file depends on the associated type of caller.

Generated resource access code for internal users

The extension access file for internal users is named internal_ext-1.0.access.yaml.

The REST Endpoint Generator assumes that an internal user can access a given instance of the custom resource if the internal user can also access the resource's parent. Therefore, the filters for all operations are set to __inherit.

Stream-based collections

If you generate endpoints for a CustomEntity_Ext entity, and the entity is backed by a stream, the following is added to the internal user resource access extension file:

resources:
  CustomEntitiesExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: __inherit
      create: __inherit
  CustomEntityExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: __inherit
      edit: __inherit
      delete: __inherit

Query-based collections

If you generate endpoints for a CustomEntity_Ext entity, and the entity is backed by a query, the following is added to the internal user resource access extension file:

resources:
  CustomEntitiesExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: __inherit
      create: __inherit
    filter: __noFilter
  CustomEntityExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: __inherit
      edit: __inherit
      delete: __inherit
Note that, for query-backed collections, there is an additional "filter: __noFilter" line of code in the collections section. This line is needed to determine appropriate view permissions for query-backed collections.
  • This line of code does not exist for stream-backed collections because stream-backed collections load the entire collection contents into memory at one time. Cloud API can simply iterate over the entire collection using the specified view permission to determine which items in the stream can be viewed.
  • This line of code does exist for query-backed collections because query-backed collections do not load the entire collection into memory at one time. Instead, the collection is loaded one page at a time. Additional logic is required to identify the items in the collection that can be viewed. This is specified by the additional filter.

In most business circumstances, the filter can be set to __noFilter, which specifies no additional filter logic is needed. This is acceptable because, in most cases, a child object can be viewed if the parent object can be viewed.

Generated resource access code for external users

ClaimCenter has two extension access files for external users: policyNumbers_ext-1.0.access.yaml and gwabuid_ext-1.0.access.yaml.

The REST Endpoint Generator does not make any assumptions about when an external user caller can access a given instance of the custom resource. Therefore, the filters for all operations are declared, but they are not set to any values.

Stream-based collections

If you generate endpoints for a CustomEntity_Ext entity, and the entity is backed by a stream, the following is added to the external user resource access extension file:

resources:
  CustomEntitiesExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: "TODO RestEndpointGenerator"
      create: "TODO RestEndpointGenerator"
  CustomEntityExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: "TODO RestEndpointGenerator"
      edit: "TODO RestEndpointGenerator"
      delete: "TODO RestEndpointGenerator"

Query-based collections

If you generate endpoints for a CustomEntity_Ext entity, and the entity is backed by a query, the following is added to the internal user resource access extension file:

resources:
  CustomEntitiesExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: "TODO RestEndpointGenerator"
      create: "TODO RestEndpointGenerator"
    filter: "TODO RestEndpointGenerator"
  CustomEntityExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: "TODO RestEndpointGenerator"
      edit: "TODO RestEndpointGenerator"
      delete: "TODO RestEndpointGenerator"

Note that, for query-backed collections, there is an additional "filter: TODO..." line of code in the collections section. This line is needed to determine appropriate view permissions for query-backed collections.

  • This line of code does not exist for stream-backed collections because stream-backed collections load the entire collection contents into memory at one time. Cloud API can simply iterate over the entire collection using the specified view permission to determine which items in the stream can be viewed.
  • This line of code does exist for query-backed collections because query-backed collections do not load the entire collection into memory at one time. Instead, the collection is loaded one page at a time. Additional logic is required to identify the items in the collection that can be viewed. This is specified by the additional filter.

For more information on how to configure resource access files, see Cloud API Authentication Guide.

Generated resource access code for services

The extension access file for internal users is named serviceUser_ext-1.0.access.yaml.

The REST Endpoint Generator assumes that services are not restricted by resource access. Therefore, the filters for all operations are set to true.

Stream-based collections

If you generate endpoints for a CustomEntity_Ext entity, and the entity is backed by a stream, the following is added to the service resource access extension file:

resources:
  CustomEntitiesExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: true
      create: true
  CustomEntityExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: true
      edit: true
      delete: true

Query-based collections

If you generate endpoints for a CustomEntity_Ext entity, and the entity is backed by a query, the following is added to the internal user resource access extension file:

resources:
  CustomEntitiesExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: true
      create: true
    filter: __noFilter
  CustomEntityExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: true
      edit: true
      delete: true

Note that, for query-backed collections, there is an additional "filter: __noFilter" line of code in the collections section. This line is needed to determine appropriate view permissions for query-backed collections.

  • This line of code does not exist for stream-backed collections because stream-backed collections load the entire collection contents into memory at one time. Cloud API can simply iterate over the entire collection using the specified view permission to determine which items in the stream can be viewed.
  • This line of code does exist for query-backed collections because query-backed collections do not load the entire collection into memory at one time. Instead, the collection is loaded one page at a time. Additional logic is required to identify the items in the collection that can be viewed. This is specified by the additional filter.

If services are not restricted by resource access, then no additional filter logic is needed. The filter: __noFilter line of code specifies this.

Generated resource access code for special use cases

There are two resource access strategies used for special cases.
  • Unauthenticated user resource access is used for unauthenticated users. This access is defined in unauthenticatedUser_ext-1.0.access.yaml.
  • Default resource access is used for callers who have been authenticated but specify no resource access strategy with the call. This access is defined in default_ext-1.0.access.yaml.

The REST Endpoint Generator does not make any assumptions about when a caller using these resource access strategies can access a given instance of the custom resource. Therefore, the filters for all operations are declared, but they are not set to any values.

Stream-based collections

If you generate endpoints for a CustomEntity_Ext entity, and the entity is backed by a stream, the following is added to the unauthorized access extension file:
resources:
  CustomEntitiesExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: "TODO RestEndpointGenerator"
      create: "TODO RestEndpointGenerator"
  CustomEntityExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: "TODO RestEndpointGenerator"
      edit: "TODO RestEndpointGenerator"
      delete: "TODO RestEndpointGenerator"

Query-based collections

If you generate endpoints for a CustomEntity_Ext entity, and the entity is backed by a query, the following is added to the unauthorized access extension file:

resources:
  CustomEntitiesExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: "TODO RestEndpointGenerator"
      create: "TODO RestEndpointGenerator"
    filter: __noFilter
  CustomEntityExt:
    # TODO RestEndpointGenerator : Update the default generated access here
    permissions:
      view: "TODO RestEndpointGenerator"
      edit: "TODO RestEndpointGenerator"
      delete: "TODO RestEndpointGenerator"

Note that, as is the case for the other caller types, query-backed collections have an additional "filter:" line of code in the collections section.

Configuring generated resource access code

Depending on the business needed, the following resource access configuration may be required:

  • Guidewire recommends removing the TODO RestEndpointGenerator comments.
  • The default resource access for internal users is "you can access the custom entity if you can access its parent." If this is not appropriate or sufficient, you must configure the internal resource strategy extension file.
  • The default resource access for services is "you can access all custom entities." If this is not appropriate or sufficient, you must configure the service resource strategy extension file.
  • There is no default resource access for external users, unauthenticated users, or callers with default access. If your endpoints support any of these types of callers, you must configure the corresponding resource strategy extension file.

For more information on how to configure resource access files, see Cloud API Authentication Guide