Types of access

Authorization is the process of determining what operations and data the caller is allowed to access. The system APIs enforce authorization using the following types of access:

• Endpoint access defines the aspects of an endpoint's behaviors that are available to a caller. This includes:
  • What endpoints are available to the caller?
  • What operations can a caller call on the available endpoint?
  • What fields can the caller specify in a request payload or get in a response payload?
• Resource access defines, for a given type of resource, which instances of that resource type the caller can access. For example, for a given caller, endpoint access might grant access to a GET /policies endpoint. But this does not necessarily mean the caller can access every policy in the system. Resource access can limit which specific policies that caller can view.
• A proxy user is an internal user that is assigned to an external user or service when an external user or service triggers an API call. Whenever PolicyCenter logic must verify that the caller has a given domain-level system permission (such as permission to own an activity) or authority limit, the proxy user is checked. This is referred to as proxy user access.

Each type of access does not necessarily apply to every type of caller.