Overview of resource access strategies
Strategies and IDs
A resource access strategy is a set of logic that identifies which resources a caller can access.
A resource access ID is a string that identifies either who the caller is or what the caller owns.
Some resource access strategies expect a single resource access ID. Other resource access strategies allow for an array of resource access IDs.
For each call, resource access is determined by executing the resource access strategy using the resource access ID as input. For example, suppose a given resource access strategy states "the caller can access information related to accounts they own". And suppose, for a given call, the resource access ID is account number 464778619. This would mean the following:
- The caller can access resources that are related to account 464778619.
- The caller cannot access resources that are related to accounts other than 464778619.
The list of resource access strategies
The base configuration includes the following resource access strategies:
Strategy name | Persona using this strategy | Resource access ID is... | Grants access to... | More information |
---|---|---|---|---|
pc_accountNumbers | Account holders (including anonymous users who have created an account) | An account number | Resources associated with the account, including its jobs and policies | |
pc_username | Internal users | A PolicyCenter user name | Resources this internal user could see in PolicyCenter based on their associated Access Control Lists (ACLs). | |
pc.service | Trusted service-to-service application | Not applicable | All resources | The service resource access strategy |
default | Callers who have been authenticated but specify no resource access strategy with the call | Not applicable | Typically just metadata resources only (such as API definitions) | |
unauthenticated | Callers who have not been authenticated | Not applicable | API definition metadata and the endpoints to create accounts. (The account endpoints are used by anonymous users who may want to quote and potentially bind a policy.) | |
The JWT identifies which resource access strategy to use by listing the strategy name in the `scp` token claim. If the given strategy requires resource access IDs, then the JWT also contains a token claim whose name is the strategy name and whose contents are the resource access IDs.
For example, suppose that a given call is using the `pc_accountNumbers` resource access strategy with a resource access ID of 464778619. The JWT would include the following claims.

```json
"scp": [
  "pc_accountNumbers"
],
"pc_accountNumbers": [
  "464778619"
]
```
Determining a call's resource access strategy
Resource access strategies are assigned by internal code as described in the following table. For calls made by services with user context, two resource access strategies are assigned, one at the service level and one at the user level. For all other types of calls, only one resource access strategy is assigned.
Strategy name | This is assigned to a call when... |
---|---|
pc_accountNumbers | Any of the following are true: |
pc_username | Any of the following are true: |
pc.service | The JWT's `scp` token claim contains `pc.service`. |
default | The caller has been authenticated, but the JWT specifies no resource access strategy. |
unauthenticated | The caller has not been authenticated. |
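The following is an added worked example, not Guidewire code, that ties together the two mechanisms described above: reading the strategy name from the `scp` claim (plus the same-named claim holding the resource access IDs) and then applying the assigned strategy to a requested resource. The claim layout and the five strategy names come from this page; the `Resource` model, the ACL stand-in used for `pc_username`, the rule that a token naming an ID-requiring strategy without the matching claim falls back to `default`, and the rule that a call carrying several strategies must be granted by every one of them are assumptions made for the illustration. The claims dictionary is assumed to come from a JWT whose signature has already been verified.

```python
"""Resolve a caller's resource access strategy from JWT claims and apply it.

Added example; the strategy names and claim layout follow the page, while the
Resource model, ACL stand-in and combination rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Strategies that expect resource access IDs in a same-named claim (per the page).
ID_REQUIRING = frozenset({"pc_accountNumbers", "pc_username"})
# Strategies that take no resource access ID (per the page).
NO_ID = frozenset({"pc.service", "default", "unauthenticated"})


@dataclass(frozen=True)
class Resource:
    """Assumed resource model: a kind, an owning account (if any) and, as a
    stand-in for PolicyCenter ACLs, the set of user names that may see it."""
    kind: str                              # "metadata", "account-create", "policy", "job", ...
    account_number: Optional[str] = None   # owning account number, if any
    acl_users: frozenset = frozenset()     # users granted by ACL (assumption)


@dataclass
class Decision:
    strategies: List[str]        # assigned strategy names, in scp order
    ids: Dict[str, List[str]]    # strategy name -> resource access IDs
    reason: str                  # why this assignment was made (for logging)


def resolve(claims: Optional[dict]) -> Decision:
    """Map decoded, signature-verified JWT claims to resource access strategies.

    claims=None models a caller with no authenticated identity at all."""
    if claims is None:
        return Decision(["unauthenticated"], {}, "no authenticated caller")
    scp = claims.get("scp", [])
    if isinstance(scp, str):
        scp = [scp]
    # Honour only strategy names a token may legitimately carry; "default" and
    # "unauthenticated" are assigned by the server, never taken from scp.
    names = [s for s in scp if s in ID_REQUIRING or s == "pc.service"]
    if not names:
        return Decision(["default"], {}, "authenticated, no strategy named in scp")
    ids: Dict[str, List[str]] = {}
    for name in names:
        if name in ID_REQUIRING:
            raw = claims.get(name)
            if raw is None or raw == []:
                # The strategy needs IDs but the claim is absent: fail closed
                # to the metadata-only default (assumption).
                return Decision(["default"], {}, f"{name} in scp but no {name} claim")
            ids[name] = [str(v) for v in ([raw] if isinstance(raw, str) else raw)]
    return Decision(names, ids, "resolved from scp")


def strategy_grants(name: str, ids: List[str], resource: Resource) -> bool:
    """Apply one strategy's logic, following the 'Grants access to...' column."""
    if name == "pc.service":
        return True                                   # all resources
    if name == "pc_accountNumbers":                   # resources of owned accounts
        return resource.account_number is not None and resource.account_number in ids
    if name == "pc_username":                         # ACL stand-in (assumption)
        return bool(resource.acl_users & frozenset(ids))
    if name == "default":
        return resource.kind == "metadata"            # metadata only
    if name == "unauthenticated":
        return resource.kind in ("metadata", "account-create")
    return False                                      # unknown strategy: deny


def can_access(decision: Decision, resource: Resource) -> bool:
    """Grant only if every assigned strategy grants (assumed combination rule
    for the service-with-user-context case, where two strategies are assigned)."""
    return all(strategy_grants(n, decision.ids.get(n, []), resource)
               for n in decision.strategies)


if __name__ == "__main__":
    # Constructed claims matching the page's example token.
    token = {"scp": ["pc_accountNumbers"], "pc_accountNumbers": ["464778619"]}
    d = resolve(token)
    print(d.strategies, d.ids, d.reason)
    print(can_access(d, Resource("policy", account_number="464778619")))   # True
    print(can_access(d, Resource("policy", account_number="111111111")))   # False
```

Note that `resolve` deliberately ignores `default` and `unauthenticated` if they appear inside `scp`: those two strategies describe the server's own fallback decisions, so a token should never be able to select them, and the same fail-closed thinking applies when a token names `pc_accountNumbers` without supplying the account numbers.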