Functionality of specific resource access strategies

This section describes resource access strategies that have unique functionality not found in other resource access strategies.

The service resource access strategy

Most of the resource access strategies specify restrictions, which limit the resources and fields that a caller can view.

However, the pc.service resource access strategy specifies almost no restrictions. This is because this resource access strategy is designed to be used by services. Services are expected to be configured such that they access only the resources appropriate for the circumstance. Consequently, JWTs for API calls from services do not typically include resource access IDs.

Note that resource access for the different service-related auth flows behaves as described here:

  • For standalone services, calls use the pc.service resource access strategy. Therefore, they have unrestricted resource access.
  • For services with user context, each call's resource access is the intersection of the service-level resource access and the user-level resource access. The service-level resource access is the pc.service resource access strategy, which has no restrictions. Therefore, logically speaking, a service-with-user-context call has resource access equivalent to the user-level resource access.
  • For services with service account mapping, the service is mapped to an internal service account. The pc.service resource access strategy is not used. Rather, the call uses the pc_username resource access strategy.
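
The three flows above, modeled as an added example (this is not Guidewire code). The flow labels, resource names, and field names are constructed for illustration, and "unrestricted" is treated as the identity element for intersection, which is why a service-with-user-context call ends up with exactly the user-level access.

```python
class _Unrestricted:
    """Sentinel for 'no restrictions', as with the pc.service strategy."""
    def __repr__(self):
        return "UNRESTRICTED"

UNRESTRICTED = _Unrestricted()

def intersect(a, b):
    """Intersect two grants; each is UNRESTRICTED or {resource: set(fields)}."""
    if a is UNRESTRICTED:
        return b
    if b is UNRESTRICTED:
        return a
    shared = {}
    for resource in a.keys() & b.keys():
        fields = a[resource] & b[resource]
        if fields:  # no common fields means the resource is not viewable
            shared[resource] = fields
    return shared

def effective_access(flow, user=None, mapped_account=None):
    """Effective access for a call; the flow labels are hypothetical names."""
    if flow == "standalone":
        return UNRESTRICTED  # pc.service only
    if flow == "user_context":
        if user is None:
            raise ValueError("user-level access required; failing closed")
        return intersect(UNRESTRICTED, user)  # service-level ∩ user-level
    if flow == "service_account_mapping":
        if mapped_account is None:
            raise ValueError("mapped service account access required")
        return mapped_account  # pc.service is not used in this flow
    raise ValueError(f"unknown flow: {flow}")

# Constructed sample grants (resource and field names are made up).
USER = {"policies": {"id", "status"}, "accounts": {"id"}}
ACCOUNT = {"policies": {"id", "premium"}, "claims": {"id"}}

if __name__ == "__main__":
    print("standalone ->", effective_access("standalone"))
    print("user_context ->", effective_access("user_context", user=USER))
    print("service_account_mapping ->",
          effective_access("service_account_mapping", mapped_account=ACCOUNT))
```

Because the standalone flow resolves to unrestricted access, any limit on what such a service reads has to come from how the service itself is configured, as the section notes.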