Permissions
The permissions resource describes what a key, and therefore its users, can access. For example, a key might be configured to have the source_type:icloud.account scope which allows its users to create sessions against iCloud accounts.
Every permission is constrained by what the base permissions of the organisation are. It is not possible to create permissions which are beyond what the organisation has access to.
Attributes
| name | type | description |
|---|---|---|
| id | permission ID | Resource identifier. |
| resource | string, always permission | Resource type specifier. |
| organisation | organisation ID | The organisation these permissions are associated with. |
| scopes | dictionary | The scopes to which the permission applies, each mapped to its list of limits. |
Scopes
The scopes attribute defines what the permissions grant access to. Scopes look like source_type:icloud.account, which would grant permission to create iCloud account sources.
Each scope can have associated limits. These act as restrictions on the permissions granted by the scope. For example, the source_type:icloud.account scope might have a limit:
{ "level": "user", "type": "count", "value": 3 }
This would restrict the number of iCloud account sources a user can create to a maximum of three.
The format of the scopes attribute, given the example above, would be:
{ "source_type:icloud.account": [ { "level": "user", "type": "count", "value": 3 } ] }
Scopes can also include simple wildcards, like task_type:icloud.* which gives permission to use any tasks related to the iCloud service.
Scope types
- source_type gives access to specific source types.
- task_type gives access to specific task types.
- data_type gives access to specific data types.
- file_type gives access to specific file types.
Limits
| name | type | description |
|---|---|---|
| level | string | One of: organisation, key, or user. |
| type | string | One of: count, interval, or inflight. |
| value | integer | The threshold enforced by the limit (for example, 3 for a count limit). |
A limit can act at one of three different levels: organisation, key, or user. This determines how broadly the limit is applied. For example, a scope may have a limit which restricts the organisation to only 10 iCloud accounts (an organisation level limit) and another limit that restricts each user within that organisation to just 2 iCloud accounts each (a user level limit).
There are three types of limits: count, interval, and inflight. The count type is absolute (e.g. the total number of iCloud accounts ever accessed), interval takes the count over a period of time (e.g. 1 iCloud account per month), and inflight is a concurrency limit (e.g. only 1 iCloud account may be polled at a time).
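As an added illustration (not code from these API docs), the following shows how a client or gateway could evaluate the scopes format, its simple wildcards, and the count limits described above. The per-level usage counters and the check of a key's scopes against the organisation's base scopes are assumptions about how a consumer might apply the rules, not documented API behaviour.

```python
import re

# Constructed sample permission, in the scope/limit format shown above.
SCOPES = {
    "source_type:icloud.account": [
        {"level": "organisation", "type": "count", "value": 10},
        {"level": "user", "type": "count", "value": 2},
    ],
    "task_type:icloud.*": [],  # wildcard: any iCloud task, no limits attached
}

def scope_matches(granted: str, requested: str) -> bool:
    """True if `requested` falls under `granted`; '*' is the only wildcard."""
    parts = [re.escape(p) for p in granted.split("*")]
    return re.fullmatch(".*".join(parts), requested) is not None

def within_base(base_scopes: dict, key_scopes: dict) -> bool:
    """Assumed check: a key may not be granted a scope the organisation's
    base permissions do not cover. Each key scope is matched literally
    against the base scope patterns."""
    return all(any(scope_matches(b, k) for b in base_scopes) for k in key_scopes)

def check_request(scopes: dict, requested: str, usage: dict) -> tuple:
    """Decide whether `requested` is permitted under `scopes`.

    `usage` (assumed, not part of the API) holds the current number of
    resources already created at each limit level, e.g.
    {"organisation": 4, "user": 2}. Only 'count' limits are evaluated here;
    'interval' and 'inflight' need a time window or live state not modelled.
    Returns (allowed, reason).
    """
    matched = [g for g in scopes if scope_matches(g, requested)]
    if not matched:
        return False, "scope not granted"
    for lim in (l for g in matched for l in scopes[g]):
        if lim["type"] != "count":
            continue
        if usage.get(lim["level"], 0) >= lim["value"]:
            return False, f"{lim['level']} count limit of {lim['value']} reached"
    return True, "ok"

if __name__ == "__main__":
    print(check_request(SCOPES, "task_type:icloud.fetch_data", {}))
    print(check_request(SCOPES, "source_type:icloud.account",
                        {"organisation": 4, "user": 2}))
```

Because every matching scope's limits are evaluated, the narrower user-level limit and the broader organisation-level limit are both enforced on the same request.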