Role-Based Access Controls
Vendia Share provides comprehensive role-based access controls (RBAC) to enable administrators to control the actions users are permitted to take and the resources on which they can operate.
Vendia’s RBAC system is designed to be both simple to use and highly secure. It enables system administrators to easily limit who can access their corporate data and code, constrain employee and business partner activities, and secure critical systems from accidental mishandling. Developers using Vendia Share’s free tier, however, can largely ignore RBAC while learning the system, because default role permissions and automatic permission boundary management automates away most of the need for explicit permissions management in typical usage scenarios.
Scope of RBAC
RBAC modulates the interaction between Vendia Share users and Vendia Share APIs and resources. RBAC may be used to determine whether a Vendia Share user is permitted to access the data in a Uni. In addition, each Uni node possesses its own user identity and authorization mechanisms, which are outside the scope of RBAC.
Key Terms
-
Actions: Actions express the right to call one or more Vendia Share APIs. For example,
USER_GET
expresses the right to call thegetUser
GraphQL query in the Vendia Share API. For convenience, actions such asUSER_ALL
andUNI_ALL
may be used to convey, “all user-related APIs” and “all Uni-related APIs”, respectively. -
Capabilities: A capability is a mapping from actions to sets of resources. For example, the default role for a user includes capabilities to create unis in the default Uni namespace and perform operations on unis in which the caller has at least one node.
-
Default Role: Each Vendia user is assigned a default role, which will be used to determine their capabilities for any API call not provided with an explicit role.
-
Resources: Resources determine the object(s) to which an action can be applied. (There may be more than one resource listed per action.) For example, an action such as
UNI_GET
might have two resources,test1.unis.vendia.net
andtest2.unis.vendia.net
, permitting the owner of that role to access information about either thetest1
or thetest2
Uni. -
Roles: Roles are named sets of capabilities. When a call is made to any Vendia Share API, the caller’s role is used to determine if the action is legal, i.e. whether the caller is authorized to perform it. A role can be provided explicitly; if no role is provided, the caller’s default role will be used instead.
Actions
User Actions
Vendia Share supports the following actions on user accounts:
USER_GET
: Permits calling getUser to retrieve user account details.USER_GET
also determines which users are included when listing users.USER_CREATE
: Permits calling createUser, allowing the owner to make new accounts on the Vendia Share system.USER_DELETE
: Permits calling deleteUser, allowing the owner to remove existing accounts from the Vendia Share system.USER_SET_EMAIL
: Permits calling setUserEmail.USER_SET_ROLE
: Permits calling setUserRole, allowing the caller to assign new roles or replace existing roles for themselves or other users.USER_DELETE_ROLE
: Permits calling deleteUserRole, allowing the caller to remove roles from themselves or other users.USER_INVITE
: Permits the owner to invite users to join an existing Uni. Note that inviting a new node to join an existing Uni requires two types of permission:- The right to call invite for the Uni in question
- The right to invite the user (owner) of the new node.
USER_DEACTIVATE
: Permits deactivating a user account or viewing the list of deactivated users.USER_ALL
: Convenience setting - permits all of the user actions listed above.
Apart from USER_INVITE
, user actions are typically reserved for administrators.
To comply with GDPR, CCPA, and similar regulations, every user on the Vendia system is automatically granted USER_GET
and USER_SET_EMAIL
for themselves; these rights cannot be removed.
Uni Actions
Vendia Share supports the following actions on Unis:
UNI_GET
: Permits calling getUni to retrieve user account details.UNI_GET
also determines which unis are included when listing unis.UNI_CREATE
: Permits callingregister
to create new unis.UNI_DELETE
: Permits callingdestroy
to delete existing unis.UNI_RESET
: Permits callingreset
on an existing Uni to reset it to its state immediately after initial deployment.UNI_JOIN
: Permits callingjoin
to create a new node in an existing Uni.UNI_INVITE
: Permits callinginvite
on an existing Uni. Note that inviting a new node to join an existing Uni requires two types of permission:- The right to call invite for the Uni in question and the right to invite
- The user (owner) of the new node.
UNI_DELETE_NODE
: Permits callingleave
on an existing Uni. (Normally this is performed by the owner of the node, but RBAC can express the right to remove nodes owned by others.)UNI_MUTATE
: Grants access to update the Uni’s settingsUNI_EVOLVE_SCHEMA
: Permits updating the Uni’s schemaUNI_ALL
: Convenience setting - permits all of the Uni actions listed above.
Organization Actions
Vendia Share supports the following actions on Organizations:
ORG_GET
: Permits fetching an organizationORG_LIST_USERS
: Permits retrieving all of the users in the organization and their rolesORG_ALL
: Convenience setting - permits all of the org actions listed above
Data Actions
Vendia Share supports the following actions for data stored with a Node
DATA_READ
: Permits reading the data in a Node (eg. executing queries/subscriptions)DATA_ALL
: Permits read/writing/admin access on data in a Node (eg. executing all queries and mutations)
Resource Formats
Name Resources
Vendia Share users are identified by the current email address associated with their Vendia account. ’*’ may be used as a wildcard, or to indicate that no subdomain is required. Examples:
mary@acme.com
: user Mary in theacme.com
domain*@acme.com
: any user in theacme.com
domain*@*.acme.com
: same as the above*@sub.acme.com
: any user in thesub
subdomain ofacme.com
All user commands (getuser, userSetEmail, etc.) require resources using name formats.
JSON Example:
{ "action": "USER_ALL", "resources": ["NameResource(*@acme.com)"] // Access to all users with the acme.com domain}
Uni Resources
Uni commands can take one of several forms:
- Name Format: using a name format where a Uni resource is expected has the meaning of “this user is an owner of at least one node in the Uni”
<UNI_NAME>.<SUBDOMAIN>.<DOMAIN>.<EXT>
: the Uni’s fully qualified name; ’*’ may be used as a wildcard for any portion of the name<UNI_NAME>.<SUBDOMAIN>.<DOMAIN>.<EXT>#<NODE_NAME>
: a specific node in a Unimary@acme.com
: any Uni wheremary@acme.com
owns at least one nodetest.unis.acme.com
: a Uni namedtest
in the namespace operated byacme.com
in the subdomainunis
foo.*.acme.com#bar
: the nodebar
in the Unifoo
in the namespace owned byAcme.com
. The subdomain may be present or absent; either way it is ignored*.acme.com
: every Uni in the namespace owned byAcme.com
JSON Example:
{ "action": "UNI_GET", "resources": [ "VendiaResource(owned)", // Access to all Unis that the user owns "UniResource(*.unis.acme.com)", // Access to all Unis in the unis.acme.com namespace "UniResource(my-uni.unis.foo.com)", // Specific access to my-uni.unis.foo.com "UniResource(another-uni.unis.bar.com#NodeOne)" // Very specific access to a single Node in the Uni another-uni.unis.bar.com ]}
Data Access
Data access requires the Vendia Resource path style:
<ORGANIZATION_ID>/<UNI_NAME>/<NODE_NAME>
: This includes the unique organization ID, the Uni’s fully qualified name, and the Node name. The wildcard/*
may be used in any portion of the name.
JSON Example:
// Acme's organization ID is 730c2b51-7a7a-42a2-a192-8bef734a95a1// Foo's organization ID is 2fa4bc9d-7d62-4ad6-8d07-4b021bce762b{ "action": "DATA_READ", "resources": [ "VendiaResource(730c2b51-7a7a-42a2-a192-8bef734a95a1/my-uni.unis.acme.com/*)", // Access to all Nodes owned by Acme in the my-uni.acme.com Uni "VendiaResource(730c2b51-7a7a-42a2-a192-8bef734a95a1/another-uni.unis.acme.com/NodeOne)", // Access to only NodeOne in the another-uni.acme.com Uni "VendiaResource(2fa4bc9d-7d62-4ad6-8d07-4b021bce762b/*)" // Access to all Nodes owned by Foo in all of Foo's Unis ]}
Permission Boundaries
Vendia Share’s RBAC system includes a built-in permission boundary feature that prevents escalation of privileges. Permission boundaries impact administrative features, such as USER_SET_ROLE
. Without a permission boundary, users would be allowed to escalate their privileges.
To prevent this from happening, the effect of calling setUserRole
is required to be a subset of the role of the caller. In other words, users cannot create or alter roles to be more powerful than themselves.
As an example, an administrator with UNI_ALL
: *.*.acme.com
rights would be allowed to grant UNI_GET
: test1.*.acme.com
to another user (or themselves), but could not grant UNI_GET
: test1.*.other_domain.com
to any user.
Permission boundaries are enforced automatically - no user action is required.
Assigning permissions in the Share UI
An organization administrator with the appropriate permissions may modify other users’ roles in the Share UI by navigating to My Organization > Members > Select Member. The admin user may select from a list of pre-defined roles to assign to the user.
Assigning permission in the Share CLI
Using the Share CLI, an organization administrator with the appropriate permission may assign a user a custom role. For more information, visit the CLI documentation
policy.json
{ "name": "default", "capabilities": [ { "action": "ORG_GET", "resources": [ "OrganizationResource(730c2b51-7a7a-42a2-a192-8bef734a95a1)" ] }, { "action": "ORG_LIST_USERS", "resources": [ "OrganizationResource(730c2b51-7a7a-42a2-a192-8bef734a95a1)" ] }, { "action": "UNI_JOIN", "resources": ["UniResource(*.unis.acme.com#*)"] }, { "action": "UNI_CREATE", "resources": ["UniResource(*.unis.acme.com#*)"] }, { "action": "UNI_GET", "resources": ["VendiaResource(owned)", "UniResource(*.unis.acme.com#*)"] }, { "action": "UNI_MUTATE", "resources": ["VendiaResource(owned)"] }, { "action": "UNI_EVOLVE_SCHEMA", "resources": ["VendiaResource(owned)"] }, { "action": "UNI_INVITE", "resources": ["VendiaResource(owned)"] }, { "action": "UNI_RESET", "resources": ["VendiaResource(owned)"] }, { "action": "UNI_DELETE", "resources": ["VendiaResource(owned)"] }, { "action": "UNI_DELETE_NODE", "resources": ["VendiaResource(owned)"] }, { "action": "USER_INVITE", "resources": ["NameResource(*@*.*.*)"] } ]}
share auth role set ./policy.json --user test@acme.com
Types of Users and Default Roles
Often, Vendia Share users are referred to as “normal” or “administrator” depending on their privileges. However, the privileges of individual users may vary from company to company and even among accounts. For instance, an administrator for acme.com may decide that its users should not be permitted to call destroy
or reset
, because these actions potentially cause loss of data. Other companies may grant their users both privileges, or grant it only for unis in a development subdomain but not in the production subdomain.
Default users operating in the Vendia Share free tier have access to only the default namespace, *.unis.vendia.com
. Up to the available (per-user) limits, they can create new Unis and nodes in this namespace and have access to call any API on the Unis in which they own at least one node. Free tier users do not possess any user privileges except for the “built-in” right to view and update their own user account information and invite other free tier users to join their Unis.
The privileges of a default user operating under an enterprise agreement varies depending on the setup requested by the company’s Vendia account administrator. The initial user account created for enterprise agreements is typically an administrator account, with full permission to create new users and roles in one or more corporate-owned namespaces. For more information on enterprise configuration, contact Vendia sales or email support@vendia.net.
Role Based Row Level Security for Reads
NOTE: Available in SQL-Enabled Unis Only
Vendia Share supports role based row-level security (RLS), also known as conditional_roles
for reading data via GraphQL in SQL-Enabled Unis. RLS allows you to restrict read access to rows in an entity based on the role characteristics of the user executing a query.
Usage
To implement RLS, add conditions
to the DATA_ALL
or DATA_READ
policy definition in the role. These conditions complement existing permissions by adding an additional layer of filtering to restrict access based on specific criteria. They do not override other permissions but work in conjunction with them to refine access control.
policy.json
{ "DATA_ALL": { "action": "DATA_ALL", "resources": ["NameResource(*@acme.com)"], "conditions": [ { "entityName": "Inventory", "operation": "EQ", "key": "itemName", "value": "test_1" } ] }, "DATA_READ": { "action": "DATA_READ", "resources": ["NameResource(*@acme.com)"], "conditions": [ { "entityName": "Inventory", "operation": "EQ", "key": "itemName", "value": "test_1" } ] }}
Parameters
entityName
: The name of the entity in the Uni schema for which you want to restrict access.operation
: The operation to be performed on the entity. Currently, onlyEQ
(equals) is supported.key
: The name of the field in the entity on which the filter will be applied.value
: The value of the field on which the filter will be applied.
Warning: If the value of the
entityName
in theconditions
definition does not correctly match the entity in the system (e.g., due to a typo), theconditional_role
will be ignored, and the user will receive unfiltered data.
This behavior will not generate any error or warning in the logs. Users must carefully verify theirentityName
values to avoid unintended access.
The above condition will restrict the user to only read rows in the Inventory
entity where the itemName
is test_1
.
Users can create filters on multiple fields of the same entity, and this will result in itemName == test_1 AND color == black
.
policy.json
{ "DATA_ALL": { "action": "DATA_ALL", "resources": ["NameResource(*@acme.com)"], "conditions": [ { "entityName": "Inventory", "operation": "EQ", "key": "itemName", "value": "test_1" }, { "entityName": "Inventory", "operation": "EQ", "key": "color", "value": "black" } ] }}
Note: Refer to the warning above regarding typos in
entityName
values.
Limitations
- RLS is only supported in SQL-Enabled Unis.
- These conditions are applicable only to read operations, such as
get
orlist
queries. - These conditions do not apply to mutations (i.e.,
add
,remove
,create
,delete
,put
, orupdate
).- For example, if a user has a condition restricting read access to data in the
Inventory
entity with keyitemName
and valuetest_1
:- They will not see data in the
Inventory
entity whereitemName
istest_1
in query results. - However, they can still perform mutations on data in the
Inventory
entity whereitemName
istest_1
.
- They will not see data in the
- This means that while the user cannot view data within the restricted entity due to the conditions, they are still able to modify or delete data within the restricted entity if they have the appropriate mutation permissions.
- For example, if a user has a condition restricting read access to data in the
- Entity names must match exactly with the names defined in the schema.
- Typos or incorrect casing will cause the condition to be ignored.
- For example, if the entity name in the schema is
Inventory
, usinginventory
(lowercase) in the condition will cause it to be ignored.
User Deactivation
When a user account is deactivated, the user will no longer be able to log in to Vendia Share. However, any data or resources owned by the user will remain intact and accessible to other users with the appropriate permissions.
Required Permissions for User Deactivation
USER_ALL
orUSER_DEACTIVATE
permission is required to deactivate a user or view/get the list of deactivated users
policy.json
{ "USER_ALL": { "action": "USER_ALL", "resources": ["NameResource(*@acme.com)"], "conditions": [] }, "USER_DEACTIVATE": { "action": "USER_DEACTIVATE", "resources": ["OrganizationResource(730c2b51-7a7a-42a2-a192-8bef734a95a1)"], "conditions": [] }}
Steps to Deactivate a User from the Share UI
-
Navigate to the My Organization page.
-
On the Members overview page, click the member you want to deactivate.
-
Click the
Deactivate Member
button at the bottom of the User overview page of the user selected in the previous step.Note: The
Deactivate Member
button is visible only if the selected member is an active member. It will be hidden for inactive members or for users who lack theUSER_ALL
orUSER_DEACTIVATE
permissions. -
You will be prompted to confirm the deactivation. Type the email address of the member and click
Deactivate
to proceed.Important: Users cannot deactivate themselves even if they have the required permissions.
Steps to View Deactivated Users
Viewing deactivated users can help administrators manage user accounts effectively by identifying inactive members and ensuring proper access control.
- Navigate to the My Organization page.
- On the Members overview page, any user with
USER_ALL
orUSER_DEACTIVATE
permissions can view deactivated users by clicking theShow deactivated members
checkbox.Note: The checkbox is only visible if the current user has
USER_ALL
orUSER_DEACTIVATE
permissions.
User Reactivation
To reactivate a user, please contact Vendia support via support case or via email support@vendia.net. Include the user’s email address, organization ID, and a brief description of the reason for reactivation to expedite the process.