Control resource access with Access Filters
An Access Filter is an IAM resource that defines a permission boundary for access requests. Access filters can be applied to certain types of entities, including:
- Realms
- Users
- Apps
- Roles
In the closed organization setting, admins must add at least one access filter before any identity can access resources and services. Additionally, access filters can only grant access to an organization's subscribed resources and services.
Admins can assign up to five Access Filters to an individual identity.
Behavior
When an identity restricted with an Access Filter makes an access request, the request must pass one of the filters in order to continue through the evaluation process.
An Access Filter contains a list of statements that determine how it evaluates access requests. The following table gives an outline of a statement:
| Property | Description |
|---|---|
| permissions | One of unscoped, scoped, or linkable. • unscoped provides access to services and resources outside of projects. • scoped only provides access to services and resources linked or created in projects. • linkable designates services and resources available to be linked to projects for scoped access. |
| service | The serviceId sent in the access request. |
| action | The action sent in the access request. A filter should have one of either action or actionAccessLevel. |
| actionAccessLevel | The access level of the action in the request. A filter should have one of either action or actionAccessLevel. |
| resource | Optional. The resource in the access request. |
| scope | Optional. The scope of the access request. |
| evaluate | This statement determines whether to evaluate the permissions that match. Available values are true or false. |
| priority | An integer representing the statement priority. Possible values range from 0 to 1000, with 1000 being the highest priority. |
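A small linter for filter definitions, checking each statement against the properties in the table above (permission category, exactly one of action or actionAccessLevel, boolean evaluate, priority in 0..1000) and the five-filters-per-identity limit. This is an added example written for this page, not HERE platform tooling; the JSON examples later on this page spell the action key as a list named "actions", so the linter accepts that spelling as well as the singular "action" from the table, and the sample statements below are constructed.

```python
"""Lint Access Filter statements against the properties described on this page.
Added illustration, not HERE platform code."""

CATEGORIES = {"unscoped", "scoped", "linkable"}
PRIORITY_RANGE = range(0, 1001)          # 0..1000, 1000 is the highest priority
MAX_FILTERS_PER_IDENTITY = 5             # stated limit on this page


def validate_statement(stmt):
    """Return a list of problems found in one statement (empty list means OK)."""
    problems = []
    if stmt.get("permissions") not in CATEGORIES:
        problems.append("permissions must be one of unscoped, scoped, linkable")
    if not stmt.get("service"):
        problems.append("service (the serviceId) is required")
    # The table asks for exactly one of action / actionAccessLevel. The page's own
    # JSON examples use a list named "actions", so that spelling is accepted too.
    has_action = "action" in stmt or "actions" in stmt
    has_level = "actionAccessLevel" in stmt
    if has_action == has_level:
        problems.append("exactly one of action/actions or actionAccessLevel is required")
    if not isinstance(stmt.get("evaluate"), bool):
        problems.append("evaluate must be true or false")
    prio = stmt.get("priority")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(prio, bool) or not isinstance(prio, int) or prio not in PRIORITY_RANGE:
        problems.append("priority must be an integer from 0 to 1000")
    return problems


def validate_filter(flt):
    """Map statement index -> problems, for every statement that has any."""
    return {i: p for i, s in enumerate(flt.get("statements", [])) if (p := validate_statement(s))}


def broad_allow_statements(flt):
    """Indexes of statements that allow (evaluate=true) with wildcard service and action.
    These are the lines a reviewer looks at first when auditing a custom filter."""
    hits = []
    for i, s in enumerate(flt.get("statements", [])):
        actions = s.get("actions", [s.get("action")])
        if s.get("evaluate") is True and s.get("service") == "*" and "*" in actions:
            hits.append(i)
    return hits


def validate_identity_assignment(filters):
    """Problems with the set of filters assigned to one identity."""
    problems = []
    if len(filters) > MAX_FILTERS_PER_IDENTITY:
        problems.append(f"{len(filters)} filters assigned, limit is {MAX_FILTERS_PER_IDENTITY}")
    if not filters:
        problems.append("no access filter assigned; in a closed organization nothing is reachable")
    return problems


# Constructed sample statements (not from the page).
GOOD_STMT = {"permissions": "scoped", "service": "example-service", "actions": ["read"],
             "scope": "*", "evaluate": True, "priority": 10}
BAD_STMT = {"permissions": "all", "service": "*", "action": "read",
            "actionAccessLevel": "read", "evaluate": "yes", "priority": 5000}
WIDE_OPEN = {"permissions": "unscoped", "service": "*", "actions": ["*"],
             "evaluate": True, "priority": 0}
SAMPLE_FILTER = {"name": "sample", "statements": [GOOD_STMT, BAD_STMT, WIDE_OPEN]}

if __name__ == "__main__":
    for idx, probs in validate_filter(SAMPLE_FILTER).items():
        print(f"statement {idx}: {'; '.join(probs)}")
    print("broad allow statements:", broad_allow_statements(SAMPLE_FILTER))
    print(validate_identity_assignment([SAMPLE_FILTER] * 6))
```

Running the module lists the four defects in the constructed BAD_STMT, points at the wildcard allow statement, and flags an identity that has six filters assigned.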
Every access request is checked against any applicable Access Filters. This includes any Access Filter attached to the requester, the requester's realm, or any of the requester's roles.
Each statement in the Access Filter that matches the requested service, action, resource, and scope is collected and sorted according to the configured priority value. The statement with the highest priority is then used to evaluate the request. If this statement's evaluate value is true, the statement's corresponding permissions category is evaluated in the access request. Otherwise, the category is skipped.
If multiple statements match, and all have the same priority, but have different values for evaluate, whichever evaluation returns true takes precedence over the others, and that category of permissions is evaluated.
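A model of the evaluation described in the three paragraphs above, written as an added example for this page (it is not HERE platform code). It collects every matching statement across all filters attached to an identity, then applies the priority rule and the tie rule. Two points are assumptions of this model rather than statements from the page: the highest-priority statement is chosen separately for each permissions category, and a statement without a resource or scope key matches only requests that also lack that field (mirroring the "with resource" / "without resource" statement pairs in the examples further down). Wildcards are matched glob-style. The Strict, Open and Closed filters below are compact reconstructions of the page's JSON examples; the custom filters, service name and request values are constructed.

```python
"""Access Filter statement evaluation as described on this page.
Added illustration, not HERE platform code; see the lead-in for assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Request:
    service: str
    action: str
    resource: Optional[str] = None
    scope: Optional[str] = None       # None means an unscoped request


def stmt(permissions, evaluate, *, resource=False, scope=False,
         priority=0, service="*", action="*"):
    """Build one statement in the shape used by the page's JSON examples."""
    s = {"permissions": permissions, "service": service, "actions": [action],
         "evaluate": evaluate, "priority": priority}
    if resource:
        s["resource"] = "*"
    if scope:
        s["scope"] = "*"
    return s


def statement_matches(s, req):
    """Does this statement apply to the request? (assumption: glob wildcards)"""
    if not fnmatchcase(req.service, s["service"]):
        return False
    if not any(fnmatchcase(req.action, a) for a in s["actions"]):
        return False
    for key in ("resource", "scope"):
        value = getattr(req, key)
        if key in s:                       # statement requires the field
            if value is None or not fnmatchcase(value, s[key]):
                return False
        elif value is not None:            # statement is for requests without it
            return False
    return True


def evaluated_categories(filters, req):
    """Permission categories (unscoped/scoped/linkable) that will be evaluated
    for the request, given every filter attached to the requester, its realm
    and its roles."""
    matched = [s for f in filters for s in f["statements"] if statement_matches(s, req)]
    result = set()
    for category in ("unscoped", "scoped", "linkable"):
        cands = [s for s in matched if s["permissions"] == category]
        if not cands:
            continue                                    # nothing matched: skipped
        top = max(s["priority"] for s in cands)         # highest priority wins
        # Equal priority but different evaluate values: true takes precedence.
        if any(s["evaluate"] for s in cands if s["priority"] == top):
            result.add(category)
    return result


# Reconstructions of the page's platform filters.
STRICT = {"name": "Strict", "statements": [
    stmt("unscoped", True, resource=True), stmt("unscoped", True),
    stmt("scoped", True, resource=True, scope=True), stmt("scoped", True, scope=True),
    stmt("linkable", False, resource=True, scope=True), stmt("linkable", False, scope=True),
    stmt("linkable", False, resource=True), stmt("linkable", False)]}
OPEN = {"name": "Open", "statements": [
    stmt(cat, True, resource=r, scope=sc)
    for cat in ("unscoped", "scoped", "linkable") for r in (False, True) for sc in (False, True)]}
CLOSED = {"name": "Closed", "statements": [dict(s, evaluate=False) for s in STRICT["statements"]]}

# Constructed custom filters: a deny for unscoped reads of one service, at
# priority 10 (outranks Strict's priority-0 allow) and at priority 0 (ties it).
DENY_HIGH = {"name": "deny-reads-p10", "statements": [
    stmt("unscoped", False, resource=True, service="example-service", action="read", priority=10)]}
DENY_TIE = {"name": "deny-reads-p0", "statements": [
    stmt("unscoped", False, resource=True, service="example-service", action="read")]}

# Constructed requests.
REQ_UNSCOPED = Request("example-service", "read", resource="hrn:example:catalog/1")
REQ_SCOPED = Request("example-service", "read", resource="hrn:example:catalog/1",
                     scope="hrn:example:project/1")

if __name__ == "__main__":
    print("strict, unscoped request:", evaluated_categories([STRICT], REQ_UNSCOPED))
    print("strict, scoped request:  ", evaluated_categories([STRICT], REQ_SCOPED))
    print("open, unscoped request:  ", evaluated_categories([OPEN], REQ_UNSCOPED))
    print("strict + p10 deny:       ", evaluated_categories([STRICT, DENY_HIGH], REQ_UNSCOPED))
    print("strict + p0 deny (tie):  ", evaluated_categories([STRICT, DENY_TIE], REQ_UNSCOPED))
```

The last two lines are the ones worth studying: a custom deny only overrides a platform allow when its priority is strictly higher, because at equal priority the page's tie rule makes the allowing statement win.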
Access Filter Types
Three types of access filters can be assigned to an identity. Each identity can have a maximum of five filters, but this can include any combination of the three filter types.
Platform Access Filters
Predefined access filters are the default filters on the HERE platform. These filters are based on roles assignable to users or apps, such as OrgAdmin or ResourceManager, and reflect the abilities and restrictions of those roles.
"open", "strict", and "closed" filters are also categorized as platform access filters and these can be attached to users or apps as well.
Custom Access Filters
Custom Access Filters offer more granular and expressive control over the resources and services that an identity can access. For example, you can use the wildcard character * in a filter statement to evaluate an identity's ability to access any or all of the resources, actions, or services available in a realm. This includes any resource or service available to the organization via a subscription.
Virtual Access Filters
Virtual Access Filters use subscription information to enable the creation of an access filter without designating the resources or services to be provided. If an organization has multiple subscriptions, each subscription can have its own virtual access filter.
Filter Assignment
Access filters can be assigned based on an entity's organization, role type, or directly to the entity itself.
- Org - Realm-based filters are also known as organization settings. The three available access filters are open, strict, and closed.
- User/App - Direct assignment of access filters to users and AppIDs by using any of the three access filter types as shown in the section above. Up to 5 access filters can be assigned to an identity.
- Role - Pre-defined access filters for roles that are automatically provided to a user/app when a role is assigned to that identity. For example, an OrgAdmin will have the Org level access filter of “Strict”, and so any user or app with this role will have access to all resources and services available in the realm. Other roles have their access as described by the permissions provided here. These access filters are predefined and cannot be edited.
Examples
Strict
The following example demonstrates the behavior of a system set to strict, wherein any unscoped request only evaluates unscoped permissions, and scoped requests only evaluate scoped permissions. The linkable permission type is never evaluated in any direct decision call.
```json
{
  "hrn": "hrn:here:authorization::HERE:platform:filter/strict",
  "name": "Strict",
  "statements": [
    {
      "description": "Allow unscoped permissions for any unscoped request with resource",
      "permissions": "unscoped",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow unscoped permissions for any unscoped request without resource",
      "permissions": "unscoped",
      "service": "*",
      "actions": ["*"],
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow scoped permissions for any scoped request with resource",
      "permissions": "scoped",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "scope": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow scoped permissions for any scoped request without resource",
      "permissions": "scoped",
      "service": "*",
      "actions": ["*"],
      "scope": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Deny linkable permissions for any scoped request with resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "scope": "*",
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny linkable permissions for any scoped request without resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "scope": "*",
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny linkable permissions for any unscoped request with resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny linkable permissions for any unscoped request without resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "evaluate": false,
      "priority": 0
    }
  ],
  "type": "here-platform"
}
```
Default Allow
This filter gives any request, whether scoped or unscoped, access to all three categories of available privileges.
```json
{
  "hrn": "hrn:here:authorization::HERE:platform:filter/open",
  "name": "Open",
  "statements": [
    {
      "description": "Allow unscoped permissions for any unscoped request without resource",
      "permissions": "unscoped",
      "service": "*",
      "actions": ["*"],
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow scoped permissions for any unscoped request without resource",
      "permissions": "scoped",
      "service": "*",
      "actions": ["*"],
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow linkable permissions for any unscoped request without resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow unscoped permissions for any unscoped request with resource",
      "permissions": "unscoped",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow scoped permissions for any unscoped request with resource",
      "permissions": "scoped",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow linkable permissions for any unscoped request with resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow unscoped permissions for any scoped request without resource",
      "permissions": "unscoped",
      "service": "*",
      "actions": ["*"],
      "scope": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow scoped permissions for any scoped request without resource",
      "permissions": "scoped",
      "service": "*",
      "actions": ["*"],
      "scope": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow linkable permissions for any scoped request without resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "scope": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow unscoped permissions for any scoped request with resource",
      "permissions": "unscoped",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "scope": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow scoped permissions for any scoped request with resource",
      "permissions": "scoped",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "scope": "*",
      "evaluate": true,
      "priority": 0
    },
    {
      "description": "Allow linkable permissions for any scoped request with resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "scope": "*",
      "evaluate": true,
      "priority": 0
    }
  ],
  "type": "here-platform"
}
```
Default Deny
This filter denies all access, both scoped and unscoped, to any request seeking access to the three categories of available privileges.
```json
{
  "hrn": "hrn:here:authorization::HERE:platform:filter/closed",
  "name": "Closed",
  "statements": [
    {
      "description": "Deny unscoped permissions for any unscoped request with resource",
      "permissions": "unscoped",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny unscoped permissions for any unscoped request without resource",
      "permissions": "unscoped",
      "service": "*",
      "actions": ["*"],
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny scoped permissions for any scoped request with resource",
      "permissions": "scoped",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "scope": "*",
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny scoped permissions for any scoped request without resource",
      "permissions": "scoped",
      "service": "*",
      "actions": ["*"],
      "scope": "*",
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny linkable permissions for any scoped request with resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "scope": "*",
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny linkable permissions for any scoped request without resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "scope": "*",
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny linkable permissions for any unscoped request with resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "resource": "*",
      "evaluate": false,
      "priority": 0
    },
    {
      "description": "Deny linkable permissions for any unscoped request without resource",
      "permissions": "linkable",
      "service": "*",
      "actions": ["*"],
      "evaluate": false,
      "priority": 0
    }
  ],
  "type": "here-platform"
}
```