Manage permissions and organization settings
Requests, permissions, and organizational settings provide you with a way of managing access for your users and apps in your organization.
Service requests
There are two types of requests that can be made to HERE platform services:
Permissions
There are three types of permissions controlling access to the HERE platform:
- unscoped - Provides access to services and resources outside of projects.
- scoped - Provides access to services and resources linked or created in projects.
- linkable - Represents services and resources available to be linked to projects for scoped access.
Organization settings
These settings define which categories of permissions are available in which types of requests for users and apps in your organization.
There are three options available:
- open
- strict
- closed
Open
With the open setting enabled:
All users and apps in your organization have access to all services and resources which are available to your organization through your subscriptions.
Unscoped requests can access:
- services and resources available by unscoped permissions.
- services and resources available by project scoped permissions for any project of which the caller is a member.
- services and resources available by linkable permissions (even if they aren't linked to any projects).
Scoped requests can access:
- services and resources available by unscoped permissions.
- services and resources available by scoped permissions of the scoped project.
- services and resources linkable to the scoped project (even if they aren't linked to any projects).
Note
You can restrict a user's access within a project without affecting the organization's behavior. The user can continue to access all resources added to the organization. You can also continue to use projects to track usage for resources within the project.
Strict
Caution
The strict setting is intended for users who are familiar with the HERE platform and the constructs of projects, and who require additional access control for resources.
With the strict setting enabled:
All users and apps in your organization can access all services and resources that are available to your organization through your subscriptions. In most cases, properly configuring projects and using the correct project scoped request is a requirement.
- Unscoped requests can be used to access services and resources available using unscoped permissions.
- Scoped requests can be used to access services and resources available through scoped permissions of the scoped project.
Access to services and resources available only by linkable permissions requires correctly configuring a project, linking the resource to the project, and adding the correct project members.
This setting provides powerful granular control to administrators and resource owners within your organization to limit which users or apps can access services and resources.
Projects allow for a demarcation between user access for resources. This allows an org admin to separate resources so that only specific users and apps can have access to specific resources. Examples:
- You need to restrict specific resources to one project for cost purposes. For example, when you restrict a resource (pipeline, catalog, service, and schema) such as HERE Map Attributes, it is only available to the app IDs linked to this project. You get a "deny decision" if you are not using a project scoped token to access this service.
- You need to restrict users from accessing resources within a project. If a user is not added to a project when using strict org settings, that user isn't able to access the resources linked to that project.
Note
Users with admin privileges can always create their own separate projects and add resources to that project to access those resources.
Closed
Note
If the closed setting is enabled, all users and apps in your organization are, by default, restricted from accessing any resources or services. Any resources and services available through the organization subscription can only be provided to identities through access filters.
By default, closed organization settings perform the following actions:
- Block all access by all identities using any unscoped or scoped request.
- Require an identity to be explicitly assigned an Access Filter to override this block.
- Org Admin and other roles already have some overrides built in via Access Filters assigned to the role.
- Access Filters may be assigned to Users or Apps.
For more information about Access Filters, see the documentation.
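The open, strict and closed rules described above, modeled as an added Python example for reviewing or regression-testing an access design; it is not HERE platform code and calls no HERE API. The `Resource` and `Caller` classes and the project and app names are hypothetical, and it assumes that a scoped request can only be made by a member of the scoped project and that an Access Filter can be represented as a set of resource names.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    permission: str                               # "unscoped" | "scoped" | "linkable"
    projects: set = field(default_factory=set)    # projects it is created in or linked to

@dataclass
class Caller:
    name: str
    member_of: set = field(default_factory=set)   # project memberships
    filters: set = field(default_factory=set)     # resources granted by an Access Filter (assumed shape)

def decide(setting, caller, res, scope=None):
    """Return True (allow) or False (deny). scope=None is an unscoped request;
    scope="<project>" is a request scoped to that project."""
    if setting == "closed":
        # Every request is blocked unless an Access Filter overrides the default.
        return res.name in caller.filters
    if scope is not None and scope not in caller.member_of:
        return False  # assumption: scoped requests require project membership
    if setting == "open":
        if res.permission in ("unscoped", "linkable"):
            return True  # linkable resources are reachable even when not linked
        if scope is None:
            return bool(res.projects & caller.member_of)
        return scope in res.projects
    if setting == "strict":
        if scope is None:
            return res.permission == "unscoped"
        # Scoped request: only resources created in or linked to that project.
        return res.permission in ("scoped", "linkable") and scope in res.projects
    raise ValueError(f"unknown organization setting: {setting}")

# Constructed sample data (project and app names are hypothetical).
ATTRS = Resource("HERE Map Attributes", "linkable", {"billing-proj"})
APP_A = Caller("app-a", member_of={"billing-proj"})
APP_B = Caller("app-b")

def matrix(caller, res, project):
    """Decision for every setting and request type, keyed by (setting, request)."""
    return {(s, kind): decide(s, caller, res, sc)
            for s in ("open", "strict", "closed")
            for kind, sc in (("unscoped", None), ("scoped", project))}

if __name__ == "__main__":
    for who in (APP_A, APP_B):
        for key, allowed in matrix(who, ATTRS, "billing-proj").items():
            print(who.name, *key, "allow" if allowed else "deny")
```

Comparing the matrix for a project member and a non-member shows which requests start returning deny decisions when an organization moves from open to strict.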