Roles and Policies

Roles and Policies are used to implement access restrictions within Ubiquity Dashboard and Carbon Editor. Within Ubiquity Dashboard, roles and policies are used to restrict a user's access to a specific app.

When a new app user is invited, the relevant role should be applied. The role defines which Ubiquity app the user has access to.

To make sure Roles and Policies work correctly for the app user, do the following:

Creating Roles and Policies

  1. First, create a policy

  2. Go to Access Management and click on policies

  3. Click on Add a policy

  4. Add a name and click on add policy

  5. Click on view detail

  6. Click on Edit details and policy statements

  7. This opens a text editor

  8. Add the JSON text
    Example:

    {
        "schema": "1.0",
        "statements": [
            {
                "sid": "s0-ubi-view-apps",
                "effect": "allow",
                "actions": [
                    "list"
                ],
                "resources": [
                    "lg:*:cms:st:app/*"
                ],
                "conditions": [
                    {
                        "op": "in",
                        "val": [
                            "Test-app"
                        ],
                        "attr": "$resource.attr.slug"
                    }
                ]
            }
        ]
    }

 

Here under resources you 

 "lg:*:cms:shg:app/*"

Here, LG is the identifier

* - the wildcard for organisation

CMS - Ubiquity

SHG - the organisation slug

App - the object type (an app in Ubiquity)

The second * - the object identifier, here the wildcard used for listing

On its own, this would say that you can list all of the apps.

But then you add a condition:

    "conditions": [
        {
            "op": "in",
            "val": [
                "Test-app"
            ],
            "attr": "$resource.attr.slug"
        }
    ]

The condition is applied to an attribute of the resource.

The condition says that you are able to see only one thing: one app.

The val holds the slug of the app.

How to find the slug:

  1. Current way - work it out from the app name: the slug is the app name in lowercase, with spaces replaced by hyphens

A policy and a role are needed per app, since the policy is attached to the role.

 

Next, create the role:

  • The role name should ideally be consistent

  • App name + editor is a good naming structure

  • Once created, view the details of the role

  • You can see that there are no policies attached

  • So click on manage policy

  • Here you can add the policy you created and save it

 

USER MANAGEMENT

  • Invite people as product admin, to control access to managing roles and policies.

  • While inviting, you can add the role and save it, so it gets applied automatically.

 

If you want one role and policy to provide access restrictions to multiple apps, add all the apps that need restriction under conditions:

    "conditions": [
        {
            "op": "in",
            "val": [
                "test-app",
                "second-test-app"
            ],
            "attr": "$resource.attr.slug"
        }
    ]
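As an added example (not part of the original page or the product's own tooling), the Python below builds the policy structure shown on this page from app names using the slug rule given above, and checks a policy for the over-broad case the page describes: a wildcard app resource with no slug condition. The function names are hypothetical, the app names are constructed, and treating slug matching as exact is an assumption.

```python
import json

SLUG_ATTR = "$resource.attr.slug"

def app_slug(app_name):
    # Slug rule as stated on this page: lowercase, spaces become hyphens.
    return app_name.lower().replace(" ", "-")

def build_policy(org_slug, app_names, sid="s0-ubi-view-apps"):
    """Build a list-only policy limited to the given apps (page's structure)."""
    return {
        "schema": "1.0",
        "statements": [{
            "sid": sid,
            "effect": "allow",
            "actions": ["list"],
            "resources": [f"lg:*:cms:{org_slug}:app/*"],
            "conditions": [{
                "op": "in",
                "val": [app_slug(name) for name in app_names],
                "attr": SLUG_ATTR,
            }],
        }],
    }

def lint_policy(policy):
    """Return findings for allow statements that are broader than intended."""
    findings = []
    for st in policy.get("statements", []):
        sid = st.get("sid", "<no sid>")
        if st.get("effect") != "allow":
            continue
        wildcard = any(r.endswith("/*") for r in st.get("resources", []))
        slug_conds = [c for c in st.get("conditions", [])
                      if c.get("op") == "in" and c.get("attr") == SLUG_ATTR]
        if wildcard and not slug_conds:
            findings.append(f"{sid}: wildcard resource without a slug condition")
        for cond in slug_conds:
            for val in cond.get("val", []):
                # Assumption: slug matching is exact, so flag non-slug values.
                if val != app_slug(val):
                    findings.append(f"{sid}: {val!r} is not in slug form")
    return findings

if __name__ == "__main__":
    # Constructed app names; "shg" is the organisation slug used on this page.
    policy = build_policy("shg", ["Test App", "Second Test App"])
    print(json.dumps(policy, indent=4))
    print(lint_policy(policy) or "no findings")
```

Running the check before pasting a policy into the editor catches a dropped conditions block, which would otherwise leave the statement listing every app.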

 

 


Unless otherwise indicated in the Overview page of this WIKI the information contained within this space is Classified according to the /wiki/spaces/ISMS/pages/739344530 as

INTERNAL