Role-Based Access Controls

Vendia Share provides comprehensive role-based access controls (RBAC) to enable administrators to control the actions users are permitted to take and the resources on which they can operate.

Vendia's RBAC system is designed to be both simple to use and highly secure. It enables system administrators to easily limit who can access their corporate data and code, constrain employee and business partner activities, and secure critical systems from accidental mishandling. Developers using Vendia Share's free tier, however, can largely ignore RBAC while learning the system, because default role permissions and automatic permission boundary management automates away most of the need for explicit permissions management in typical usage scenarios.

Scope of RBAC

RBAC modulates the interaction between Vendia Share users and Vendia Share APIs and resources. RBAC may be used to determine whether a Vendia Share user is permitted to access the data in a Uni. In addition, each Uni node possesses its own user identity and authorization mechanisms, which are outside the scope of RBAC.

Key Terms

  • Actions: Actions express the right to call one or more Vendia Share APIs. For example, USER_GET expresses the right to call the getUser GraphQL query in the Vendia Share API. For convenience, actions such as USER_ALL and UNI_ALL may be used to convey, "all user-related APIs" and "all Uni-related APIs", respectively.

  • Capabilities: A capability is a mapping from actions to sets of resources. For example, the default role for a user includes capabilities to create unis in the default Uni namespace and perform operations on unis in which the caller has at least one node.

  • Default Role: Each Vendia user is assigned a default role, which will be used to determine their capabilities for any API call not provided with an explicit role.

  • Resources: Resources determine the object(s) to which an action can be applied. (There may be more than one resource listed per action.) For example, an action such as UNI_GET might have two resources, test1.unis.vendia.net and test2.unis.vendia.net, permitting the owner of that role to access information about either the test1 or the test2 uni.

  • Roles: Roles are named sets of capabilities. When a call is made to any Vendia Share API, the caller's role is used to determine if the action is legal, i.e. whether the caller is authorized to perform it. A role can be provided explicitly; if no role is provided, the caller's default role will be used instead.

Actions

User Actions

Vendia Share supports the following actions on user accounts:

  • USER_GET: Permits calling getUser to retrieve user account details. USER_GET also determines which users are included when listing users.
  • USER_CREATE: Permits calling createUser, allowing the owner to make new accounts on the Vendia Share system.
  • USER_DELETE: Permits calling deleteUser, allowing the owner to remove existing accounts from the Vendia Share system.
  • USER_SET_EMAIL: Permits calling setUserEmail.
  • USER_SET_ROLE: Permits calling setUserRole, allowing the caller to assign new roles or replace existing roles for themselves or other users.
  • USER_DELETE_ROLE: Permits calling deleteUserRole, allowing the caller to remove roles from themselves or other users.
  • USER_INVITE: Permits the owner to invite users to join an existing Uni. Note that inviting a new node to join an existing uni requires two types of permission:
  • The right to call invite for the uni in question
  • The right to invite the user (owner) of the new node.
  • USER_ALL: Convenience setting - permits all of the user actions listed above.

Apart from USER_INVITE, user actions are typically reserved for administrators.

To comply with GDPR, CCPA, and similar regulations, every user on the Vendia system is automatically granted USER_GET and USER_SET_EMAIL for themselves; these rights cannot be removed.

Uni Actions

Vendia Share supports the following actions on Unis:

  • UNI_GET: Permits calling getUni to retrieve user account details. UNI_GET also determines which unis are included when listing unis.
  • UNI_CREATE: Permits calling register to create new unis.
  • UNI_DELETE: Permits calling destroy to delete existing unis.
  • UNI_RESET: Permits calling reset on an existing uni to reset it to its state immediately after initial deployment.
  • UNI_JOIN: Permits calling join to create a new node in an existing uni.
  • UNI_INVITE: Permits calling invite on an existing uni. Note that inviting a new node to join an existing uni requires two types of permission: the right to call invite for the uni in question and the right to invite the user (owner) of the new node.
  • UNI_DELETE_NODE: Permits calling leave on an existing uni. (Normally this is performed by the owner of the node, but RBAC can express the right to remove nodes owned by others.)
  • UNI_MUTATE: Grants access to update the Uni's settings
  • UNI_EVOLVE_SCHEMA: Permits updating the Uni's schema
  • UNI_ALL: Convenience setting - permits all of the uni actions listed above.

Organization Actions

Vendia Share supports the following actions on Organizations:

  • ORG_GET: Permits fetching an organization
  • ORG_LIST_USERS: Permits retrieving all of the users in the organization and their roles
  • ORG_ALL: Convenience setting - permits all of the org actions listed above

Data Actions

Vendia Share supports the following actions for data stored with a Node

  • DATA_READ: Permits reading the data in a Node (eg. executing queries/subscriptions)
  • DATA_ALL: Permits read/writing/admin access on data in a Node (eg. executing all queries and mutations)

Resource Formats

Name Resources

Vendia Share users are identified by the current email address associated with their Vendia account. '*' may be used as a wildcard, or to indicate that no subdomain is required. Examples:

  • mary@acme.com: user Mary in the acme.com domain
  • *@acme.com: any user in the acme.com domain
  • *@*.acme.com: same as the above
  • *@sub.acme.com: any user in the sub subdomain of acme.com.

All user commands (getuser, userSetEmail, etc.) require resources using name formats.

JSON Example:

{
  "action": "USER_ALL",
  "resources": ["NameResource(*@acme.com)"] // Access to all users with the acme.com domain
}

Uni Resources

Uni commands can take one of several forms:

  • Name Format: using a name format where a uni resource is expected has the meaning of "this user is an owner of at least one node in the Uni"

  • <UNI_NAME>.<SUBDOMAIN>.<DOMAIN>.<EXT>: the Uni's fully qualified name; '*' may be used as a wildcard for any portion of the name.

  • <UNI_NAME>.<SUBDOMAIN>.<DOMAIN>.<EXT>#<NODE_NAME>: a specific node in a Uni

  • mary@acme.com: any Uni where mary@acme.com owns at least one node

  • test.unis.acme.com: a Uni named test in the namespace operated by acme.com in the subdomain unis.

  • foo.*.acme.com#bar: the node bar in the uni foo in the namespace owned by Acme.com. The subdomain may be present or absent; either way it is ignored.

  • *.acme.com: every uni in the namespace owned by Acme.com.

JSON Example:

{
  "action": "UNI_GET",
  "resources": [
    "VendiaResource(owned)", // Access to all Unis that the user owns
    "UniResource(*.unis.acme.com)", // Access to all Unis in the unis.acme.com namespace
    "UniResource(my-uni.unis.foo.com)", // Specific access to my-uni.unis.foo.com
    "UniResourc(another-uni.unis.bar.com#NodeOne)" // Very specific access to a single Node in the Uni another-uni.unis.bar.com
  ]
}

Data Access

Data access requires the Vendia Resource path style:

  • <ORGANIZATION_ID>/<UNI_NAME>/<NODE_NAME>: This includes the unique organization ID, the Uni's fully qualified name, and the Node name. The wildcard /* may be used in any portion of the name.

JSON Example:

// Acme's organization ID is 730c2b51-7a7a-42a2-a192-8bef734a95a1
// Foo's organization ID is 2fa4bc9d-7d62-4ad6-8d07-4b021bce762b
{
  "action": "DATA_READ",
  "resources": [
    "VendiaResource(730c2b51-7a7a-42a2-a192-8bef734a95a1/my-uni.unis.acme.com/*)", // Access to all Nodes owned by Acme in the my-uni.acme.com Uni
    "VendiaResource(730c2b51-7a7a-42a2-a192-8bef734a95a1/another-uni.unis.acme.com/NodeOne)" // Access to only NodeOne in the another-uni.acme.com Uni
    "VendiaResource(2fa4bc9d-7d62-4ad6-8d07-4b021bce762b/*)" // Access to all Nodes owned by Foo in all of Foo's Unis
  ]
}

Permission Boundaries

Vendia Share's RBAC system includes a built-in permission boundary feature that prevents escalation of privileges. Permission boundaries impact administrative features, such as USER_SET_ROLE. Without a permission boundary, users would be allowed to escalate their privileges.

To prevent this from happening, the effect of calling setUserRole is required to be a subset of the role of the caller. In other words, users cannot create or alter roles to be more powerful than themselves. As an example, an administrator with UNI_ALL: *.*.acme.com rights would be allowed to grant UNI_GET: test1.*.acme.com to another user (or themselves), but could not grant UNI_GET: test1.*.other_domain.com to any user.

Permission boundaries are enforced automatically - no user action is required.

Assigning permissions in the Share UI

An organization administrator with the appropriate permissions may modify other users' roles in the Share UI by navigating to My Organization > Members > Select Member. The admin user may select from a list of pre-defined roles to assign to the user.

Screenshot of user permissions view in the Share UI

Assigning permission in the Share CLI

Using the Share CLI, an organization administrator with the appropriate permission may assign a user a custom role. For more information, visit the CLI documentation

policy.json

{
  "name": "default",
  "capabilities": [
    {
      "action": "ORG_GET",
      "resources": [
        "OrganizationResource(730c2b51-7a7a-42a2-a192-8bef734a95a1)"
      ]
    },
    {
      "action": "ORG_LIST_USERS",
      "resources": [
        "OrganizationResource(730c2b51-7a7a-42a2-a192-8bef734a95a1)"
      ]
    },
    {
      "action": "UNI_JOIN",
      "resources": ["UniResource(*.unis.acme.com#*)"]
    },
    {
      "action": "UNI_CREATE",
      "resources": ["UniResource(*.unis.acme.com#*)"]
    },
    {
      "action": "UNI_GET",
      "resources": [
        "VendiaResource(owned)",
        "UniResource(*.unis.acme.com#*)"
      ]
    },
    {
      "action": "UNI_MUTATE",
      "resources": ["VendiaResource(owned)"]
    },
    {
      "action": "UNI_EVOLVE_SCHEMA",
      "resources": ["VendiaResource(owned)"]
    },
    {
      "action": "UNI_INVITE",
      "resources": ["VendiaResource(owned)"]
    },
    {
      "action": "UNI_RESET",
      "resources": ["VendiaResource(owned)"]
    },
    {
      "action": "UNI_DELETE",
      "resources": ["VendiaResource(owned)"]
    },
    {
      "action": "UNI_DELETE_NODE",
      "resources": ["VendiaResource(owned)"]
    },
    {
      "action": "USER_INVITE",
      "resources": ["NameResource(*@*.*.*)"]
    }
  ]
}
share auth role set ./policy.json --user test@acme.com

Types of Users and Default Roles

Often, Vendia Share users are referred to as "normal" or "administrator" depending on their privileges. However, the privileges of individual users may vary from company to company and even among accounts. For instance, an administrator for acme.com may decide that its users should not be permitted to call destroy or reset, because these actions potentially cause loss of data. Other companies may grant their users both privileges, or grant it only for unis in a development subdomain but not in the production subdomain.

Default users operating in the Vendia Share free tier have access to only the default namespace, *.unis.vendia.com. Up to the available (per-user) limits, they can create new Unis and nodes in this namespace and have access to call any API on the Unis in which they own at least one node. Free tier users do not possess any user privileges except for the "built-in" right to view and update their own user account information and invite other free tier users to join their Unis.

The privileges of a default user operating under an enterprise agreement varies depending on the setup requested by the company's Vendia account administrator. The initial user account created for enterprise agreements is typically an administrator account, with full permission to create new users and roles in one or more corporate-owned namespaces. For more information on enterprise configuration, contact Vendia sales or email support@vendia.net.