From 7117143b203296a09334fa5970f6a8e110b5bd8c Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Tue, 19 Nov 2024 17:21:51 +0100 Subject: [PATCH 01/14] feat(fine-grain-rbac): Doc fine-grain RBAC --- .../api-design/limit-user-actions.md | 188 ++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100644 docs/development_suite/api-console/api-design/limit-user-actions.md diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md new file mode 100644 index 0000000000..01e8f9be20 --- /dev/null +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md 
@@ -0,0 +1,188 @@ +# Granular role-based access control + +This feature introduces a mechanism for managing user interactions within the application by restricting specific actions based on user roles and specified rules. + +If a user try to save a configuration after performing some changes that are forbidden by the configured the rules, the saving is blocked and an error is returned. + +*Rules* and *user roles* can be configured at both the Project and the Company levels. +The following logic is applied: + +- **Rules**: project and company rules are combined together without conflict, as only disallow rules are used. +- **User Roles**: If a user has roles assigned at the project level, only those roles are applied. If no project-level roles are assigned, the roles defined at the company level are used instead. + +## Configuration definition + +To enable this feature the `project` or `tenant` `configurationManagement.saveChangesRules` field of the configuration must be set with a list of objects with the following structure: + +| Field | Type | Description | Optional | +| ------------------- | ----------- | --------------------------------------------- | -------- | +| `disallowedRuleSet` | `RuleSet[]` | list of rules that prohibit a specific action | ❌ | +| `roleIds` | `String[]` | List of user roles to which the rules apply | ❌ | + +The `RuleSet` object has these fields: + +| Field | Type | Description | Optional | +| ------------------- | ------------------ | --------------------------------------------------------------- | -------- | +| `jsonPath` | `String` | JSONPath of the resource on which the action must be prevented. 
| ✅ | +| `processingOptions` | `ProcessingOption` | Additional options of the rule | ✅ | +| `ruleId` | `String` | Reference a to a rule from a predefined set | ✅ | + +___ +A `disallowedRuleSet` can be configured in 3 ways: + +- [Via `jsonPath`](#via-jsonpath) +- [Via `jsonPath` and `processingOptions`](#via-jsonpath-and-processingoptions) +- [Via `ruleId`](#via-ruleid) + +### Via `jsonPath` + +The `jsonPath` field is used to extract the target resource. On this resource the edit operation is prevented. + +### Via `jsonPath` and `processingOptions` + +- The `jsonPath` is used to extract the target resource. +- The `processingOptions` define the `action` (`create`, `delete`) to prevent on the resource. If the resource captured by the jsonPath are of array type, the field `primaryKey` must be specified. + +The `ProcessingOption` object has the following structure: + +| Field | Type | Description | Optional | +| ------------ | ---------- | ---------------------------------------------------------------------------------------------------- | -------- | +| `action` | `string[]` | Action to be prevented on the resource defined via the jsonPath. Possible values: `create`, `delete` | ❌ | +| `primaryKey` | `String` | Primary key of the resource captured by the jsonPath. Mandatory if resource is of array type | ✅ | + +### Via `ruleId` + +The `ruleId` references a rule from a predefined set of rules, that define a specific behavior. 
+ +**The available `ruleIds` are**: + +| `ruleId` | Description | +| ------------------------- | --------------------------------------------------------------------------------------------------- | +| `endpoints.security.edit` | block edit of the fields [`public`, `acl`, `secreted`] of `endpoints` and `routes` inside endpoints | +| | | + +## Configuring Rules Via API + +### Updating rules on a Project + +The API for updating the rules on a Project is defined as follows + +> **NOTE** +> This API is meant for internal use and will be subject to breaking changes. +> + +#### Request + +- verb: `PATCH` +- path: `/api/backend/projects/:projectId/rules` + +**Authentication required** + +##### Body + +The **body** of the request has the structure described in [Configuration definition](#configuration-definition) + +### Updating rules on a Company + +The API for updating the rules on a Companty is defined as follows. + +> **NOTE** +> This API is meant for internal use and will be subject to breaking changes. 
+> + +#### Request + +- verb: `PATCH` +- path: `/api/backend/tenants/:tenantId/rules` + +Authentication required + +##### Body + +The **body** of the request the structure described in [Configuration definition](#configuration-definition) + +### Examples + +Here are some examples of request bodies for updating Project or Company rules (the body is the same for the two API) + +Prevent edit of the `dockerImage` of all services to the role `maintainer` + +```json +{ + "configurationManagement": { + "saveChangesRules": [ + { + "disallowedRuleSet": [ + { + "jsonPath": "$.services.*.dockerImage" + }, + ], + "roleIds": [ + "maintainer" + ] + } + ] + } +} +``` + +Prevent creation of the resource `secrets` to the role `maintainer` + +```json +{ + "configurationManagement": { + "saveChangesRules": [ + { + "disallowedRuleSet": [ + { + "jsonPath": "$.collections", + "processingOptions": { + "action": "create" + } + } + ], + "roleIds": ["maintainer"] + } + ] + } +} +``` + +Through jsonpath syntax, more complex rules can be configured. The following rule for example prevent the creation of a services of a specific type (`custom-resource`) to the role `maintainer` + +```json +{ + "configurationManagement": { + "saveChangesRules": [ + { + "disallowedRuleSet": [ + { + "jsonPath": "$.services.[?(@.type==\"cursom-resource\")]", + "processingOptions": { "action": "create" } + } + ], + "roleIds": ["maintainer"] + } + ] + } +} +``` + +Configure the predefined rule with `ruleId` "endpoints.security.edit" to the role `maintainer` + +```json +{ + "configurationManagement": { + "saveChangesRules": [ + { + "disallowedRuleSet": [ + { + "ruleId": "endpoints.security.edit" + } + ], + "roleIds": ["maintainer"] + } + ] + } +} +``` From bfdb61a55ea55e2949c4398cef2a66ed31884f56 Mon Sep 17 00:00:00 2001 
From: Guido Zoli Date: Tue, 19 Nov 2024 17:26:13 +0100 Subject: [PATCH 02/14] feat(fine-grain-rbac): small fix --- .../api-console/api-design/limit-user-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md index 01e8f9be20..a56967659a 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md @@ -95,7 +95,7 @@ The API for updating the rules on a Companty is defined as follows. - verb: `PATCH` - path: `/api/backend/tenants/:tenantId/rules` -Authentication required +**Authentication required** ##### Body From c5bd141cef582e41503f18e78f2e81ab1cc0cd21 Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Wed, 20 Nov 2024 10:16:56 +0100 Subject: [PATCH 03/14] feat(fine-grain-rbac): added Closed Preview Info message --- .../api-console/api-design/limit-user-actions.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md index a56967659a..0f27080eaa 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md @@ -1,5 +1,7 @@ # Granular role-based access control +> This feature is not currently generally available, but is only available as a Closed Preview. For more information and to enable it on your Company, contact your Mia-Platform representative + This feature introduces a mechanism for managing user interactions within the application by restricting specific actions based on user roles and specified rules. If a user try to save a configuration after performing some changes that are forbidden by the configured the rules, the saving is blocked and an error is returned. 
From d1bd668f0105f329e543540d425c200348c67588 Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Wed, 20 Nov 2024 10:18:34 +0100 Subject: [PATCH 04/14] feat(fine-grain-rbac): added sidebar info --- .../api-console/api-design/limit-user-actions.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md index 0f27080eaa..46067bb6e6 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md @@ -1,3 +1,9 @@ +--- +id: limit-user-actions +title: Limit User Actions +sidebar_label: Limit User Actions +--- + # Granular role-based access control > This feature is not currently generally available, but is only available as a Closed Preview. For more information and to enable it on your Company, contact your Mia-Platform representative From 637b1a95d2aa7d72ab55c458a25e385c212c9658 Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Wed, 20 Nov 2024 10:36:56 +0100 Subject: [PATCH 05/14] feat(fine-grain-rbac): changed info banner --- .../api-design/limit-user-actions.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md index 46067bb6e6..8939355c7d 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md 
@@ -6,7 +6,9 @@ sidebar_label: Limit User Actions # Granular role-based access control -> This feature is not currently generally available, but is only available as a Closed Preview. For more information and to enable it on your Company, contact your Mia-Platform representative +:::info +This feature is not currently generally available, but is only available as a Closed Preview. For more information and to enable it on your Company, contact your Mia-Platform referent +::: This feature introduces a mechanism for managing user interactions within the application by restricting specific actions based on user roles and specified rules. @@ -75,9 +77,10 @@ The `ruleId` references a rule from a predefined set of rules, that define a spe The API for updating the rules on a Project is defined as follows -> **NOTE** -> This API is meant for internal use and will be subject to breaking changes. -> +:::info +**NOTE** +This API is meant for internal use and will be subject to breaking changes. +::: #### Request @@ -94,9 +97,10 @@ The **body** of the request has the structure described in [Configuration defini The API for updating the rules on a Companty is defined as follows. -> **NOTE** -> This API is meant for internal use and will be subject to breaking changes. -> +:::info +**NOTE** +This API is meant for internal use and will be subject to breaking changes. +:::info #### Request From e8a6cfd6c297f7d80863f4a1f76ce9eaf71614e7 Mon Sep 17 00:00:00 2001 From: guidozoli <64744713+guidozoli@users.noreply.github.com> Date: Wed, 20 Nov 2024 12:41:03 +0100 Subject: [PATCH 06/14] Apply suggestions from code review text improvements Co-authored-by: Federico Maggi <7142570+fredmaggiowski@users.noreply.github.com> Co-authored-by: Marco Filippi <108082959+marcofilippi@users.noreply.github.com> --- .../api-console/api-design/limit-user-actions.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md index 46067bb6e6..03dcdc745c 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md 
@@ -4,19 +4,19 @@ title: Limit User Actions sidebar_label: Limit User Actions --- -# Granular role-based access control +# Design changes Fine-Grained Access Control -> This feature is not currently generally available, but is only available as a Closed Preview. For more information and to enable it on your Company, contact your Mia-Platform representative +> This feature is currently available exclusively as a **Closed Preview** and is not yet generally available. For more information and to request its activation for your Company, please contact your Mia-Platform referent. -This feature introduces a mechanism for managing user interactions within the application by restricting specific actions based on user roles and specified rules. +This feature introduces a mechanism for managing user interactions within the application by restricting specific actions based on user roles and specified rules in the Design section. -If a user try to save a configuration after performing some changes that are forbidden by the configured the rules, the saving is blocked and an error is returned. +If a user attempts to save a configuration after performing some changes that are forbidden by the configured rules, the saving is blocked and an error is returned. *Rules* and *user roles* can be configured at both the Project and the Company levels. The following logic is applied: -- **Rules**: project and company rules are combined together without conflict, as only disallow rules are used. -- **User Roles**: If a user has roles assigned at the project level, only those roles are applied. If no project-level roles are assigned, the roles defined at the company level are used instead. +- **Rules**: Project and Company rules are combined together without conflict, as only disallow rules are used. +- **User Roles**: If a user has roles assigned at the project level, only those roles used to find the applicable rules. 
If no project-level roles are assigned, the roles defined at the company level are used instead. ## Configuration definition @@ -109,7 +109,7 @@ The API for updating the rules on a Companty is defined as follows. The **body** of the request the structure described in [Configuration definition](#configuration-definition) -### Examples +### Use Case Examples Here are some examples of request bodies for updating Project or Company rules (the body is the same for the two API) @@ -156,7 +156,7 @@ Prevent creation of the resource `secrets` to the role `maintainer` } ``` -Through jsonpath syntax, more complex rules can be configured. The following rule for example prevent the creation of a services of a specific type (`custom-resource`) to the role `maintainer` +Through jsonpath syntax, more complex rules can be configured. The following rule for example prevents the creation of a services of a specific type (`custom-resource`) to the role `maintainer` ```json { From 5ad3b9331607f8733849da30892dc2e6f05bb52a Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Wed, 20 Nov 2024 12:45:04 +0100 Subject: [PATCH 07/14] fix: Project and Company capitalized --- .../api-console/api-design/limit-user-actions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md index 83ab2dae78..1a7bf0683a 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md 
@@ -18,11 +18,11 @@ If a user attempts to save a configuration after performing some changes that ar The following logic is applied: - **Rules**: Project and Company rules are combined together without conflict, as only disallow rules are used. -- **User Roles**: If a user has roles assigned at the project level, only those roles used to find the applicable rules. If no project-level roles are assigned, the roles defined at the company level are used instead. +- **User Roles**: If a user has roles assigned at the Project level, only those roles used to find the applicable rules. If no Project-level roles are assigned, the roles defined at the Company level are used instead. ## Configuration definition -To enable this feature the `project` or `tenant` `configurationManagement.saveChangesRules` field of the configuration must be set with a list of objects with the following structure: +To enable this feature the `Project` or `Company` `configurationManagement.saveChangesRules` field of the configuration must be set with a list of objects with the following structure: | Field | Type | Description | Optional | | ------------------- | ----------- | --------------------------------------------- | -------- | From 5448e80df28991feea12ba9d9311a74c6718cee9 Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Thu, 21 Nov 2024 12:31:57 +0100 Subject: [PATCH 08/14] added miactl command documentation for fine-grain-rbac --- .../api-design/limit-user-actions.md | 97 ++++++++++++++----- 1 file changed, 71 insertions(+), 26 deletions(-) diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md index 1a7bf0683a..f6cfdf3fcb 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md 
@@ -46,7 +46,7 @@ A `disallowedRuleSet` can be configured in 3 ways: ### Via `jsonPath` -The `jsonPath` field is used to extract the target resource. On this resource the edit operation is prevented. +The `jsonPath` field is used to extract a target resource applying a JSONPath expression on the JSON structure of the configuration. On the extracted resource are not permitted any updates. ### Via `jsonPath` and `processingOptions` @@ -71,7 +71,7 @@ The `ruleId` references a rule from a predefined set of rules, that define a spe | `endpoints.security.edit` | block edit of the fields [`public`, `acl`, `secreted`] of `endpoints` and `routes` inside endpoints | | | | -## Configuring Rules Via API +## Configuring rules via API ### Updating rules on a Project @@ -95,7 +95,7 @@ The **body** of the request has the structure described in [Configuration defini ### Updating rules on a Company -The API for updating the rules on a Companty is defined as follows. +The API for updating the rules on a Company is defined as follows. :::info **NOTE** 
@@ -113,32 +113,30 @@ This API is meant for internal use and will be subject to breaking changes. The **body** of the request the structure described in [Configuration definition](#configuration-definition) -### Use Case Examples +Below are some **examples of request bodies** for the Update Rules API. The request body format is identical for both the Update Project and Update Company APIs. -Here are some examples of request bodies for updating Project or Company rules (the body is the same for the two API) - -Prevent edit of the `dockerImage` of all services to the role `maintainer` +- prevent edit of the `dockerImage` of all services to the role `maintainer` ```json -{ - "configurationManagement": { - "saveChangesRules": [ - { - "disallowedRuleSet": [ - { - "jsonPath": "$.services.*.dockerImage" - }, - ], - "roleIds": [ - "maintainer" - ] - } - ] - } -} + { + "configurationManagement": { + "saveChangesRules": [ + { + "disallowedRuleSet": [ + { + "jsonPath": "$.services.*.dockerImage" + }, + ], + "roleIds": [ + "maintainer" + ] + } + ] + } + } ``` -Prevent creation of the resource `secrets` to the role `maintainer` +- prevent creation of the resource `secrets` to the role `maintainer` ```json { @@ -160,7 +158,7 @@ Prevent creation of the resource `secrets` to the role `maintainer` } ``` -Through jsonpath syntax, more complex rules can be configured. The following rule for example prevents the creation of a services of a specific type (`custom-resource`) to the role `maintainer` +- prevent the creation of a services of a specific type (`custom-resource`) to the role `maintainer` ```json { @@ -180,7 +178,7 @@ Through jsonpath syntax, more complex rules can be configured. The following rul } ``` -Configure the predefined rule with `ruleId` "endpoints.security.edit" to the role `maintainer` +- configure the predefined rule with `ruleId` "endpoints.security.edit" to the role `maintainer` ```json { 
@@ -198,3 +196,50 @@ Configure the predefined rule with `ruleId` "endpoints.security.edit" to the rol } } ``` + +## Fetching and configuring rules via `miactl` + +### list + +List available rules for the Company or for a specific Project. + +Usage: + +```sh +miactl company rules list [flags] +``` + +Available flags for the command: + +- `--company-id`, the id of the Company +- `--project-id`, the id of the Project (if provided the command will print avilable rules for the project, + together with the rules inherited from the Company) + +### update + +Update rules for a Company or for a specific Project + +Usage: + +```sh +miactl company rules update [flags] +``` + +Available flags for the command: + +- `--company-id`, the id of the Company +- `--project-id`, the id of the Project (if provided the command will update the rules for the specified Project only) +- `-f`, path to the file where the rules are saved + +File example: + +```json +[ + { + "roleIds": ["developer"], + "disallowedRuleSet": [ + {"ruleId": "endpoint.security.edit"} + ] + } +] +``` From 0318134438dad899e15c81cfa60a555e81ce94d8 Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Thu, 21 Nov 2024 12:39:17 +0100 Subject: [PATCH 09/14] added security section for API in fine-grain-rbac documentation --- .../api-console/api-design/limit-user-actions.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md index f6cfdf3fcb..332858f6c9 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md 
@@ -87,7 +87,12 @@ This API is meant for internal use and will be subject to breaking changes. - verb: `PATCH` - path: `/api/backend/projects/:projectId/rules` -**Authentication required** +##### Security + +| Security | Check | +|-------------------------|---------------------------------| +| Authentication required | ✅ | +| RBAC permissions | console.company.details.update | ##### Body @@ -107,7 +112,12 @@ This API is meant for internal use and will be subject to breaking changes. - verb: `PATCH` - path: `/api/backend/tenants/:tenantId/rules` -**Authentication required** +##### Security + +| Security | Check | +|-------------------------|---------------------------------| +| Authentication required | ✅ | +| RBAC permissions | console.company.details.update | ##### Body From 55e63fe8ae7f79a947ff4093edfc0b37a50e9bcb Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Thu, 21 Nov 2024 13:05:06 +0100 Subject: [PATCH 10/14] fix: typo --- .../api-console/api-design/limit-user-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md index 332858f6c9..0f45fe4ecd 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/limit-user-actions.md @@ -222,7 +222,7 @@ miactl company rules list [flags] Available flags for the command: - `--company-id`, the id of the Company -- `--project-id`, the id of the Project (if provided the command will print avilable rules for the project, +- `--project-id`, the id of the Project (if provided the command will print available rules for the project, together with the rules inherited from the Company) ### update From 1ebc701e5408d8db85d51d027d6258798b2465ad Mon Sep 17 00:00:00 2001 
From: Guido Zoli Date: Thu, 21 Nov 2024 13:36:17 +0100 Subject: [PATCH 11/14] feat(fine-grain-rbac): renamed file and title; changed miactl part with an overview of the commands; moved miactl commands part before API part --- ...ions.md => fine-grained-access-control.md} | 83 ++++++++----------- 1 file changed, 33 insertions(+), 50 deletions(-) rename docs/development_suite/api-console/api-design/{limit-user-actions.md => fine-grained-access-control.md} (89%) diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/fine-grained-access-control.md similarity index 89% rename from docs/development_suite/api-console/api-design/limit-user-actions.md rename to docs/development_suite/api-console/api-design/fine-grained-access-control.md index 0f45fe4ecd..1e33ca57c3 100644 --- a/docs/development_suite/api-console/api-design/limit-user-actions.md +++ b/docs/development_suite/api-console/api-design/fine-grained-access-control.md @@ -1,7 +1,7 @@ --- -id: limit-user-actions -title: Limit User Actions -sidebar_label: Limit User Actions +id: fine-grained-access-control +title: Design Fine-Grained Access Control +sidebar_label: Fine-Grained Access Control --- # Design changes Fine-Grained Access Control 
@@ -71,6 +71,36 @@ The `ruleId` references a rule from a predefined set of rules, that define a spe | `endpoints.security.edit` | block edit of the fields [`public`, `acl`, `secreted`] of `endpoints` and `routes` inside endpoints | | | | +## Fetching and configuring rules with `miactl` + +:::info +The following `miactl` commands will be introduced in version 0.16.0 of miactl, which is not yet released. +::: + +```bash +miactl company rules list --company-id=my-company +miactl company rules list --company-id=my-company --project-id=my-project +miactl company rules update --company-id=my-company -f ~/my-rules.json +miactl company rules update --company-id=my-company --project-id=my-project -f ~/my-rules.json +``` + +Example for the file `my-rules.json`: + +```json +[ + { + "roleIds": ["developer"], + "disallowedRuleSet": [ + {"ruleId": "endpoint.security.edit"} + ] + } +] +``` + +:::info +For comprehensive information on these `miactl` commands, visit the dedicated section in the [miactl documentation](https://docs.mia-platform.eu/docs/cli/miactl/commands) +::: + ## Configuring rules via API ### Updating rules on a Project 
@@ -206,50 +236,3 @@ Below are some **examples of request bodies** for the Update Rules API. The requ } } ``` - -## Fetching and configuring rules via `miactl` - -### list - -List available rules for the Company or for a specific Project. - -Usage: - -```sh -miactl company rules list [flags] -``` - -Available flags for the command: - -- `--company-id`, the id of the Company -- `--project-id`, the id of the Project (if provided the command will print available rules for the project, - together with the rules inherited from the Company) - -### update - -Update rules for a Company or for a specific Project - -Usage: - -```sh -miactl company rules update [flags] -``` - -Available flags for the command: - -- `--company-id`, the id of the Company -- `--project-id`, the id of the Project (if provided the command will update the rules for the specified Project only) -- `-f`, path to the file where the rules are saved - -File example: - -```json -[ - { - "roleIds": ["developer"], - "disallowedRuleSet": [ - {"ruleId": "endpoint.security.edit"} - ] - } -] -``` From 0fd235d428fd3b6d446e606a8bff92f47d85261f Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Thu, 21 Nov 2024 15:46:43 +0100 Subject: [PATCH 12/14] feat(fine-grain-rbac): fix miactl commands link --- .../api-console/api-design/fine-grained-access-control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development_suite/api-console/api-design/fine-grained-access-control.md b/docs/development_suite/api-console/api-design/fine-grained-access-control.md index 1e33ca57c3..ac2727efd9 100644 --- a/docs/development_suite/api-console/api-design/fine-grained-access-control.md +++ b/docs/development_suite/api-console/api-design/fine-grained-access-control.md 
@@ -98,7 +98,7 @@ Example for the file `my-rules.json`: ``` :::info -For comprehensive information on these `miactl` commands, visit the dedicated section in the [miactl documentation](https://docs.mia-platform.eu/docs/cli/miactl/commands) +For the full specifications about the commands refer to the [related miactl documentation](/cli/miactl/30_commands.md) ::: ## Configuring rules via API From a468de682f83ce628e2f59ea47c8bee8940c949c Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Thu, 21 Nov 2024 15:57:14 +0100 Subject: [PATCH 13/14] feat(fine-grain-rbac): added in sidebar --- sidebars.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sidebars.json b/sidebars.json index d9ed2514d8..8497d3b954 100644 --- a/sidebars.json +++ b/sidebars.json @@ -534,6 +534,10 @@ "id": "development_suite/api-console/api-design/endpoints", "type": "doc" }, + { + "id": "development_suite/api-console/api-design/fine-grained-access-control", + "type": "doc" + }, { "id": "development_suite/api-console/api-design/listeners", "type": "doc" From 3fc97de1c0a25ddf623c45fac9f7f9dd55a72dcd Mon Sep 17 00:00:00 2001 From: Guido Zoli Date: Thu, 21 Nov 2024 16:28:46 +0100 Subject: [PATCH 14/14] feat(fine-grain-rbac): fixed caution banner, title and sidebar placement --- .../api-design/fine-grained-access-control.md | 12 +++++------- sidebars.json | 6 +++--- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/development_suite/api-console/api-design/fine-grained-access-control.md b/docs/development_suite/api-console/api-design/fine-grained-access-control.md index ac2727efd9..24e0c2b27b 100644 --- a/docs/development_suite/api-console/api-design/fine-grained-access-control.md +++ b/docs/development_suite/api-console/api-design/fine-grained-access-control.md 
@@ -1,10 +1,10 @@ --- id: fine-grained-access-control -title: Design Fine-Grained Access Control +title: Fine-Grained Access Control in Design sidebar_label: Fine-Grained Access Control --- -# Design changes Fine-Grained Access Control +# Fine-Grained Access Control in Design :::info This feature is currently available exclusively as a **Closed Preview** and is not yet generally available. For more information and to request its activation for your Company, please contact your Mia-Platform referent. @@ -107,8 +107,7 @@ For the full specifications about the commands refer to the [related miactl docu The API for updating the rules on a Project is defined as follows -:::info -**NOTE** +:::caution This API is meant for internal use and will be subject to breaking changes. ::: @@ -132,10 +131,9 @@ The **body** of the request has the structure described in [Configuration defini The API for updating the rules on a Company is defined as follows. -:::info -**NOTE** +:::caution This API is meant for internal use and will be subject to breaking changes. -:::info +::: #### Request diff --git a/sidebars.json b/sidebars.json index 8497d3b954..14c4524cb4 100644 --- a/sidebars.json +++ b/sidebars.json @@ -535,15 +535,15 @@ "type": "doc" }, { - "id": "development_suite/api-console/api-design/fine-grained-access-control", + "id": "development_suite/api-console/api-design/listeners", "type": "doc" }, { - "id": "development_suite/api-console/api-design/listeners", + "id": "development_suite/api-console/api-design/authorization", "type": "doc" }, { - "id": "development_suite/api-console/api-design/authorization", + "id": "development_suite/api-console/api-design/fine-grained-access-control", "type": "doc" }, {
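
Review bot: in PATCH 01/14, two request-body examples do not do what their captions say, so a reader copying them would end up with a restriction that is not the one they expect. The example captioned "Prevent creation of the resource `secrets`" uses `"jsonPath": "$.collections"`, and the `custom-resource` example filters on `@.type==\"cursom-resource\"`, which does not match the type the text names. Align each path with its caption. In the same hunk, the first example has a trailing comma (`},` directly before `],`) and is not valid JSON, and the `ProcessingOption` table types `action` as `string[]` while every example passes a plain string (`"action": "create"`); pick one form and use it in both places. The `ruleId` table also ends with an empty row that can be dropped.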
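
Review bot: in PATCH 05/14, the second admonition (under "Updating rules on a Company") is closed with `:::info` instead of `:::`, so the block is not terminated. Close it with a bare `:::` in this commit rather than in a later fix-up.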
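
Review bot: in PATCH 06/14, the rewritten **User Roles** bullet is missing its verb: "only those roles used to find the applicable rules" should read "only those roles are used to find the applicable rules". The context line of the `@@ -109,7 +109,7 @@` hunk has the same kind of gap ("The **body** of the request the structure described in ...", missing "has") and could be fixed in this text-improvement pass as well. The new H1 "Design changes Fine-Grained Access Control" also reads as two titles run together.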
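
Review bot: in PATCH 07/14, the "Configuration definition" sentence keeps the code formatting after capitalising, giving `Project` or `Company`, which reads as literal identifiers. The previous text used `project` / `tenant`, and the API path in this document is `/api/backend/tenants/:tenantId/rules`, so either keep the literal names in backticks or drop the backticks and write Project or Company as plain words.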
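
Review bot: in PATCH 08/14, the `miactl` file example (hunk `@@ -198,3 +196,50 @@`) uses `"ruleId": "endpoint.security.edit"`, but the only predefined rule listed in the `ruleId` table is `endpoints.security.edit`. As written, the sample does not reference a documented rule, and someone copying it to lock down the `public`, `acl` and `secreted` fields may not get that restriction; correct the id. The file is also a bare array, while the API examples wrap the same list in `configurationManagement.saveChangesRules`; say explicitly which shape `-f` expects. In the `@@ -46,7 +46,7 @@` hunk, "On the extracted resource are not permitted any updates" would read better as "No updates are permitted on the extracted resource".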
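
Review bot: in PATCH 09/14, the Security table for the Project endpoint (`PATCH /api/backend/projects/:projectId/rules`) lists the same RBAC permission as the Company endpoint, `console.company.details.update`. If that is intended, state that updating Project rules requires a Company-level permission, since the path alone suggests a Project-scoped one; if it was copied from the Company table, replace it with the permission actually checked. The "Security" column header repeats the section title and could be renamed to something like "Requirement".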
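
Review bot: in PATCH 11/14, replacing the `list` / `update` subsections with four sample invocations drops the only description of what `--project-id` changes: that `list` prints the Project's rules together with those inherited from the Company, and that `update` touches the specified Project only. Keep one sentence for each, because it determines which scope a rule file is applied to. The relocated `my-rules.json` example also still carries `endpoint.security.edit`.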