Roles

Overview

A Role is a group of Policies that can be assigned to someone. They allow you to create flexible and hierarchical permissions.

A Role can have two fields:
Name
This is the name of the Role. It must have the role:: prefix.
Policies
A policy is an authorization rule that a user has over a specific resource. You can describe a certain Policy such as, "Allow Alice to read and update the properties of any given Thing in Category "my_category." Policies determine the level of access, which is then given out in the form of an Access Token. Each Policy has the following fields:
  • Resource: The entities or entity this Policy should rule.
  • Effect: Indicates if the Policy will grant access to a resource or will deny it. Effect can be allow or deny.

    Deny Policies always prevail over Allow Policies: If you have both Allow and Deny Policies over a specific resource, the subject will not be able to access it.

  • Action: Indicates what a Policy can -- or cannot -- do with a resource. It can be one or a combination of these:
    1. Create: Permission to add new resources.
    2. Read: Permission to read or retrieve the resource.
    3. Update: Permission to modify the resource.
    4. Delete: Permission to delete the resource

Root Role

A role root has already been created by default. This role can create, read, update and delete any resource of the account.
Note: This role cannot be modified.
Figure 1.


Create a New Role

In this example, you will create a role for guest users to enable them to manage Things in a public guests Category and invoke the guest-function Function. After naming the role, you will add the Policies to the new Role:

  1. Before adding the new Policies, delete the policy that appears by default.
  2. Add Policy to grant access to the Category guests.
  3. Policy Resource:
    • Section: AnythingDB
    • Resource Type: Categories
    • Category Name: guests
      Note: Policy Resource field is automatically populated.
  4. Policy Effect: enable to allow.
  5. Action: read, create, update and delete
  6. Add Policy to grant access to invoke the Function guest-function.
  7. Policy Resource:
    • Section: Functions
    • Resource Type: Sync Invoke Functions
    • Function Name: guest-function
  8. Policy Effect: enable to allow.
  9. Action: read, create, update and delete
    Figure 2.


  10. Create a policy to deny access to the Authorization section, so the users with this role won't be able to see other users' details, modify roles and policies or manage secrets.
  11. Policy Resource
    • Section: Authorization
    • Resource Type: All
  12. Policy Effect: enable to deny.
  13. Action: read, create, update and delete
  14. Click Save to create the role.