Skip to main content

Permissions

Permissions determine what operations are allowed on a resource. In Frontier, permissions are represented in the form of service.resource.verb, for example, potato.cart.list.

Permissions often correspond one-to-one with API methods. That is, each service has an associated set of permissions for each API method that it exposes. The caller of that method needs those permissions to call that method. For example, if you want to create a new project you must have the projecr create permission.

You don't grant permissions to users directly. Instead, you identify roles that contain the appropriate permissions, and then grant those roles to the user.

Frontier comes with predefined permissions which allow users to perform common operations on IAM resources itself. For example managing organisation, assigning roles to users.

Permissions in Frontier are attached to a logical partition called Namespace.

Namespace

A Namespace in Frontier is a logical container or partitioning mechanism that helps organize and manage resources and access control policies. It is used to group related entities and define the scope of authorization within a system. With the namespaces we compartmentalize and control access to different parts of the application or system, allowing more granular authorization and improved security.

Each namespace can have its own set of permissions, roles, and access control policies, enabling fine-grained control over who can access what resources within the defined scope. For example, the namespace app/organization in Frontier contains permissions related to managing organizations. These permissions could include create update delete get and so on.

Predefined Org Permissions

Includes a list of Frontier's predefined permissions at the organization level.

info

Frontier allows inheritance of permissions for a hierarchical structure, where higher-level permissions grant access to lower-level entities. In this case, granting permissions at the organization level automatically extends those permissions to the projects, resources, and groups within that org.

Permission NamePermission TitleDescription
app.organization.administerOrganization AdministerGrants administrative privileges for managing the organization.
app.organization.deleteOrganization DeleteAllows deleting the organization.
app.organization.updateOrganization UpdateAllows updating or modifying the organization's information.
app.organization.getOrganization GetAllows retrieving or accessing a specific organization.
app.organization.rolemanageOrganization Role ManageEnables managing or controlling roles within the organization.
app.organization.policymanageOrganization Policy ManageEnables managing or controlling access control policies within the organization.
app.organization.projectlistOrganization Project ListAllows listing or retrieving a list of projects within the organization.
app.organization.grouplistOrganization Group ListAllows listing or retrieving a list of groups within the organization.
app.organization.invitationlistOrganization Invitation ListAllows listing or retrieving a list of user invitations in the organization.
app.organization.projectcreateOrganization Project CreateAllows creating new projects within the organization.
app.organization.groupcreateOrganization Group CreateAllows creating new groups within the organization.
app.organization.invitationcreateOrganization Invitation CreateAllows creating new invitations or access requests within the organization.
app.organization.serviceusermanageOrganization Service User ManageEnables managing or creating service users within the organization.
app.organization.billingmanageOrganization Billing ManageEnables managing billing related information and purchases for the organization.
app.organization.billingviewOrganization Billing ViewEnables viewing billing related information and purchases for the organization.

Predefined Project Permissions

Includes a list of Frontier's predefined permissions at the project level.

Permission NamePermission TitleDescription
app.project.administerProject AdministerGrants administrative privileges for managing the project.
app.project.deleteProject DeleteAllows deleting the project.
app.project.updateProject UpdateAllows updating or modifying the project's information.
app.project.getProject GetAllows retrieving or accessing a specific project.
app.project.policymanageProject Policy ManageEnables managing or controlling access control policies within the project.
app.project.resourcelistProject Resource ListAllows listing or retrieving a list of resources within the project.

Predefined Group Permissions

Contains a list of Frontier's predefined permissions at the group level.

Permission NamePermission TitleDescription
app.group.administerGroup AdministerGrants administrative privileges for managing the group.
app.group.deleteGroup DeleteAllows deleting the group.
app.group.updateGroup UpdateAllows updating or modifying the group's information.
app.group.getGroup GetAllows retrieving or accessing a specific group.
note

Permissions in Frontier follow a hierarchical structure, where higher-level permissions include the capabilities of lower-level permissions. For example, a higher-level permission like adminiter includes all the capabilities of a lower-level permission like get.


Custom Permissions

Frontier allow the its platform administrators (Superusers) to create permissions to meet specific authorization requirements beyond the predefined set of permissions. Custom permissions allow for more granular control over access to resources and actions within an application or system. They enable organizations to define and enforce fine-grained access policies tailored to their unique needs.

When creating custom permissions, administrators typically define the name and scope (namespace) of the permission. The name should be descriptive and indicative of the action or resource it governs. The scope determines where the permission applies, such as the platform(making it available across all the organizations in Frontier), organization, project or group.

note

The permissions can either be created dynamically when the Frontier is running, or can either be provided in the server configurations.

For example, let's say you have an e-commerce application where users can manage their shopping carts. To control access to cart-related actions, you can create custom permissions in the potato/cart namespace.

Sample custom permission requirements:

Permission NamePermission TitleNamespaceDescription
deleteCart Deletepotato/cartGrants the ability to delete items from the shopping cart.
updateCart Updatepotato/cartAllows updating the contents of the shopping cart.
getCart Getpotato/cartEnables retrieving the details of the shopping cart.

This is how the resource config file will look like

info

While creating permissions, it is important to note that the namespace is appended to the permission name to generate a permission slug. For instance, the delete permission name will be appended with namespace potato/cart, to generate the final permission slug as potato_cart_delete in Frontier. This naming convention is used to ensure uniqueness and organization of permissions within Frontier. While creating a role, we pass the list of these permission slugs being binded to that role.

Managing Permission

tip

Some of these APIs require special privileges to access these endpoints and to authorize these requests, users may need a Client ID/Secret or an Access token to proceed. Read Authorization for APIs to learn more.