Reference » Services » Authorization » Permission
Conjur provides methods to set up, revoke and check arbitrary privileges, identified by alphanumeric strings. This is useful for factoring abstract RBAC models out of custom applications and managing them with Conjur.
Here's the simplest example, where the abstract role cook is given the permission fry on the abstract resource bacon, using the CLI command resource permit:

$ conjur role create abstract_role:cook
Created role demo:abstract_role:cook
$ conjur resource create abstract_resource:bacon
... <output snipped> ...
$ conjur resource permit abstract_resource:bacon abstract_role:cook fry
Permission granted
$ conjur resource check -r abstract_role:cook abstract_resource:bacon fry
true
- A permission can be granted either with or without the ability to subsequently grant it to other roles (the grant option).
- For a given actor and resource, the permissions in scope are the union of the permissions of all of the actor's roles on that resource.
- A permission check is always true for the resource owner (even for "non-existing" privileges that were never granted).
- It is strongly recommended not to grant permissions to particular actors such as hosts and users; grant them to higher-level assets such as groups and layers instead, and make the actors members of those.
Working with Conjur requires setting up a permission model consisting of roles, resources and the permissions between them. Simple models can be set up with a sequence of resource permit commands; more complex ones are better described with the Conjur Permissions DSL.
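The rules above (union over an actor's roles, owner always permitted, grant option, deny) as an added worked example in Ruby. This is not Conjur's own code or API: AuthzModel and its methods are a hypothetical in-memory model written for this page, the role and resource ids are constructed, and treating members of the owning role as owners is an assumption of the model.

```ruby
# Added example (not Conjur's code): an in-memory model of the permission
# rules stated on this page. Class and method names are hypothetical.
class AuthzModel
  Grant = Struct.new(:role, :privilege, :grant_option)

  def initialize
    @memberships = Hash.new { |h, k| h[k] = [] } # member role => roles it belongs to
    @owners      = {}                            # resource id => owning role id
    @grants      = Hash.new { |h, k| h[k] = [] } # resource id => [Grant]
  end

  def create_resource(resource, owner)
    @owners[resource] = owner
  end

  # E.g. a user in a group, a host in a layer, a group in an abstract role.
  def add_member(role, member)
    @memberships[member] << role
  end

  # Every role the actor holds: itself plus its memberships, transitively.
  def all_roles(actor)
    seen = []
    queue = [actor]
    until queue.empty?
      role = queue.shift
      next if seen.include?(role)
      seen << role
      queue.concat(@memberships[role])
    end
    seen
  end

  # Assumption of this model: members of the owning role count as owners.
  def owner?(actor, resource)
    all_roles(actor).include?(@owners[resource])
  end

  # Grant `privilege` on `resource` to `role`, optionally with the ability to
  # grant it onward. The grantor must own the resource or hold the privilege
  # with the grant option; otherwise the grant is refused.
  def permit(grantor, resource, role, privilege, grant_option: false)
    unless owner?(grantor, resource) || can_grant?(grantor, resource, privilege)
      raise ArgumentError, "#{grantor} may not grant #{privilege} on #{resource}"
    end
    deny(resource, role, privilege) # replace any earlier grant to this role
    @grants[resource] << Grant.new(role, privilege, grant_option)
  end

  def deny(resource, role, privilege)
    @grants[resource].reject! { |g| g.role == role && g.privilege == privilege }
  end

  # The check: always true for the owner, even for privileges never granted;
  # otherwise the union of the grants to every role the actor holds.
  def permitted?(actor, resource, privilege)
    return true if owner?(actor, resource)
    roles = all_roles(actor)
    @grants[resource].any? { |g| g.privilege == privilege && roles.include?(g.role) }
  end

  def can_grant?(actor, resource, privilege)
    roles = all_roles(actor)
    @grants[resource].any? do |g|
      g.privilege == privilege && g.grant_option && roles.include?(g.role)
    end
  end

  def permitted_roles(resource, privilege)
    @grants[resource].select { |g| g.privilege == privilege }.map(&:role)
  end
end

# Constructed scenario: the page's cook/bacon example, with grants made to an
# abstract role and to groups rather than to individual users.
def build_bacon_model
  m = AuthzModel.new
  m.create_resource("abstract_resource:bacon", "user:chef")
  m.add_member("group:cooks", "user:alice")
  m.add_member("abstract_role:cook", "group:cooks")
  # The owner grants "fry" to the abstract role; alice inherits it via group:cooks.
  m.permit("user:chef", "abstract_resource:bacon", "abstract_role:cook", "fry")
  # The owner grants "serve" to group:waiters with the grant option, so a
  # waiter may pass "serve" on to another role (but not "fry", which they lack).
  m.add_member("group:waiters", "user:bob")
  m.permit("user:chef", "abstract_resource:bacon", "group:waiters", "serve", grant_option: true)
  m.permit("user:bob", "abstract_resource:bacon", "group:hosts", "serve")
  m
end

if __FILE__ == $PROGRAM_NAME
  m = build_bacon_model
  puts m.permitted?("user:alice", "abstract_resource:bacon", "fry") # => true
  puts m.permitted?("user:bob",   "abstract_resource:bacon", "fry") # => false
  puts m.permitted?("user:chef",  "abstract_resource:bacon", "eat") # => true (owner)
end
```

The point of routing alice's access through group:cooks and abstract_role:cook, rather than granting to user:alice directly, is the recommendation above: revoking or changing access then means editing a membership or a single grant, not hunting for per-user grants on every resource.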
Although Conjur supports arbitrary privileges, there is a predefined set of privileges that different components of the product rely on.

Privileges granted on any resource (the scope of the operation depends on the particular resource type):
- read -- view the resource's metadata, see the resource in resource lists, perform other "read-only" operations
- update -- modify the resource

Privileges granted on a host (see the Layer » Hosts Permit commands referenced below):
- execute -- login
- update -- sudo

Privileges granted on a variable:
- execute -- read the variable's value
- update -- update the variable's value
- Services » Authorization » Role
- Services » Authorization » Resource
- Authorization » Resource » Permit
- Authorization » Resource » Deny
- Authorization » Resource » Check
- Authorization » Resource » Permitted Roles
- Directory » Layer » Hosts Permit
- Directory » Layer » Hosts Deny
- Directory » Layer » Hosts Permitted Roles