-
Notifications
You must be signed in to change notification settings - Fork 86
User Roles and Scope
Anvil Connect implements Role-Based Access Control using OAuth 2.0 style "scope" as permissions. A role is associated with one or more scopes. A user can be assigned one or more roles. When a client refers a user to the authorization server to authenticate, a scope determination is made based on:
- scope requested by the client
- scope defined for the authorization server
- scope available to every user by default (e.g.,
openid,profile) - scope available to a user via role assignments
If a client requests scope that is not authorized for the user and the authorization request is otherwise successful, the scope of the issued token will be downgraded to match the user's permissions.
Some scopes are available to all users by default.
- openid – View your identity
- profile – View your basic account info
In addition, Anvil Connect defines scope that may be required for certain API operations.
- client – Register and configure clients
- realm – Administer the security realm
Users can gain permissions through role assignment. Anvil Connect defines two standard roles with associated scope.
-
authority – this role should only be assigned to the operator(s) of the authorization server
- realm
-
developer – this role can be assigned to users who may register clients
- client
$ nv add role '{ "name": "editor" }'
$ nv add scope '{ "name": "blog", "description": "Read and write blog posts" }'
$ nv permit editor blog
$ nv assign john@example.com editor