
Custom Permissions

MetalSoft’s ABAC (Attribute-Based Access Control) system allows complex, custom rules based on CASL conditions, custom fields, etc.

Every operation that MetalSoft performs is filtered through a check that the logged-in User has permission to perform a particular Action against a particular Subject (such as an Infrastructure or a Server). Users are assigned a Role that includes a list of Permissions, either built-in or custom. For most situations the built-in permissions are sufficient; more complex situations might require custom permissions.

To create a custom permission using the admin UI, perform the following:

  1. Go to Users & Permissions > Permissions
  2. Click Add Permission
  3. Fill in the details of the permission as described below
  4. Click Add Permission
  5. Go to the Roles tab
  6. Edit an existing role or click Add Custom Role
  7. Check the checkbox next to the newly created permission at the bottom.

Permissions follow the CASL convention and have three parameters:

  • Action: one of:

    • All actions
    • Create
    • List
    • Read
    • Update
    • Delete
    • Deploy
    • Manage
  • Subject: the subject of the action, typically an object type such as an Infrastructure.

  • Conditions: an optional filter that further restricts which instances of the Subject the permission applies to.

Conditions are a JSON object in CASL’s MongoDB-style query syntax: each key is a field of the Subject and each value is either a plain value (an implicit equality check) or an object of operators. The following examples use the “Infrastructure” Subject:

Test that the infrastructure has the id 120:

{
"id": 120
}

Test that the Subject’s userIdOwner field equals the logged-in User’s userId (the {{userId}} placeholder is substituted at evaluation time):

{
"userIdOwner": "{{userId}}"
}

Test that the infrastructure’s status value is one of active and ordered (note that the operator object is a nested JSON object, not a quoted string; a quoted string would be compared literally):

{
"serviceStatus": { "$in": ["active", "ordered"] }
}

Multiple conditions (all keys must match). The CASL documentation writes `new Date()` for the createdAt value, but that is JavaScript, not JSON; in the permission form use a literal timestamp in place of the placeholder shown here:

{
"createdAt": { "$lte": "<ISO 8601 timestamp>" },
"status": { "$in": ["active", "ordered"] }
}

List of supported operators

  • $eq and $ne: the object’s value should equal the specified value. $ne means not $eq.
  • $lt and $lte: the object’s value should be less than the specified value. Can be used for Dates, numbers and strings. $lte is a combination of $lt and $eq, so it’s an inclusive check.
  • $gt and $gte: the object’s value should be greater than the specified value. Can be used for Dates, numbers and strings. $gte is a combination of $gt and $eq, so it’s an inclusive check.
  • $in and $nin: checks that the object’s property is one of the specified array values. Can be used for single values and for arrays as well. If the object’s property is an array it checks for intersection. $nin means not $in.
  • $all: checks that the object’s property contains all elements of the specified array. Can be used for arrays only.
  • $size: checks that the array length equals the specified value. Can be used for arrays only.
  • $regex: tests the object’s property value against a regular expression. Can be used for strings only.
  • $exists: checks whether the property exists in the object.
  • $elemMatch: checks the shape of nested elements. Use the $elemMatch operator to specify multiple criteria on the elements of an array such that at least one array element satisfies all the specified criteria. If you specify only a single condition in the $elemMatch expression, $elemMatch is not necessary. See Specify Multiple Conditions for Array Elements for details.

Refer to this resource for more details: Conditions in Depth

Getting the list of fields that can be used for the Subject


To get the list of fields available for each Subject, refer to the API documentation of your environment (accessible at https://your-env-hostname/api/v2/swagger) for an up-to-date list of possible objects (scroll towards the bottom).

The following placeholder fields can be used in Conditions and map to the logged-in user’s properties:

  • {{userId}} - Logged-in user’s ID
  • {{accountId}} - Logged-in user’s account ID
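To make the evaluation order concrete (placeholders substituted first, then each key of the conditions object tested against the Subject), here is an added example of a minimal evaluator for the JSON condition format and the operators listed above. It is not MetalSoft’s or CASL’s code, and the subject field names used in it are assumed for illustration:

```javascript
// Added example (not MetalSoft's or CASL's code): operator semantics follow
// the list above. Values such as dates are compared as ISO 8601 strings here.
const OPS = {
  $eq: (v, x) => v === x,
  $ne: (v, x) => v !== x,
  $lt: (v, x) => v < x,
  $lte: (v, x) => v <= x,
  $gt: (v, x) => v > x,
  $gte: (v, x) => v >= x,
  // $in on an array property checks for intersection, on a scalar for membership
  $in: (v, x) => (Array.isArray(v) ? v : [v]).some((e) => x.includes(e)),
  $nin: (v, x) => !OPS.$in(v, x),
  $all: (v, x) => Array.isArray(v) && x.every((e) => v.includes(e)),
  $size: (v, x) => Array.isArray(v) && v.length === x,
  $regex: (v, x) => typeof v === "string" && new RegExp(x).test(v),
  $exists: (v, x) => (v !== undefined) === x,
  // at least one array element must satisfy all nested criteria
  $elemMatch: (v, x) => Array.isArray(v) && v.some((e) => matches(e, x)),
};

// Replace the {{userId}} / {{accountId}} placeholders with the principal's values.
function bind(conditions, user) {
  const vars = { "{{userId}}": user.userId, "{{accountId}}": user.accountId };
  return JSON.parse(JSON.stringify(conditions), (_, v) =>
    typeof v === "string" && v in vars ? vars[v] : v);
}

// Does a subject satisfy one conditions object? Every key must match;
// an unknown operator never matches (fail closed).
function matches(subject, conditions) {
  return Object.entries(conditions).every(([field, expected]) => {
    const actual = subject[field];
    if (expected !== null && typeof expected === "object" && !Array.isArray(expected)) {
      return Object.entries(expected).every(([op, arg]) => OPS[op]?.(actual, arg) ?? false);
    }
    return actual === expected; // plain scalar value: implicit $eq
  });
}

// Full permission check: action and subject type must match, then the
// (placeholder-bound) conditions are evaluated against the subject instance.
function can(permission, action, subjectType, subject, user) {
  if (permission.action !== "all" && permission.action !== action) return false;
  if (permission.subject !== subjectType) return false;
  return matches(subject, bind(permission.conditions ?? {}, user));
}
```

A permission with no conditions object matches every instance of its Subject, which is why the Conditions field is the place to scope built-in actions such as Read or Update down to what a given Role should see.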

A separate field in the permission form allows the permission to be restricted to a specific list of the Subject’s fields rather than all of its fields. It can be used in conjunction with the Conditions field or on its own.

If nothing is entered there, all fields can be changed by the User (Principal) operating on the Subject.