Overview
Permission created by an application can be shared with another application. This mechanism of sharing permission allows the receiving application to create role(s) with those permission.
Where can this be used?
- If you have multiple services in your project that use a common authorization pattern/model, you can orchestrate all the permission(s) in a single application and share those with multiple applications to be used across your services.
- If you want to control with fine-grained access across multiple applications but want to standardize permission(s) across them.
How is this achieved?
Permission sharing is primarily achieved with the help of a group as a container. Once the group is created, you can share permission(s) with the group, and add multiple applications to which you want to share your permission(s). Once shared, the application can use them to create roles.
- Create a permission using the application spec
- Create a group spec using the same application
- You need certain permission to create a group. If your application doesn’t have the required permission, raise a support ticket
- Now use the group uuid as a container to share the permission with the given application(s) using the permission sharing endpoint spec
- Once the permission is shared, the receiving application can use the shared permission to create roles
- To get list of application(s) to which a particular permission is shared, use this endpoint spec
Best practices
- Share only the permissions that are necessary for the target applications.
- Use fine-grained access controls to limit what each application can do.
- Organize permissions into specific groups for better management.
- Regularly review shared permissions to ensure they are still needed and remove any that are not.