mbauer83.zio_http_authorization
A simple library for role-based and permission-based access-control with ZIO-http. Provides the means to declare and manage Resources, Permissions, Roles, Users and AuthorizationPolicies.
These policies can then be registered with an EndpointPolicyProvider as partial functions from Request to AuthorizationPolicy.
The EndpointPolicyProvider (e.g. DefaultEndpointPolicyProvider) can then be used to get a matching policy for a given Request.
AuthorizationPolicies hold information about the type of User and Resource they authorize, and define an effect to authorize a user of the specified type to access a resource of the specified type.
Out of the box, this library provides a policy which always denies access, a policy which always grants access, and a policy which grants access if the user has the SUPER Role, or if the resource's tenant-id matches the user's tenant-id, or if the resource has no tenant-id.
Attributes
- Supertypes: class Object, trait Matchable, class Any
- Self type: AuthorizationPolicy.type
An EndpointPolicyProvider is used to retrieve a matching AuthorizationPolicy for a given Request from a set of policies, each registered with a partial function from Request to the policy.
Attributes
- Supertypes: class Object, trait Matchable, class Any
- Self type
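The tenant-based policy and the partial-function lookup described above, modelled as an added Scala 3 example that is not the library's own code. Every name in it (Req, Policy, TenantPolicy, PolicyProvider) is hypothetical, plain Booleans stand in for the library's effects, and "first match wins" and "unmatched requests are denied" are assumptions the page does not state.

```scala
// Added illustration; all names are hypothetical and are NOT the library's API.
// Plain Booleans stand in for the effects the real policies return.
final case class Req(method: String, path: String) // stand-in for a ZIO-http Request
final case class User(id: String, tenantId: Option[String], roles: Set[String])
final case class Resource(id: String, tenantId: Option[String])

trait Policy:
  def authorize(user: User, resource: Resource): Boolean

object AlwaysDeny extends Policy:
  def authorize(user: User, resource: Resource): Boolean = false

// The tenant rule as the page states it: SUPER role, or a resource that
// carries no tenant id, or a resource tenant id equal to the user's.
object TenantPolicy extends Policy:
  def authorize(user: User, resource: Resource): Boolean =
    user.roles.contains("SUPER") ||
      resource.tenantId.isEmpty ||
      resource.tenantId == user.tenantId

// Policies are registered as partial functions from request to policy.
// Assumptions: the first matching registration wins, no match means deny.
final class PolicyProvider(registered: List[PartialFunction[Req, Policy]]):
  def policyFor(req: Req): Policy =
    registered.find(_.isDefinedAt(req)).map(_(req)).getOrElse(AlwaysDeny)

@main def demo(): Unit =
  val invoices: PartialFunction[Req, Policy] =
    case Req(_, path) if path.startsWith("/invoices/") => TenantPolicy
  val provider = PolicyProvider(List(invoices))

  // Constructed sample users, resources and requests.
  val alice = User("alice", Some("t1"), Set("USER"))
  val root  = User("root", None, Set("SUPER"))
  val cases = List(
    ("same tenant",       alice, Resource("inv-1", Some("t1")), Req("GET", "/invoices/inv-1")),
    ("other tenant",      alice, Resource("inv-2", Some("t2")), Req("GET", "/invoices/inv-2")),
    ("untenanted",        alice, Resource("inv-3", None),       Req("GET", "/invoices/inv-3")),
    ("SUPER, any tenant", root,  Resource("inv-2", Some("t2")), Req("GET", "/invoices/inv-2")),
    ("unregistered path", root,  Resource("cfg", None),         Req("GET", "/admin/config"))
  )
  for (label, user, res, req) <- cases do
    val granted = provider.policyFor(req).authorize(user, res)
    println(s"${label.padTo(18, ' ')} -> $granted")
```

The "untenanted" case is the one to review in a multi-tenant deployment: under the rule as stated, a resource stored without a tenant-id is readable by users of every tenant, so a missing tenant-id on a record widens access rather than blocking it.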
Permissions define specific (kinds of) actions that may be performed on a Resource by a User to which the permission is assigned together with a ResourceSelector.
Permissions contain a name which may be of type String or Symbol.
Attributes
- Supertypes: class Object, trait Matchable, class Any
- Self type: Permission.type
Resources are the objects to which access is restricted via AuthorizationPolicies. They are identified by a ResourceDescriptor which is generic in its type of ResourceId and TenantId.
Attributes
- Supertypes: class Object, trait Matchable, class Any
- Self type: Resource.type
Roles are the basic units of role-based authorization. They are tags which can be associated in a many-to-many fashion with Users. AuthorizationPolicies can then check if a given User is authorized to access or perform a specific kind of action on a given Resource based on data from the resource and from the user, including Roles and Permissions.
This library defines three common default roles: SUPER, ADMIN, and USER.
Attributes
- Supertypes: class Object, trait Matchable, class Any
- Self type: Role.type
Users are the basic subject of role-based authorization. They are generic in their type of UserId and tenant id.
Aside from their identity, users contain their assigned Roles and Permissions which can be checked by AuthorizationPolicies.
Attributes
- Supertypes: class Object, trait Matchable, class Any
- Self type: User.type