This repository has been archived by the owner on Jan 9, 2019. It is now read-only.

Define a read only api user

gschueler edited this page Aug 23, 2012 · 1 revision

To use the Yana API, you may want a user account with read-only access to the system.

For reference on configuring Yana roles and permissions, see Roles and Permissions.

You can of course use any user with a role that maps to the 'ROLE_YANA_USER' role, which is the default read-only role for all projects. This user would be able to retrieve all API output for every project.

Add read-only access for a single project

There are two ways to add read-only access for a particular project: by user, or by role.

By user

  1. Add a new user to your system, either via the Yana Spring internal mechanism, or via your external authorization system if using container authentication.
  2. Make sure the user account is not a member of any of the Yana Internal roles, all of which grant at least read access to all projects by default.
  3. If using container authentication, make sure the user is at least a member of the 'yana' or general yana-access role defined in your web.xml file.

Now you have a user account which can log in, but will not have any authorized access to any projects. You can now follow the instructions in Roles and Permissions to grant read permission to the user:

  • add a GRANT for 'read' permission to the username for the specific project.

By Role

If you want to add a new role with read-only access to a particular project, you must add a new Role (see Roles and Permissions). If using Container Authentication be sure to add the new role to your mapping definition. The role mapping definition might look like this:

roleMap = [myLDAPRole: 'ROLE_MY_READONLY_ACCESS']

This will map "myLDAPRole" from your authorization system, to an internal Yana role called 'ROLE_MY_READONLY_ACCESS'.

After defining the new Role, the role will not have any access to any projects by default.

Now you have a role whose members can log in, but which has no authorized access to any projects. You can now follow the instructions in Roles and Permissions to add the grant permission:

  • add a GRANT for 'read' permission to 'ROLE_MY_READONLY_ACCESS' for the specific project.

Deny read access for a single project

If you want to use the default 'user' internal role which grants read access to all projects, but want to remove access to certain projects, you can do this by denying 'read' permission for the role or user:

  • add a DENY 'read' permission to 'username' for the project

or

  • add a DENY 'read' permission to 'ROLE_YANA_USER' for the project, which will affect all users in that role.
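
The grant and deny rules described on this page can be checked against an intended access list before API credentials are handed out. The following is an added example, not Yana's own code: a simplified Python model in which the ACL tuples, user names and project names are constructed, and the rule that an explicit DENY overrides any GRANT is an assumption.

```python
# Simplified model of the read rules described on this page (not Yana's code).
DEFAULT_READ_ROLES = {"ROLE_YANA_USER"}  # page: default read-only role for all projects

# Constructed sample data: (effect, principal, project) entries for 'read'.
PROJECTS = ["inventory", "payroll", "staging"]
ACL = [
    ("GRANT", "api-reader", "inventory"),              # "By user"
    ("GRANT", "ROLE_MY_READONLY_ACCESS", "staging"),   # "By Role"
    ("DENY", "ROLE_YANA_USER", "payroll"),             # deny for a whole role
]


def can_read(user, roles, project, acl):
    """Return True if the user, directly or via a role, may read the project."""
    principals = {user} | set(roles)
    effects = {e for e, who, proj in acl if proj == project and who in principals}
    if "DENY" in effects:  # assumption: an explicit DENY beats any GRANT
        return False
    if "GRANT" in effects:
        return True
    # No explicit entry: only the default read role grants access.
    return bool(DEFAULT_READ_ROLES & set(roles))


def readable_projects(user, roles, projects, acl):
    """Return the sorted list of projects the user can effectively read."""
    return sorted(p for p in projects if can_read(user, roles, p, acl))


def audit_readonly_user(user, roles, projects, acl, intended):
    """List deviations between effective read access and the intended projects."""
    findings = []
    inherited = sorted(DEFAULT_READ_ROLES & set(roles))
    if inherited:
        findings.append(f"{user} holds default read role(s) {inherited}")
    actual = set(readable_projects(user, roles, projects, acl))
    findings += [f"unexpected read access to {p}" for p in sorted(actual - set(intended))]
    findings += [f"missing read access to {p}" for p in sorted(set(intended) - actual)]
    return findings


if __name__ == "__main__":
    print(readable_projects("api-reader", [], PROJECTS, ACL))
    print(audit_readonly_user("svc", ["ROLE_YANA_USER"], PROJECTS, ACL, ["inventory"]))
```

An empty findings list means the account reads exactly the intended projects; an account that still holds 'ROLE_YANA_USER' is reported because it inherits read access to every project without an explicit DENY.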