You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Eric Holmes edited this page Sep 7, 2016
·
6 revisions
We'd like to have more control over who has access to what.
Scenario
I'm a company and I have two teams:
backend services
frontend
I only want to allow the frontend team access to frontend applications. The backend team should have access to all applications.
Idea - IAM like policies
The core API of Empire is well defined and gives us a good place to wrap it with an ACL, using a policy based approach, similar to how IAM works. Unfortunately, IAM is not extensible to third party services, so we'd have to implement it ourselves.
Within code, a policy would be defined as:
typePolicystruct {
// Either Allow or DenyEffectEffect// The actions allowed or denied. (e.g. empire:Run)Actions []string// Name of the resource. * for all.Resource []string
}
And the policies for the above scenario could be represented as: