Migrating from Role Grants to Access Rules

Evan Todd edited this page Feb 21, 2022 · 5 revisions

To increase flexibility when managing thousands of Resources, Role Grants have been deprecated in favor of Access Rules, which allow you to grant access based on Resource Tags and Type.

The following examples demonstrate the deprecated Role Grants, Dynamic Access Rules with Tags and Resource Types, and Static Access Rules for backwards compatibility with Role Grants.

Important Versioning Caveat

This guide only applies to version 2.0 and up of the Python SDK. Prior to 2.0, the SDK includes only rudimentary beta support for access rules. Prior to 1.0.27, it does not support access rules at all. We strongly recommend upgrading to 2.0 when it is available.

Furthermore, before you can use access rules, your organization must undergo the "Access Overhaul" migration to enable the new UI and a myriad of other features. Contact support@strongdm.com to learn more.

Role Grants (deprecated)

Previously, you would grant a role access to specific resources by ID via role grants:

import os
import strongdm

# Authenticate with an API key pair; here the key is read from environment variables.
client = strongdm.Client(os.getenv("SDM_API_ACCESS_KEY"), os.getenv("SDM_API_SECRET_KEY"))

role = strongdm.Role(name = "Engineering")
role = client.roles.create(role).role

resource = strongdm.Redis(
    name = "Session Cache Server",
    hostname = "example.com",
    port = 6379,
    port_override = 4020,
    tags = {"env": "dev", "region": "us-west"},
)
resource = client.resources.create(resource).resource

# Bind the role to this single resource by ID (the deprecated mechanism).
role_grant = strongdm.RoleGrant(
    role_id = role.id,
    resource_id = resource.id,
)
role_grant = client.role_grants.create(role_grant).role_grant

Dynamic Access Rules

When using Access Rules, the best practice is to grant access to Resources based on their Type and Tags, so that new Resources with matching attributes are covered without editing the Role:

role = strongdm.Role(
    name = "Engineering",
    access_rules = [
        # grant access to all dev environment resources in us-west
        {
            "tags": {
                "region": "us-west",
                "env": "dev",
            },
        },

        # grant access to all postgres resources
        {
            "type": "postgres",
        },

        # grant access to all redis resources in us-east
        {
            "type": "redis",
            "tags": {
                "region": "us-east",
            },
        },
    ],
)
role = client.roles.create(role).role

Static Access Rules

If you need to grant access to specific Resources, as Role Grants did, you can list Resource IDs directly in Access Rules. Such rules do not adapt when new Resources are added, so they are best reserved for backwards compatibility.

# resource_id and role_id are the IDs of an existing Resource and Role
# (for example the ones created in the Role Grants section above).
resource = client.resources.get(resource_id).resource

role = client.roles.get(role_id).role

# Replace the role's rules with a single static rule naming the resource by ID.
role.access_rules = [
    { "ids": [resource.id] },
]
role = client.roles.update(role).role
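The following is an added example, not code from this wiki page or from the strongDM SDK: an offline simulation of which Resources a set of Access Rules selects, plus a helper that converts deprecated Role Grants into the equivalent static (id-based) rules. It lets you preview the set of Resources a Role will be able to reach before you call client.roles.update. The matching semantics are assumed from the page's examples (every criterion inside one rule must hold, and a Role grants access if any of its rules matches); the RESOURCES inventory and the legacy grants are constructed for the example.

```python
# Added example (not part of the strongDM wiki page or SDK): a small offline
# simulation of how access rules select resources, plus a helper that turns
# legacy role grants into equivalent static (id-based) access rules.
# Assumed semantics, taken from the page's examples: within one rule every
# listed criterion (type, tags, ids) must match, and a role grants access to a
# resource if ANY of its rules matches. The resource records below are constructed.

from collections import defaultdict

# Constructed inventory: id, type and tags, mirroring the fields the SDK exposes.
RESOURCES = [
    {"id": "rs-dev-redis", "type": "redis", "tags": {"env": "dev", "region": "us-west"}},
    {"id": "rs-prod-redis", "type": "redis", "tags": {"env": "prod", "region": "us-east"}},
    {"id": "rs-dev-pg", "type": "postgres", "tags": {"env": "dev", "region": "us-west"}},
    {"id": "rs-prod-pg", "type": "postgres", "tags": {"env": "prod", "region": "eu-west"}},
    {"id": "rs-dev-mysql", "type": "mysql", "tags": {"env": "dev", "region": "us-east"}},
]


def rule_matches(rule, resource):
    """Return True if a single access rule selects the given resource.

    Every criterion present in the rule must hold. A rule with no criteria is
    treated as matching nothing here; that is this example's own conservative
    choice, since the page does not define what an empty rule means."""
    if not any(k in rule for k in ("type", "tags", "ids")):
        return False
    if "ids" in rule and resource["id"] not in rule["ids"]:
        return False
    if "type" in rule and resource["type"] != rule["type"]:
        return False
    for key, value in rule.get("tags", {}).items():  # all listed tags must match
        if resource["tags"].get(key) != value:
            return False
    return True


def resources_granted(access_rules, resources=RESOURCES):
    """Sorted IDs of the resources a role with these rules can reach (union over rules)."""
    return sorted(r["id"] for r in resources
                  if any(rule_matches(rule, r) for rule in access_rules))


def role_grants_to_access_rules(role_grants):
    """Group legacy {role_id, resource_id} grants into one static rule per role.

    Each role gets a single {"ids": [...]} rule, the direct equivalent of its
    deprecated role grants."""
    ids_by_role = defaultdict(list)
    for grant in role_grants:
        ids_by_role[grant["role_id"]].append(grant["resource_id"])
    return {role_id: [{"ids": sorted(set(ids))}] for role_id, ids in ids_by_role.items()}


if __name__ == "__main__":
    # The three dynamic rules from the page, evaluated against the constructed inventory.
    engineering_rules = [
        {"tags": {"region": "us-west", "env": "dev"}},
        {"type": "postgres"},
        {"type": "redis", "tags": {"region": "us-east"}},
    ]
    print("Engineering can reach:", resources_granted(engineering_rules))

    # Constructed legacy grants, converted to static rules for a like-for-like migration.
    legacy = [
        {"role_id": "r-eng", "resource_id": "rs-dev-redis"},
        {"role_id": "r-eng", "resource_id": "rs-dev-pg"},
        {"role_id": "r-ops", "resource_id": "rs-prod-pg"},
    ]
    for role_id, rules in role_grants_to_access_rules(legacy).items():
        print(role_id, rules, "->", resources_granted(rules))
```

Running the block shows that the page's three Engineering rules reach every dev resource in us-west, every postgres resource and the us-east redis, but not the dev mysql in us-east, because the tags inside one rule are combined with AND. The migration helper produces one ids rule per Role; a review of its output is a good moment to decide which of those static lists can become tag or type rules instead.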

Raw JSON Access Rules

If you like, you can also write your access rules in raw JSON:

import json
access_rules_json = '''[
    { "type": "postgres", "tags": {"env": "prod"} },
    { "ids": ["rs-1234"] }
]'''

# role is a Role created or fetched earlier (e.g. client.roles.get(role_id).role).
role.access_rules = json.loads(access_rules_json)
# ...
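Because json.loads accepts any well-formed JSON, a typo such as "tag" or "id" in a hand-written rule is not caught before the Role is updated. The following is an added example, not code from this page or from the strongDM SDK: a validator that checks raw JSON rules against the shape the page's examples use (a list of objects whose only keys are "type", "tags" and "ids") before they are assigned to role.access_rules. Treating unknown keys and criterion-less rules as errors is this example's own policy; the sample JSON strings are constructed.

```python
# Added example (not from the strongDM page or SDK): validate raw JSON access
# rules before handing them to role.access_rules. The accepted shape is the one
# the page's examples use: a JSON array of objects whose only keys are "type"
# (string), "tags" (object of string -> string) and "ids" (non-empty list of
# strings). Rejecting anything else is this example's own policy, chosen so
# that a misspelled key fails loudly instead of silently granting the wrong set.

import json

ALLOWED_KEYS = {"type", "tags", "ids"}


def validate_access_rules(rules):
    """Return a list of human-readable problems; an empty list means well-formed."""
    problems = []
    if not isinstance(rules, list):
        return ["access rules must be a JSON array"]
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append(f"rule {i}: must be an object")
            continue
        unknown = set(rule) - ALLOWED_KEYS
        if unknown:
            problems.append(f"rule {i}: unknown keys {sorted(unknown)}")
        if not set(rule) & ALLOWED_KEYS:
            problems.append(f"rule {i}: has no type, tags or ids criterion")
        if "type" in rule and not isinstance(rule["type"], str):
            problems.append(f"rule {i}: type must be a string")
        tags = rule.get("tags")
        if tags is not None and not (
            isinstance(tags, dict)
            and all(isinstance(k, str) and isinstance(v, str) for k, v in tags.items())
        ):
            problems.append(f"rule {i}: tags must be an object of string values")
        ids = rule.get("ids")
        if ids is not None and not (
            isinstance(ids, list) and ids and all(isinstance(x, str) for x in ids)
        ):
            problems.append(f"rule {i}: ids must be a non-empty list of strings")
    return problems


def load_access_rules(json_text):
    """Parse JSON text into rules, raising ValueError if they are malformed."""
    rules = json.loads(json_text)  # raises json.JSONDecodeError (a ValueError) on bad JSON
    problems = validate_access_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    return rules


if __name__ == "__main__":
    # Constructed input: the page's two rules, plus one with a misspelled key.
    good = '[{ "type": "postgres", "tags": {"env": "prod"} }, { "ids": ["rs-1234"] }]'
    print(load_access_rules(good))
    bad = '[{ "tag": {"env": "prod"} }, { "ids": [] }]'
    print(validate_access_rules(json.loads(bad)))
```

Use load_access_rules in place of a bare json.loads when assigning role.access_rules; the ValueError it raises lists every problem found, so a reviewer can fix the JSON in one pass.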