Update security section about uid scope (zalando#794)

* Update security section about uid scope Add more visible note that `uid` scope is also a valid scope for publicly available data, as this is often misunderstood, even if there is text about this below in the same section. * Restored previous formatting * improve suggestion with alligned update Co-authored-by: Miha Lunar <mlunar@gmail.com> * feat: remove read-only --------- Co-authored-by: Tronje Krop <tronje.krop@zalando.de> Co-authored-by: Miha Lunar <mlunar@gmail.com>
zepdev · Mar 5, 2024 · 4707e68 · 4707e68
1 parent fe3ff88
commit 4707e68
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/chapters/security.adoc b/chapters/security.adoc
@@ -54,7 +54,12 @@ because it exposes authentication server address details and may make use of red
 == {MUST} define and assign permissions (scopes)
 
 APIs must define permissions to protect their resources. Thus, at least one
-permission must be assigned to each API endpoint.
+permission must be assigned to each API endpoint. You should use the `uid`
+pseudo-scope to allow access to public and employee-only data (classified as
+`green` and `yellow` respectively). For sensitive data (`orange` or `red`),
+the `uid` scope based authorization must be either accompanied by individual
+object level authorization or use role based permissions through specific
+scopes.
 
 The naming schema for permissions corresponds to the naming schema for <<224,
 hostnames>> and <<213, event type names>>. Please refer to <<225>> for