Access Control Reference¶
Users and Groups and Roles¶
Principals (simple user or group information)¶
| Task | Object | Action | Comments |
|---|---|---|---|
| Access basic principal information for user or group | /User/{name} or /Group/{name} | ReadSimple | |
| Query simple user or group information | /User/{name} or /Group/{name} on each entity in result set | ReadSimple | Only those principals passing access control check are returned |
Users¶
Users are not namespaced entities, so all access control checks for operations relating to users are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.
| Task | Object | Action | Comments |
|---|---|---|---|
| Direct creation of a new user (not by invitation email) | /Users/{userName} | Create | |
| Create user by invitation | /Users/{userName} | Create | |
| Return user entity for current user | No specific access control check | ||
| Access a user entity | /Users/{userName} | Read | |
| Delete a user entity | /Users/{userName} | Delete | |
| Change the basic properties of a user (not membership information) | /Users/{userName} | Update | For a change of username, check is performed on both new and old names |
| Query the groups of a user | /Users/{userName}/groups | Read | |
| Query users | /Users/{userName} for each user in result set | Read | Only those entities passing the access control check are returned |
Groups¶
Groups are not namespaced entities, so all access control checks for operations relating to groups are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.
| Task | Object | Action | Comments |
|---|---|---|---|
| Creation of a new Group | /Groups/{name} | Create | |
| Access a group entity | /Groups/{name} | Read | |
| Delete a group entity | /Groups/{name} | Delete | |
| Change the basic properties of a group (not membership information) | /Groups/{name} | Update | For a rename, check is performed on both new and old names |
| Query the memberships of a group | /Groups/{name}/members | Read | |
| Add a member to a group | /Groups/{name}/members | Update | |
| Delete a member from a group | /Groups/{name}/members | Update | |
| Query groups | /Groups/{name} for each group in result set | Read | Only those entities passing the access control check are returned |
Altair SLC Hub provides a default set of groups that can be used to add additional permissions for users. For a list of these groups and their associated roles see Default Altair SLC Hub Groups .
Roles¶
Roles themselves are not namespaced entities, so all access control checks for operations relating to users are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.
| Task | Object | Action | Comments |
|---|---|---|---|
| Creation of a Role | /Roles/{name} | Create | |
| Access a role | /Roles/{name} | Read | |
| Delete a role | /Roles/{name} | Delete | |
| Update basic properties of a role (not role bindings) | /Roles/{name} | Update | In the case of a rename, check is performed on both new and old names |
| Query roles | /Roles/{name} | for each role in result set | Read |
| Get a specific role | /Roles/{name} | Read |
Role Bindings¶
The binding of a role to a user or group can be in the context of a namespace, or it can apply to all namespaces. All of these access control requests are performed in the context of the namespace associate with the role binding.
| Task | Object | Action | Comments |
|---|---|---|---|
| Create a role binding | /RoleBindings | Create | Request is based on the namespace in which the binding is made |
| Delete a role binding | /RoleBindings | Delete | Request is based on the namespace in which the binding is made |
| Query role bindings | /RoleBindings | Read | A check is performed for each namespace referenced by a role binding in the result set, role bindings are only returned for those namespaces for which that check is successful |
| Bulk delete of role bindings | /RoleBindings | Delete | A check is performed for each namespace referenced by a role binding being deleted. All checks are required to pass for the delete to be authorized |
Administration¶
Namespaces¶
Whilst namespaces are not themselves namespaced, the access control requests
for operations on namespaces work slightly differently. Rather than the access
control requests being based on an object string of /Namespaces/{name} with
no namespace specified, the access control requests are based on a fixed object
string of /Namespace, but the access control request is made in the context
of the given namespace.
| Task | Object | Action | Comments |
|---|---|---|---|
| Creation of a new namespace | /Namespace | Create | Request is made in the context of the given namespace |
| Access a namespace entity | /Namespace | Read | Request is made in the context of the given namespace |
| Delete a namespaces entity | /Namespace | Delete | Request is made in the context of the given namespace |
| Change the properties of a namespace | /Namespace | Update | Request is made in the context of the given namespace |
| Query namespaces | /Namespace | Read | Request is made in the context of each namespace in the result set, and only those entities passing the access control check are returned |
| Get the default namespace | /Namespace | Read | Check is performed for whatever namespace is currently the default |
| Set the default namespace | /Namespace | Update | An Update check is performed on the new and old default namespaces (this equates to updating the isDefault property on both entities) |
Execution Profiles¶
Execution profiles are not namespaced entities, so all access control checks are performed without a namespace specified.
| Task | Object | Action | Comments |
|---|---|---|---|
| Create a new execution profile | /ExecutionProfiles/{name} | Create | |
| Access an execution profile entity | /ExecutionProfiles/{name} | Read | |
| Make use of an execution profile to run a workload | /ExecutionProfiles/{name} | Use | |
| Delete an execution profile entity | /ExecutionProfiles/{name} | Delete | |
| Change the properties of an execution profile | /ExecutionProfiles/{name} | Update | For a rename, check is performed on both new and old names |
| Query execution profiles | /ExecutionProfiles/{name} for each entity in the result set | Read | Only those entities passing the access control check are returned |
| Get the default execution profile for a namespace | /ExecutionProfiles/{name} | Read | Check is performed for whatever profile is currently the default |
Execution Profile Bindings¶
In order to be used within a namespace, an execution profile has to be bound to that namespace. This involves
creating an execution profile binding. The access control for execution profile bindings is all
carried out with the /ExecutionProfileBindings object string, and the access control checks are performed
in the context of the namespace that is the target of the binding.
| Task | Object | Action | Comments |
|---|---|---|---|
| Create a binding to a namespace | /ExecutionProfileBindings | Create | Check performed in the context of the target namespace |
| Remove a binding to a namespace | /ExecutionProfileBindings | Delete | Check performed in the context of the target namespace |
| Set a profile as the default for a namespace | /ExecutionProfileBindings | Update | Check performed in the context of the target namespace |
| List execution profile bindings | /ExecutionProfileBindings | Read | Check performed for each distinct namespace. Only bindings that pass the access control check are returned |
Cluster Nodes¶
Cluster nodes are not namespaced entities, so all access control checks are performed without a namespace specified.
| Task | Object | Action | Comments |
|---|---|---|---|
| List cluster nodes | /ClusterNodes | List | |
| Return details of a cluster node | /ClusterNodes/{nodeId} | Read | |
| Return stats for a cluster node | /ClusterNodes/{nodeId} | Read | |
| Return a list of all distinct attribute names on cluster nodes | /ClusterNodes | List | |
| Return a list of all distinct node labels on cluster nodes | /ClusterNodes | List |
Cluster Workloads¶
Cluster workloads are not namespaced entities, so all access control checks are performed without a namespace specified.
| Task | Object | Action | Comments |
|---|---|---|---|
| List running jobs | /ClusterJobs | Read | |
| Get details of a running job | /ClusterJobs | Read | |
| View executions of a job | /ClusterJobs | Read | |
| View log of a job executions | /ClusterJobs | Read | |
| Cancel a job execution | /ClusterJobs | Update | |
| Restart a job execution | /ClusterJobs | Update | |
| View filesystem for a job | /ClusterJobs | Read |
Data Access¶
Library Definitions¶
Library Definitions are namespaced entities, so all access control requests are performed in the context of the containing namespace.
| Task | Object | Action | Comments |
|---|---|---|---|
| Creation of a library definition | /LibraryDefinitions/{name} | Create | |
| Deletion of a library definition | /LibraryDefinitions/{name} | Delete | |
| Update a library definition | /LibraryDefinitions/{name} | Update | For a rename, or a move to a different namespace, both new and old names are checked |
| Get a library definition | /LibraryDefinitions/{name} | Read | |
| Use a library definition in SAS language program | /LibraryDefinitions/{name} | Read | |
| Query library definitions | /LibraryDefinitions/{name} for each matching result | Read | Only those entities for which the access control check passes are returned |
| Create a libname binding | /LibraryDefinitions/{name} | CreateBinding | |
| Delete a libname binding | /LibraryDefinitions/{name} | DeleteBinding | |
| Update a libname binding | /LibraryDefinitions/{name} | UpdateBinding | Check performed on new and old Library Definition in the case of a binding being moved |
| List bindings of a library definition | /LibraryDefinitions/{name} | ListBindings | |
| Get specific libname binding | /LibraryDefinitions/{name} | GetBinding | |
| Resolve the list of assigned libnames for a user | /LibraryDefinitions/{name} | Read | Access control check is performed for all library definitions for which there is a binding to the user or one of the groups the user is a member of. Libname bindings are only returned for those library definitions for which the access control check is successful. |
Authentication Domains¶
Authentication Domains are namespaced entities, so all access control requests are performed in the context of the containing namespace.
| Task | Object | Action | Comments |
|---|---|---|---|
| Creation of an auth domain | /AuthDomains/{name} | Create | |
| Deletion of an auth domain | /AuthDomains/{name} | Delete | |
| Update an auth domain | /AuthDomains/{name} | Update | For a rename, or a move to a different namespace, both new and old names are checked |
| Get an auth domain | /AuthDomains/{name} | Read | |
| Query auth domains | /AuthDomains/{name} for each matching result | Read | Only those entities for which the access control check passes are returned |
| Create a credential | /AuthDomains/{name} | CreateCredential | A user can create credentials for themselves if the allowPersonalCredentials field is set on an auth domain. |
| Delete a credential | /AuthDomains/{name} | DeleteCredential | A user can delete credentials explicitly assigned to their user if the allowPersonalCredentials field is set on an auth domain. |
| Update a credential | /AuthDomains/{name} | UpdateCredential | Check performed on new and old auth domain in the case of a credential being moved. A user can edit a credential explicitly assigned to their user if the allowPersonalCredentials field is set on an auth domain. |
| Change the rank of a credential | /AuthDomains/{name} | UpdateCredential | A user can edit a credential explicitly assigned to their user if the allowPersonalCredentials field is set on an auth domain. |
| Query credentials for an auth domain | /AuthDomains/{name} | ListCredentials | |
| A user listing credentials bound to their user or any group they are a member of | No access control check is made | ||
| Get a specific credential | /AuthDomains/{name} | GetCredential | |
| Use an auth domain in a SAS language program | No specific access control check made. The only credentials returned are the ones associated with the user or one of the groups they are a member of |
Deployment Services¶
Artifact Repositories¶
Artifact repositories are not namespaced entities. Role bindings must therefore be for all namespaces to be effective.
| Task | Object | Action | Comments |
|---|---|---|---|
| Create a new artifact repository | /ArtifactRepositories/{name} | Create | |
| Update the definition of an artifact repository | /ArtifactRepositories/{name} | Update | |
| Delete artifact repository | /ArtifactRepositories/{name} | Delete | |
| Retrieve the definition of an artifact repository | /ArtifactRepositories/{name} | Read | |
| List artifact repositories | /ArtifactRepositories/{name} | Read | Only those entities for which the access control check passes are returned |
Artifacts¶
| Task | Object | Action | Comments |
|---|---|---|---|
| Upload a new artifact to a repository | /Artifacts/{repoName} | Upload | |
| Replace an existing artifact in a repository | /Artifacts/{repoName} | Upload, Delete | |
| Delete an artifact from a repository | /Artifacts/{repoName} | Delete | |
| Download an artifact from a repository | /Artifacts/{repoName} | Read | Also requires Read permission for /ArtifactRepositories/{repoName} |
| Query artifacts | /ArtifactRepositories/{repoName} | Read | Only those entities for which the access control check passes are returned |
| Bulk delete artifacts | /Artifacts/{repoName} | Delete |
Deployments¶
Deployments are namespaced entities, so any access control checks are performed in the context of the containing namespace.
| Task | Object | Action | Comments |
|---|---|---|---|
| Create a new Deployment | /Ondemand/Deployments/{deploymentPath} | Create | |
| Delete a Deployment | /Ondemand/Deployments/{deploymentPath} | Delete | |
| Upate a Deployment | /Ondemand/Deployments/{deploymentPath} | Update | In the case of the deployment path being changed, check is performed on the old and the new paths. |
| Read a Deployment definition | /Ondemand/Deployments/{deploymentPath} | Read | |
| Query Deployments | /Ondemand/Deployments/{deploymentPath} on any deployment in the result set | Read | Only those entities for which the access control check passes are returned |
Deployed program directory entries¶
The directory entries that result from deployment a program package are created in the same namespace as the deployment entity.
| Task | Object | Action | Comments |
|---|---|---|---|
| Query program directory | /Directory/{fullProgramPath} on any program in the result set | Read | Only those entities for which the access control check passes are returned |
| Run a program from the directory | /Directory/{fullProgramPath} | Run |
Batch job executions¶
Batch job executions are namespaced entities. They are automatically created in the same namespace as the program directory entry from which they are created.
A batch program execution has an owner, the user who submitted the program and therefore created the execution. A user always has permission for any action on any batch executions they own, other than to view the job execution log.
| Task | Object | Action | Comments |
|---|---|---|---|
| Submit a job | /Directory/{fullProgramPath} | Run | |
| Repeat execution of a job | /Directory/{fullProgramPath} | Run | |
| Get a job owned by another user | /Jobs | Read | |
| Delete a job owned by another user | /Jobs | Delete | |
| Cancel a job owned by another user | /Jobs | Cancel | |
| View execution log of a job | /Jobs | ViewLog | |
| List results of a job owned by another user | /Jobs | Read | |
| View a result from a job owned by another user | /Jobs | Read | |
| A user listing their own jobs | No specific access control check made | ||
| Query jobs | /Jobs on all jobs in the result set | Read |
Pipelines¶
Pipelines are namespaced entities, so in general all access control checks are performed in the context of the containing namespace
Pipelines and Pipeline Folders¶
Pipelines and folders form a hierarchy much like a file system.
| Task | Object | Action | Comments |
|---|---|---|---|
| Create a pipeline or pipeline folder | /Pipelines/{path} | Create | |
| Delete a pipeline or pipeline folder | /Pipelines/{path} | Delete | Only one access control check is carried out, on the entity being deleted. In the case of a folder, no further access control checks are performed on any nested entities. |
| Return a specific pipeline or folder | /Pipelines/{path} | Read | |
| Submit a pipeline for execution | /Pipelines/{path} | Submit | |
| /PipelineRuns | Create | ||
| Update the definition of a pipeline | /Pipelines/{path} | Update | In the case of a rename, or moving the pipeline to a new folder, or namespace, checks are carried out with both new and old paths |
Triggers¶
| Task | Object | Action | Comments |
|---|---|---|---|
| Create a trigger for a pipeline | /Pipelines/{path} | CreateTrigger | |
| Update the definition of a trigger | /Pipelines/{path} | UpdateTrigger | |
| Read the definition of a trigger | /Pipelines/{path} | GetTrigger | |
| Delete a trigger for a pipeline | /Pipelines/{path} | DeleteTrigger | |
| List triggers for a pipeline | /Pipelines/{path} | ListTriggers |
Pipeline Runs¶
Pipeline runs are namespaced entities. They are automatically created in the same namespace as the pipeline from which they are created.
A pipeline run has an owner, the user who submitted the pipeline and therefore created the run. A user always has permission for any action on any pipeline runs they own.
| Task | Object | Action | Comments |
|---|---|---|---|
| Get pipeline run details (pipeline owned by another user) | /PipelineRuns | Read | |
| Get pipeline run status (pipeline owned by another user) | /PipelineRuns | Read | |
| Create a pipeline run from a supplied pipeline definition | /PipelineRuns | Create | |
| Delete a pipeline run owned by another user | /PipelineRuns | Delete | |
| Cancel a pipeline run owned by another user | /PipelineRuns | Cancel | |
| Get execution log of run owned by another user | /PipelineRuns | Read | |
| List the available results of run owned by another user | /PipelineRuns | Read | |
| Return a node result of a run owned by another user | /PipelineRuns | Read | |
| List pipeline runs | /PipelineRuns for each distinct namespace in the query result | List | Results are only returned for those namespaces for which the access control check succeeds |
| User listing their own pipeline runs | No specific access control check |