Access Control Reference¶
Users and Groups and Roles¶
Principals (simple user or group information)¶
Task | Object | Action | Comments |
---|---|---|---|
Access basic principal information for user or group | /User/{name} or /Group/{name} | ReadSimple | |
Query simple user or group information | /User/{name} or /Group/{name} on each entity in result set | ReadSimple | Only those principals passing access control check are returned |
Users¶
Users are not namespaced entities, so all access control checks for operations relating to users are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.
Task | Object | Action | Comments |
---|---|---|---|
Direct creation of a new user (not by invitation email) | /Users/{userName} | Create | |
Create user by invitation | /Users/{userName} | Create | |
Return user entity for current user | No specific access control check is made | | |
Access a user entity | /Users/{userName} | Read | |
Delete a user entity | /Users/{userName} | Delete | |
Change the basic properties of a user (not membership information) | /Users/{userName} | Update | For a change of username, check is performed on both new and old names |
Query the groups of a user | /Users/{userName}/groups | Read | |
Query users | /Users/{userName} for each user in result set | Read | Only those entities passing the access control check are returned |
Groups¶
Groups are not namespaced entities, so all access control checks for operations relating to groups are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.
Task | Object | Action | Comments |
---|---|---|---|
Creation of a new Group | /Groups/{name} | Create | |
Access a group entity | /Groups/{name} | Read | |
Delete a group entity | /Groups/{name} | Delete | |
Change the basic properties of a group (not membership information) | /Groups/{name} | Update | For a rename, check is performed on both new and old names |
Query the memberships of a group | /Groups/{name}/members | Read | |
Add a member to a group | /Groups/{name}/members | Update | |
Delete a member from a group | /Groups/{name}/members | Update | |
Query groups | /Groups/{name} for each group in result set | Read | Only those entities passing the access control check are returned |
Altair SLC Hub provides a default set of groups that can be used to grant additional permissions to users. For a list of these groups and their associated roles, see Default Altair SLC Hub Groups.
Roles¶
Roles themselves are not namespaced entities, so all access control checks for operations relating to roles are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.
Task | Object | Action | Comments |
---|---|---|---|
Creation of a Role | /Roles/{name} | Create | |
Access a role | /Roles/{name} | Read | |
Delete a role | /Roles/{name} | Delete | |
Update basic properties of a role (not role bindings) | /Roles/{name} | Update | In the case of a rename, check is performed on both new and old names |
Query roles | /Roles/{name} for each role in result set | Read | |
Get a specific role | /Roles/{name} | Read | |
Role Bindings¶
The binding of a role to a user or group can be in the context of a namespace, or it can apply to all namespaces. All of the access control requests below are performed in the context of the namespace associated with the role binding.
Task | Object | Action | Comments |
---|---|---|---|
Create a role binding | /RoleBindings | Create | Request is based on the namespace in which the binding is made |
Delete a role binding | /RoleBindings | Delete | Request is based on the namespace in which the binding is made |
Query role bindings | /RoleBindings | Read | A check is performed for each namespace referenced by a role binding in the result set; role bindings are only returned for those namespaces for which that check is successful |
Bulk delete of role bindings | /RoleBindings | Delete | A check is performed for each namespace referenced by a role binding being deleted. All checks are required to pass for the delete to be authorized |
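The tables for users, groups, roles and role bindings all hinge on one rule: a check made without a namespace can only be satisfied by a binding that applies to all namespaces, while a check made in the context of a namespace is satisfied by a binding for that namespace or an all-namespace binding. The following model, added here as an illustration and not Altair SLC Hub's own code, evaluates requests under that rule, including the "both old and new names" rename check and the per-entity filtering used by query operations. The role format (object pattern plus action, with a trailing "/*" wildcard) and the sample principals, roles and bindings are assumptions constructed for the example.

```python
# Added illustrative model of the namespace rules in the tables above.
# Not Altair SLC Hub code: role permissions are assumed to be (object pattern, action)
# pairs, where a trailing "/*" matches everything beneath that prefix; the product's
# actual role format may differ.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL_NAMESPACES = None  # a binding whose namespace is None applies to every namespace


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Tuple[str, str]]  # (object pattern, action)


@dataclass(frozen=True)
class RoleBinding:
    role: str
    principal: str            # user name or group name
    namespace: Optional[str]  # None means "all namespaces"


def object_matches(pattern: str, obj: str) -> bool:
    """Exact match, or prefix match for a pattern ending in '/*' (assumed syntax)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-1]  # keep the trailing slash, e.g. '/Users/'
        return obj.startswith(prefix)
    return pattern == obj


def is_allowed(roles, bindings, principals, obj, action, namespace=None) -> bool:
    """Evaluate one access control request.

    namespace=None models a request made without a namespace (users, groups,
    roles, execution profiles ...): only all-namespace bindings can satisfy it,
    which is why namespace-scoped bindings are ineffective for those entities.
    A namespaced request (library definitions, deployments ...) is satisfied by a
    binding for that namespace or by an all-namespace binding.
    """
    for b in bindings:
        if b.principal not in principals:
            continue
        if b.namespace is not ALL_NAMESPACES and b.namespace != namespace:
            continue
        if any(object_matches(p, obj) and a == action
               for p, a in roles[b.role].permissions):
            return True
    return False


def rename_allowed(roles, bindings, principals, old_obj, new_obj, namespace=None) -> bool:
    """Rename or move: the Update check must pass on both the old and the new name."""
    return (is_allowed(roles, bindings, principals, old_obj, "Update", namespace)
            and is_allowed(roles, bindings, principals, new_obj, "Update", namespace))


def filter_query(roles, bindings, principals, objects, namespace=None) -> List[str]:
    """Query semantics: run the Read check per entity and keep only those that pass."""
    return [o for o in objects
            if is_allowed(roles, bindings, principals, o, "Read", namespace)]


# --- constructed sample data (not from the page) -----------------------------
ROLES = {
    "user-admin": Role("user-admin", frozenset({
        ("/Users/*", "Read"), ("/Users/*", "Update"), ("/Users/*", "Create")})),
    "lib-reader": Role("lib-reader", frozenset({("/LibraryDefinitions/*", "Read")})),
}
BINDINGS = [
    RoleBinding("user-admin", "alice", "analytics"),     # scoped: ineffective for /Users
    RoleBinding("user-admin", "bob", ALL_NAMESPACES),    # all namespaces: effective
    RoleBinding("lib-reader", "analysts", "analytics"),  # group binding, one namespace
]


def demo():
    alice = {"alice", "analysts"}  # principals = the user plus the groups they belong to
    bob = {"bob"}
    users = ["/Users/carol", "/Users/dave"]
    return {
        "alice_read_user": is_allowed(ROLES, BINDINGS, alice, "/Users/carol", "Read"),
        "bob_read_user": is_allowed(ROLES, BINDINGS, bob, "/Users/carol", "Read"),
        "bob_rename": rename_allowed(ROLES, BINDINGS, bob, "/Users/carol", "/Users/dave"),
        "alice_lib_analytics": is_allowed(ROLES, BINDINGS, alice,
                                          "/LibraryDefinitions/sales", "Read", "analytics"),
        "alice_lib_finance": is_allowed(ROLES, BINDINGS, alice,
                                        "/LibraryDefinitions/sales", "Read", "finance"),
        "alice_user_query": filter_query(ROLES, BINDINGS, alice, users),
        "bob_user_query": filter_query(ROLES, BINDINGS, bob, users),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Alice holds the same role as Bob, but because her binding is scoped to the analytics namespace it never applies to a check on /Users, which is made without a namespace; her group binding does apply to library definitions in analytics and not in finance. When auditing a deployment, look for namespace-scoped bindings of roles that only carry user, group, role or execution profile permissions: they grant nothing.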
Administration¶
Namespaces¶
Whilst namespaces are not themselves namespaced, the access control requests for operations on namespaces work slightly differently. Rather than the access control requests being based on an object string of /Namespaces/{name} with no namespace specified, the access control requests are based on a fixed object string of /Namespace, but the access control request is made in the context of the given namespace.
Task | Object | Action | Comments |
---|---|---|---|
Creation of a new namespace | /Namespace | Create | Request is made in the context of the given namespace |
Access a namespace entity | /Namespace | Read | Request is made in the context of the given namespace |
Delete a namespace entity | /Namespace | Delete | Request is made in the context of the given namespace |
Change the properties of a namespace | /Namespace | Update | Request is made in the context of the given namespace |
Query namespaces | /Namespace | Read | Request is made in the context of each namespace in the result set, and only those entities passing the access control check are returned |
Get the default namespace | /Namespace | Read | Check is performed for whatever namespace is currently the default |
Set the default namespace | /Namespace | Update | An Update check is performed on the new and old default namespaces (this equates to updating the isDefault property on both entities) |
Execution Profiles¶
Execution profiles are not namespaced entities, so all access control checks are performed without a namespace specified.
Task | Object | Action | Comments |
---|---|---|---|
Create a new execution profile | /ExecutionProfiles/{name} | Create | |
Access an execution profile entity | /ExecutionProfiles/{name} | Read | |
Make use of an execution profile to run a workload | /ExecutionProfiles/{name} | Use | |
Delete an execution profile entity | /ExecutionProfiles/{name} | Delete | |
Change the properties of an execution profile | /ExecutionProfiles/{name} | Update | For a rename, check is performed on both new and old names |
Query execution profiles | /ExecutionProfiles/{name} for each entity in the result set | Read | Only those entities passing the access control check are returned |
Get the default execution profile for a namespace | /ExecutionProfiles/{name} | Read | Check is performed for whatever profile is currently the default |
Execution Profile Bindings¶
In order to be used within a namespace, an execution profile has to be bound to that namespace. This involves creating an execution profile binding. The access control for execution profile bindings is all carried out with the /ExecutionProfileBindings object string, and the access control checks are performed in the context of the namespace that is the target of the binding.
Task | Object | Action | Comments |
---|---|---|---|
Create a binding to a namespace | /ExecutionProfileBindings | Create | Check performed in the context of the target namespace |
Remove a binding to a namespace | /ExecutionProfileBindings | Delete | Check performed in the context of the target namespace |
Set a profile as the default for a namespace | /ExecutionProfileBindings | Update | Check performed in the context of the target namespace |
List execution profile bindings | /ExecutionProfileBindings | Read | Check performed for each distinct namespace. Only bindings that pass the access control check are returned |
Cluster Nodes¶
Cluster nodes are not namespaced entities, so all access control checks are performed without a namespace specified.
Task | Object | Action | Comments |
---|---|---|---|
List cluster nodes | /ClusterNodes | List | |
Return details of a cluster node | /ClusterNodes/{nodeId} | Read | |
Return stats for a cluster node | /ClusterNodes/{nodeId} | Read | |
Return a list of all distinct attribute names on cluster nodes | /ClusterNodes | List | |
Return a list of all distinct node labels on cluster nodes | /ClusterNodes | List | |
Cluster Workloads¶
Cluster workloads are not namespaced entities, so all access control checks are performed without a namespace specified.
Task | Object | Action | Comments |
---|---|---|---|
List running jobs | /ClusterJobs | Read | |
Get details of a running job | /ClusterJobs | Read | |
View executions of a job | /ClusterJobs | Read | |
View log of a job execution | /ClusterJobs | Read | |
Cancel a job execution | /ClusterJobs | Update | |
Restart a job execution | /ClusterJobs | Update | |
View filesystem for a job | /ClusterJobs | Read | |
Data Access¶
Library Definitions¶
Library Definitions are namespaced entities, so all access control requests are performed in the context of the containing namespace.
Task | Object | Action | Comments |
---|---|---|---|
Creation of a library definition | /LibraryDefinitions/{name} | Create | |
Deletion of a library definition | /LibraryDefinitions/{name} | Delete | |
Update a library definition | /LibraryDefinitions/{name} | Update | For a rename, or a move to a different namespace, both new and old names are checked |
Get a library definition | /LibraryDefinitions/{name} | Read | |
Use a library definition in SAS language program | /LibraryDefinitions/{name} | Read | |
Query library definitions | /LibraryDefinitions/{name} for each matching result | Read | Only those entities for which the access control check passes are returned |
Create a libname binding | /LibraryDefinitions/{name} | CreateBinding | |
Delete a libname binding | /LibraryDefinitions/{name} | DeleteBinding | |
Update a libname binding | /LibraryDefinitions/{name} | UpdateBinding | Check performed on new and old Library Definition in the case of a binding being moved |
List bindings of a library definition | /LibraryDefinitions/{name} | ListBindings | |
Get specific libname binding | /LibraryDefinitions/{name} | GetBinding | |
Resolve the list of assigned libnames for a user | /LibraryDefinitions/{name} | Read | Access control check is performed for all library definitions for which there is a binding to the user or one of the groups the user is a member of. Libname bindings are only returned for those library definitions for which the access control check is successful. |
Authentication Domains¶
Authentication Domains are namespaced entities, so all access control requests are performed in the context of the containing namespace.
Task | Object | Action | Comments |
---|---|---|---|
Creation of an auth domain | /AuthDomains/{name} | Create | |
Deletion of an auth domain | /AuthDomains/{name} | Delete | |
Update an auth domain | /AuthDomains/{name} | Update | For a rename, or a move to a different namespace, both new and old names are checked |
Get an auth domain | /AuthDomains/{name} | Read | |
Query auth domains | /AuthDomains/{name} for each matching result | Read | Only those entities for which the access control check passes are returned |
Create a credential | /AuthDomains/{name} | CreateCredential | A user can create credentials for themselves if the allowPersonalCredentials field is set on an auth domain. |
Delete a credential | /AuthDomains/{name} | DeleteCredential | A user can delete credentials explicitly assigned to their user if the allowPersonalCredentials field is set on an auth domain. |
Update a credential | /AuthDomains/{name} | UpdateCredential | Check performed on new and old auth domain in the case of a credential being moved. A user can edit a credential explicitly assigned to their user if the allowPersonalCredentials field is set on an auth domain. |
Change the rank of a credential | /AuthDomains/{name} | UpdateCredential | A user can edit a credential explicitly assigned to their user if the allowPersonalCredentials field is set on an auth domain. |
Query credentials for an auth domain | /AuthDomains/{name} | ListCredentials | |
A user listing credentials bound to their user or any group they are a member of | No access control check is made | | |
Get a specific credential | /AuthDomains/{name} | GetCredential | |
Use an auth domain in a SAS language program | No specific access control check is made | | The only credentials returned are the ones associated with the user or one of the groups they are a member of |
Deployment Services¶
Artifact Repositories¶
Artifact repositories are not namespaced entities. Role bindings must therefore be for all namespaces to be effective.
Task | Object | Action | Comments |
---|---|---|---|
Create a new artifact repository | /ArtifactRepositories/{name} | Create | |
Update the definition of an artifact repository | /ArtifactRepositories/{name} | Update | |
Delete artifact repository | /ArtifactRepositories/{name} | Delete | |
Retrieve the definition of an artifact repository | /ArtifactRepositories/{name} | Read | |
List artifact repositories | /ArtifactRepositories/{name} | Read | Only those entities for which the access control check passes are returned |
Artifacts¶
Task | Object | Action | Comments |
---|---|---|---|
Upload a new artifact to a repository | /Artifacts/{repoName} | Upload | |
Replace an existing artifact in a repository | /Artifacts/{repoName} | Upload, Delete | |
Delete an artifact from a repository | /Artifacts/{repoName} | Delete | |
Download an artifact from a repository | /Artifacts/{repoName} | Read | Also requires Read permission for /ArtifactRepositories/{repoName} |
Query artifacts | /ArtifactRepositories/{repoName} | Read | Only those entities for which the access control check passes are returned |
Bulk delete artifacts | /Artifacts/{repoName} | Delete | |
Deployments¶
Deployments are namespaced entities, so any access control checks are performed in the context of the containing namespace.
Task | Object | Action | Comments |
---|---|---|---|
Create a new Deployment | /Ondemand/Deployments/{deploymentPath} | Create | |
Delete a Deployment | /Ondemand/Deployments/{deploymentPath} | Delete | |
Update a Deployment | /Ondemand/Deployments/{deploymentPath} | Update | In the case of the deployment path being changed, check is performed on the old and the new paths. |
Read a Deployment definition | /Ondemand/Deployments/{deploymentPath} | Read | |
Query Deployments | /Ondemand/Deployments/{deploymentPath} on any deployment in the result set | Read | Only those entities for which the access control check passes are returned |
Deployed program directory entries¶
The directory entries that result from deploying a program package are created in the same namespace as the deployment entity.
Task | Object | Action | Comments |
---|---|---|---|
Query program directory | /Directory/{fullProgramPath} on any program in the result set | Read | Only those entities for which the access control check passes are returned |
Run a program from the directory | /Directory/{fullProgramPath} | Run | |
Batch job executions¶
Batch job executions are namespaced entities. They are automatically created in the same namespace as the program directory entry from which they are created.
A batch program execution has an owner, the user who submitted the program and therefore created the execution. A user always has permission for any action on any batch executions they own, other than to view the job execution log.
Task | Object | Action | Comments |
---|---|---|---|
Submit a job | /Directory/{fullProgramPath} | Run | |
Repeat execution of a job | /Directory/{fullProgramPath} | Run | |
Get a job owned by another user | /Jobs | Read | |
Delete a job owned by another user | /Jobs | Delete | |
Cancel a job owned by another user | /Jobs | Cancel | |
View execution log of a job | /Jobs | ViewLog | |
List results of a job owned by another user | /Jobs | Read | |
View a result from a job owned by another user | /Jobs | Read | |
A user listing their own jobs | No specific access control check made | ||
Query jobs | /Jobs on all jobs in the result set | Read | |
Pipelines¶
Pipelines are namespaced entities, so in general all access control checks are performed in the context of the containing namespace.
Pipelines and Pipeline Folders¶
Pipelines and folders form a hierarchy much like a file system.
Task | Object | Action | Comments |
---|---|---|---|
Create a pipeline or pipeline folder | /Pipelines/{path} | Create | |
Delete a pipeline or pipeline folder | /Pipelines/{path} | Delete | Only one access control check is carried out, on the entity being deleted. In the case of a folder, no further access control checks are performed on any nested entities. |
Return a specific pipeline or folder | /Pipelines/{path} | Read | |
Submit a pipeline for execution | /Pipelines/{path} | Submit | Also requires Create permission for /PipelineRuns |
Update the definition of a pipeline | /Pipelines/{path} | Update | In the case of a rename, or moving the pipeline to a new folder, or namespace, checks are carried out with both new and old paths |
Triggers¶
Task | Object | Action | Comments |
---|---|---|---|
Create a trigger for a pipeline | /Pipelines/{path} | CreateTrigger | |
Update the definition of a trigger | /Pipelines/{path} | UpdateTrigger | |
Read the definition of a trigger | /Pipelines/{path} | GetTrigger | |
Delete a trigger for a pipeline | /Pipelines/{path} | DeleteTrigger | |
List triggers for a pipeline | /Pipelines/{path} | ListTriggers | |
Pipeline Runs¶
Pipeline runs are namespaced entities. They are automatically created in the same namespace as the pipeline from which they are created.
A pipeline run has an owner, the user who submitted the pipeline and therefore created the run. A user always has permission for any action on any pipeline runs they own.
Task | Object | Action | Comments |
---|---|---|---|
Get pipeline run details (pipeline owned by another user) | /PipelineRuns | Read | |
Get pipeline run status (pipeline owned by another user) | /PipelineRuns | Read | |
Create a pipeline run from a supplied pipeline definition | /PipelineRuns | Create | |
Delete a pipeline run owned by another user | /PipelineRuns | Delete | |
Cancel a pipeline run owned by another user | /PipelineRuns | Cancel | |
Get execution log of run owned by another user | /PipelineRuns | Read | |
List the available results of run owned by another user | /PipelineRuns | Read | |
Return a node result of a run owned by another user | /PipelineRuns | Read | |
List pipeline runs | /PipelineRuns for each distinct namespace in the query result | List | Results are only returned for those namespaces for which the access control check succeeds |
User listing their own pipeline runs | No specific access control check is made | | |
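The ownership rule for batch job executions and for pipeline runs differs in one detail that is easy to miss: a batch execution's owner still needs ViewLog on /Jobs to read the execution log, whereas a pipeline run's owner may do anything, log included. The following model, added here as an illustration and not Altair SLC Hub's own code, applies the owner shortcut before the ordinary role check for both kinds of execution and shows the listing behaviour (own executions need no check; other users' batch jobs need Read on /Jobs, other users' pipeline runs need List on /PipelineRuns, each in the execution's namespace). The `granted` set stands in for whatever the role-binding evaluation already resolved; the executions and grants are constructed sample data.

```python
# Added illustration of the ownership rules for batch job executions and pipeline
# runs; not Altair SLC Hub code. `granted` stands in for the (object, action,
# namespace) triples the role-binding evaluation already resolved for the user.
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

Grant = Tuple[str, str, str]  # (object string, action, namespace)


@dataclass(frozen=True)
class Execution:
    exec_id: str
    kind: str       # "batch" (a batch job execution) or "pipeline" (a pipeline run)
    namespace: str  # inherited from the program directory entry / pipeline
    owner: str      # the user who submitted it


OBJECT_FOR_KIND = {"batch": "/Jobs", "pipeline": "/PipelineRuns"}
LIST_ACTION_FOR_KIND = {"batch": "Read", "pipeline": "List"}


def execution_action_allowed(user: str, ex: Execution, action: str,
                             granted: Set[Grant]) -> bool:
    """Owner shortcut first, then the ordinary role-based check.

    Batch executions: the owner may do anything except view the execution log,
    which always needs ViewLog on /Jobs. Pipeline runs: the owner may do anything,
    including reading the log (a Read on /PipelineRuns for other users' runs).
    """
    if ex.owner == user and not (ex.kind == "batch" and action == "ViewLog"):
        return True
    return (OBJECT_FOR_KIND[ex.kind], action, ex.namespace) in granted


def visible_executions(user: str, executions: Iterable[Execution],
                       granted: Set[Grant]) -> List[str]:
    """Listing: own executions need no check; someone else's batch job needs Read
    on /Jobs, someone else's pipeline run needs List on /PipelineRuns, each
    evaluated in the execution's namespace."""
    visible = []
    for ex in executions:
        if ex.owner == user:
            visible.append(ex.exec_id)
        elif (OBJECT_FOR_KIND[ex.kind], LIST_ACTION_FOR_KIND[ex.kind], ex.namespace) in granted:
            visible.append(ex.exec_id)
    return visible


# --- constructed sample data (not from the page) -----------------------------
EXECUTIONS = [
    Execution("job-1", "batch", "analytics", "alice"),
    Execution("job-2", "batch", "analytics", "bob"),
    Execution("run-1", "pipeline", "analytics", "alice"),
    Execution("run-2", "pipeline", "finance", "bob"),
]
# Alice can read other users' jobs in analytics, but has no ViewLog and no
# /PipelineRuns permissions at all.
ALICE_GRANTS: Set[Grant] = {("/Jobs", "Read", "analytics")}


def demo():
    job1, job2, run1, run2 = EXECUTIONS
    with_viewlog = ALICE_GRANTS | {("/Jobs", "ViewLog", "analytics")}
    return {
        "owner_cancel_job": execution_action_allowed("alice", job1, "Cancel", ALICE_GRANTS),
        "owner_viewlog_job": execution_action_allowed("alice", job1, "ViewLog", ALICE_GRANTS),
        "owner_viewlog_job_with_grant": execution_action_allowed("alice", job1, "ViewLog", with_viewlog),
        "other_cancel_job": execution_action_allowed("alice", job2, "Cancel", ALICE_GRANTS),
        "other_read_job": execution_action_allowed("alice", job2, "Read", ALICE_GRANTS),
        "owner_run_log": execution_action_allowed("alice", run1, "Read", ALICE_GRANTS),
        "other_run_read": execution_action_allowed("alice", run2, "Read", ALICE_GRANTS),
        "alice_sees": visible_executions("alice", EXECUTIONS, ALICE_GRANTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Alice can cancel her own batch job without any binding but cannot read its log, while she can read the log of her own pipeline run with no binding at all; Bob's pipeline run in the finance namespace stays invisible to her because the List check on /PipelineRuns is made in that namespace. The practical consequence is that withholding ViewLog on /Jobs is the one lever that restricts a submitter's view of their own batch output, and that no equivalent lever exists for pipeline run logs.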