Once the Microsegmentation Console knows the identity of the caller, it checks the API authorizations to decide if the user is allowed to perform the operation or not.
API authorizations use a tag expression that is based on the claim’s data field as a subject to assign roles to the caller.
Roles contain a list of allowed resources and operations.
For instance, the role Namespace Administrator gives full read/write permissions on a namespace while the role Enforcer only gives permissions necessary for an enforcer to work properly.
Reusing the examples in Authentication it is possible to create the following API authorizations.
As you can see below, the content of the tags in the subject field are coming from the data section of the JWT. They must be converted to @auth:<lower-case-key>=<value> to avoid any confusion with other tags.
Make the company account administrator a namespace administrator
The following API authorization makes the user, coming with a token for the account "company", an administrator on the namespace /mynamespace and all the child namespaces.
@auth:realm=vince indicates that the token is coming from an Aporeto account.
Make the AWS security token bearer an enforcer
The following API authorization makes the user, coming with a token from AWS that has the role segment, an enforcer on the namespace /acme/app/gitlab only.
