Does it make sense to use "groups:admins" as policy subject?

In the access control documentation there are a couple of policy examples with groups:admins as one of the subjects, e.g.

{
  "description": "One policy to rule them all.",
  "subjects": ["users:<[peter|ken]>", "users:maria", "groups:admins"],
  "actions" : ["delete", "<[create|update]>"],
  "effect": "allow",
  "resources": [
    "resources:articles:<.*>",
    "resources:printer"
  ],
  // ....
}

I am wondering where this group:* prefix is actually coming from. Because if I create a group via warden api with id equal to "admins", then I would expect the policy statement to reference this group directly by id, so "admins" in this case. (or not?)

On the other hand, my policy queries to warden will hardly ever have subject equal to something like groups:*, because I will be typically asking for user’s permissions or access token’s permission and the latter will probably be issued with subject equal to userId, or something like users:<userId>.

Having said that, it looks to me that groups:admins is not likely to occur in any real life scenario. This makes me think that either I am missing something or the example is indeed misleading.

Yeah, the group: prefix is actually arbitrary and has led to some confusion in the past. You can name it whatever you want to! The idea of prefixing is that there isn’t a name-clash because - for example - some user’s ID is admin as well.

Thanks for a quick response.

So if I would like to use groups:admins, then I would need to use that exact value as my (warden) group id. Is that correct?

yes, that is correct!
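To make the answer concrete, here is an added example (not code from the thread or from the Ladon/Hydra projects) that matches a request against the policy quoted in the question. The matcher is an assumed simplification: anything outside `<...>` in a subject, action or resource template is a literal, anything inside is a regular expression. Because "groups:admins" contains no `<...>`, it only ever matches a subject that is literally that string, so a group has to carry that exact id.

```go
package main

import (
	"regexp"
	"strings"
)

type Policy struct{ Subjects, Actions, Resources []string; Effect string }

// placeholderRe finds the <...> parts of a template such as "users:<[peter|ken]>".
var placeholderRe = regexp.MustCompile(`<[^>]*>`)

// templateToRegexp builds an anchored regexp: text outside <...> is quoted as a
// literal, text inside is used as a regexp (assumed simplification of the matcher).
func templateToRegexp(tmpl string) *regexp.Regexp {
	var sb strings.Builder
	last := 0
	for _, m := range placeholderRe.FindAllStringIndex(tmpl, -1) {
		sb.WriteString(regexp.QuoteMeta(tmpl[last:m[0]]))
		sb.WriteString("(?:" + tmpl[m[0]+1:m[1]-1] + ")")
		last = m[1]
	}
	sb.WriteString(regexp.QuoteMeta(tmpl[last:]))
	return regexp.MustCompile("^" + sb.String() + "$")
}

func matchesAny(templates []string, value string) bool {
	for _, t := range templates {
		if templateToRegexp(t).MatchString(value) {
			return true
		}
	}
	return false
}

// Allowed reports whether the policy grants subject the action on resource.
func (p Policy) Allowed(subject, action, resource string) bool {
	return p.Effect == "allow" && matchesAny(p.Subjects, subject) &&
		matchesAny(p.Actions, action) && matchesAny(p.Resources, resource)
}

// ExamplePolicy is the policy from the question; "groups:admins" is a plain literal.
var ExamplePolicy = Policy{
	Subjects:  []string{"users:<[peter|ken]>", "users:maria", "groups:admins"},
	Actions:   []string{"delete", "<[create|update]>"},
	Resources: []string{"resources:articles:<.*>", "resources:printer"},
	Effect:    "allow",
}
```

With this policy, `ExamplePolicy.Allowed("admins", "delete", "resources:printer")` is false while the same call with subject "groups:admins" is true, which is exactly why the warden group id has to be the full "groups:admins" string.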
