Access Control Lists (Permissions)

Note
This page is marked as "earlydoc", which means that it more of a collection of notes and an early draft before this page turns into good documentation later on. It is hoped that this early form of documentation is useful to you, but please understand that most documentation pages are higher quality than this. If you have suggestions or comments, please do get in contact or consider contributing your suggestions to the OliveTin documentation.

You can control access to actions within OliveTin on a per-user basis, using Access Control Lists (ACL).

An action always starts with defaultPermissions (see below), and then then have one or more ACLs applied to it. This means that you can for example have an action that is only available to a certain group of users, or only to a single user.

Let’s say you have a user james and a usergroup admins. You can then create an ACL that only allows james and users in the admins group to view and execute an action.

You can specify default permissions for all actions by changing the defaultPermissions like this;

config.yaml
defaultPermissions:
  view: false
  exec: false
  logs: true

In the example above, all users will start off with the permissions to only see action logs - but will not be able to view or execute actions.

It is then possible to add an "admins" ACL on top of every action. In the example below, we define one extra ACL called "admins", which matches any users with the usergroup also called "admins". This ACL will then be applied to all actions, and will allow users in the "admins" usergroup to view and execute the action.

config.yaml
defaultPermissions:
  view: false
  exec: false

accessControlLists:
  - name: admins
    matchUsergroups:
      - admins
    permissions:
      view: true
      exec: true

actions:
  - title: Shutdown Reactor
    acls:
      - admins

ACL Matching - usernames and usergroups.

You can match users based on their usergroup which is the most common, but it is also possible to match based on the user’s username.

config.yaml
accessControlLists:
  - name: admins
    matchUsergroups:
      - admins
    permissions:
      view: true
      exec: true

  - name: james
    matchUserNames:
      - james
    permissions:
      view: true
      exec: true

Add an ACL to every action

Sometimes you want to define an ACL that applies to all actions. It can be tedious and error prone to manually add the ACL under the "acls" list for every action, if you have several actions. Instead, there is a shortcut to add an ACL to all actions - addToEveryAction: true.

config.yaml
accessControlLists:
  - name: admins
    matchUsergroups:
      - admins
    permissions:
      view: true
      exec: true
    addToEveryAction: true