User Access Management
Overview
The user access management system is designed for detailed control over who has access to which application resources. It employs a role-based access control (RBAC) model, where users are assigned to groups, and access rights are granted to these groups. This ensures efficient and secure access management.
Group Management
Creating a New Group
- Navigate to the Groups Section:
  - Open the Groups tab.
- Add a Group:
  - Click the Create Group button.
  - Specify a descriptive name and marker.
  - Assign initial access rights.
A Guest group is always created by default in a new project.
Inheriting Access Rights
In the "Groups" tab, previously created groups are displayed hierarchically, and the newly created group can be linked to an existing group to inherit rights from the parent group.
If a path restriction set in the parent group is overridden in the child group, the child group's restriction takes effect, unless the parent group has the "Final Permission" option set, in which case the parent's restriction cannot be overridden.
A group can only be specified if neither a parent nor a child group has already been selected.
Modifying Access Rights
The "Permissions" tab is key for editing access rights.
If you previously specified a parent group for inheriting rights, all information about the established accesses will be displayed in the table above, and editing inherited rights is prohibited. Rights that include exceptions and unused rights are grouped separately in the same table.
Access Rights Management
Creating Access Rights
To start creating a right, click the "Create Right" button in the "Permissions" tab.
An access right consists of a combination of method and path.

- Create a Minimal Set of Permissions:
- This option allows you to minimize the task of creating rights by generating the minimally required set of permissions.
Available only if there are no previously established permissions.
- Set Data Output Restrictions:
- This option is applicable only when "Create a Minimal Set of Permissions" is selected, setting a restriction on data output (10 records).
- API Section:
- A required parameter when creating new access, indicating the route for selecting permissions.
- Path:
- Selection is available only after choosing the API section, specifying the route for setting rights.
- Name:
- A mandatory field for naming the right.
- "Permissions" Table:
- The table presents a selection of HTTP methods for the specified path, indicating options for "unrestricted" and "with record limit".
For any path in the table, there are always 4 methods listed: GET, POST, PUT, DELETE.
- Additional Conditions:
  - These conditions appear only for "list" paths, not for all paths, and allow you to set exceptions for the documents that are returned.
  - For example, if you need to grant access to all pages with an exception, click the "Select which data you want to exclude" button. In the additional window that opens, select the data to restrict access to. For the pages API section, a hierarchical list of pages is displayed; for the attributes section, the attributes.
List of Available Paths with Additional Conditions:
/api/content/admins/all
/api/content/attributes-sets
/api/content/attributes-sets/{marker}/attributes
/api/content/pages
/api/content/blocks
/api/content/forms
/api/content/events/subscriptions
/api/content/orders-storage
/api/content/product-statuses
/api/content/templates
/api/content/template-previews
/api/content/integration-collections
After selecting data for exclusion, two new options appear. "Exclude" indicates that the selected data should be excluded. "Final Right" means this right is not inherited down the entire child group chain (this option becomes available only when "Exclude" is selected).
The selection of additional conditions depends on the chosen path and is not always available. When such a selection is available, it is marked with "Exceptions available for selection."
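The two inheritance rules described on this page (a child's override wins unless the parent right is marked "Final Permission", and a "Final Right" exclusion stops at the group that set it) are easy to get wrong when a group chain is more than two levels deep. The following is an added illustration, not the product's own code: a small model of groups and (method, path) rights that resolves the effective right for a group by walking its chain from the root down. The `Right` and `Group` classes, the `limit` field (None for "unrestricted", an integer for "with record limit"), the `final`/`exclude`/`exclude_final` flags and the sample hierarchy are all constructed assumptions used to stand in for the options named in the text.

```python
"""Toy model of how a (method, path) right resolves through a group chain.

Added illustration, not the product's own code. Assumptions:
- a right is keyed by HTTP method and path; limit=None means
  "unrestricted", an integer means "with record limit";
- `final` stands for the parent's "Final Permission": a child cannot
  override that right;
- `exclude` holds markers selected under "Exclude" on a list path, and
  `exclude_final` for "Final Right": the exclusion is not inherited.
"""
from dataclasses import dataclass, field
from typing import Optional

METHODS = ("GET", "POST", "PUT", "DELETE")


@dataclass
class Right:
    method: str
    path: str
    limit: Optional[int] = None            # None = unrestricted
    final: bool = False                    # "Final Permission"
    exclude: frozenset = frozenset()       # "Exclude" selection
    exclude_final: bool = False            # "Final Right"


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    rights: dict = field(default_factory=dict)  # (method, path) -> Right

    def grant(self, right: Right) -> None:
        self.rights[(right.method, right.path)] = right


def chain(group: Group) -> list:
    """Groups from the root ancestor down to `group`, in that order."""
    out = []
    while group is not None:
        out.append(group)
        group = group.parent
    out.reverse()
    return out


def resolve(group: Group, method: str, path: str):
    """Effective right for `group`, or None if no group in the chain grants it."""
    effective, owner = None, None
    for g in chain(group):
        own = g.rights.get((method, path))
        if own is None:
            continue
        if effective is not None and effective.final:
            # An ancestor marked this right "Final Permission": the override is ignored.
            continue
        effective, owner = own, g
    if effective is None:
        return None
    excluded = effective.exclude
    if effective.exclude_final and owner is not group:
        # "Final Right": the exclusion applies to the group that set it, not to its children.
        excluded = frozenset()
    return {"limit": effective.limit, "excluded": excluded, "source": owner.name}


def effective_table(group: Group, path: str) -> dict:
    """All four methods for one path, the way the Permissions table lists them."""
    return {m: resolve(group, m, path) for m in METHODS}


# Constructed sample hierarchy: Guest -> Editors -> Interns / Reviewers.
PAGES = "/api/content/pages"
guest = Group("Guest")
guest.grant(Right("GET", PAGES, limit=10))

editors = Group("Editors", parent=guest)
editors.grant(Right("GET", PAGES, exclude=frozenset({"drafts"}), exclude_final=True))
editors.grant(Right("POST", PAGES, final=True))

interns = Group("Interns", parent=editors)
interns.grant(Right("GET", PAGES, limit=10))   # child override: wins over the parent
interns.grant(Right("POST", PAGES, limit=1))   # ignored: the parent right is final

reviewers = Group("Reviewers", parent=editors)  # no own rights, inherits only

if __name__ == "__main__":
    for g in (guest, editors, interns, reviewers):
        print(g.name, effective_table(g, PAGES))
```

Running the module prints the effective table for each sample group. Reviewers, which has no rights of its own, inherits Editors' unrestricted GET on pages but not the "drafts" exclusion, because that exclusion was marked "Final Right"; Interns' attempt to narrow POST is dropped because Editors marked it "Final Permission". When auditing a real project, the same walk (root first, stop overriding at a final right) is what you would reproduce against the exported group configuration.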

List of available paths for configuration
By default, new rights fall into the "Unused Rights" section; to activate them, simply select them by clicking the checkbox to the left of the name.
To open the editor, use the button
To delete, use
Understanding Access Rights
Access rights are detailed settings that define what actions a group can perform with specific resources. They are organized by API sections and can be further refined using conditions.
Searching for Rights in the Table
Searching for the required rights in the table is done by entering text in the "Search Rights" field, selecting the necessary API sections in the selector, and choosing the "Select Unused" option.
Final Rights
The final rights tab is an informative table filtered by API sections for easier searching.
Example: Access Restriction for Products
- API Section: products
- Access Rights:
  - Read: Yes
  - Add: No
  - Edit: No
  - Delete: No
API Integration
The system provides an API for programmatic management of users, groups, and access rights. Below are examples of typical operations.
Example Request
/api/content/attributes-sets/product_1/attributes
Response without authorization (Guest group):
[
  {
    "type": "image",
    "value": {},
    "marker": "image",
    "position": 1,
    "listTitles": [],
    "validators": {
      "requiredValidator": {
        "strict": true
      }
    },
    "localizeInfos": {
      "title": "image"
    },
    "additionalFields": []
  },
  {
    "type": "textWithHeader",
    "value": {},
    "marker": "textheader",
    "position": 4,
    "listTitles": [],
    "validators": {},
    "localizeInfos": {
      "title": "text header"
    },
    "additionalFields": []
  },
  {
    "type": "image",
    "value": {},
    "marker": "image1",
    "position": 18,
    "listTitles": [],
    "validators": {
      "sizeInPixelsValidator": {
        "maxX": 0,
        "maxY": 0
      },
      "checkingFilesValidator": {
        "maxUnits": "kb",
        "maxValue": 0,
        "minUnits": "mb",
        "minValue": 0,
        "extensions": []
      }
    },
    "localizeInfos": {
      "title": "image"
    },
    "additionalFields": []
  }
]
Response with authorization, where all attribute fields are allowed in the rights:
[
  {
    "type": "image",
    "value": {},
    "marker": "image",
    "position": 1,
    "listTitles": [],
    "validators": {
      "requiredValidator": {
        "strict": true
      }
    },
    "localizeInfos": {
      "title": "image"
    },
    "additionalFields": []
  },
  {
    "type": "textWithHeader",
    "value": {},
    "marker": "textheader",
    "position": 4,
    "listTitles": [],
    "validators": {},
    "localizeInfos": {
      "title": "text header"
    },
    "additionalFields": []
  },
  {
    "type": "image",
    "value": {},
    "marker": "image1",
    "position": 18,
    "listTitles": [],
    "validators": {
      "sizeInPixelsValidator": {
        "maxX": 0,
        "maxY": 0
      },
      "checkingFilesValidator": {
        "maxUnits": "kb",
        "maxValue": 0,
        "minUnits": "mb",
        "minValue": 0,
        "extensions": []
      }
    },
    "localizeInfos": {
      "title": "image"
    },
    "additionalFields": []
  },
  {
    "type": "float",
    "value": {},
    "marker": "price",
    "position": 19,
    "listTitles": [],
    "validators": {},
    "localizeInfos": {
      "title": "price"
    },
    "additionalFields": []
  }
]
As we can see, the authorized user receives the additional attribute "price", which the Guest group's rights do not expose.
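A useful check after configuring rights is to request the same endpoint with and without authorization and compare the attribute markers that come back, so that a field restricted to an authorized group does not show up for Guest. The following is an added example, not the product's own client. The embedded responses are abbreviated, constructed copies of the two responses shown above (only the `type`, `marker` and `position` fields are kept); `fetch_attributes` assumes the token is sent as a bearer token in the `Authorization` header, which is an assumption about the deployment and not something this page states.

```python
"""Compare what the Guest group and an authorized group see on one endpoint.

Added example, not the product's own client. The embedded responses are
abbreviated, constructed copies of the two responses shown on the page.
`fetch_attributes` assumes `Authorization: Bearer <token>`; adjust it to
the deployment's actual authentication scheme.
"""
import json
import urllib.request

# Constructed: abbreviated Guest response (no "price" attribute).
GUEST_RESPONSE = json.loads("""
[
  {"type": "image", "marker": "image", "position": 1},
  {"type": "textWithHeader", "marker": "textheader", "position": 4},
  {"type": "image", "marker": "image1", "position": 18}
]
""")

# Constructed: abbreviated authorized response (all attribute fields allowed).
AUTHORIZED_RESPONSE = json.loads("""
[
  {"type": "image", "marker": "image", "position": 1},
  {"type": "textWithHeader", "marker": "textheader", "position": 4},
  {"type": "image", "marker": "image1", "position": 18},
  {"type": "float", "marker": "price", "position": 19}
]
""")


def markers(response):
    """Set of attribute markers present in a response."""
    return {attr["marker"] for attr in response}


def diff_markers(guest, authorized):
    """Markers only the authorized group receives, and markers only Guest receives."""
    g, a = markers(guest), markers(authorized)
    return {"authorized_only": a - g, "guest_only": g - a}


def leaked_to_guest(guest, restricted):
    """Markers that should be restricted but are visible without authorization."""
    return sorted(markers(guest) & set(restricted))


def fetch_attributes(base_url, set_marker, token=None, timeout=10):
    """Request /api/content/attributes-sets/{marker}/attributes, with or without a token.

    Assumption: the token is sent as `Authorization: Bearer <token>`.
    """
    url = f"{base_url}/api/content/attributes-sets/{set_marker}/attributes"
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed responses; against a live
    # project you would pass fetch_attributes(...) results instead.
    print(diff_markers(GUEST_RESPONSE, AUTHORIZED_RESPONSE))
    print("visible to Guest but restricted:", leaked_to_guest(GUEST_RESPONSE, ["price"]))
```

On the responses from this page, `diff_markers` reports `price` as authorized-only and `leaked_to_guest` returns an empty list, which is the expected result when the Guest group's rights are configured correctly. A non-empty list from `leaked_to_guest` is the signal to revisit the Guest group's rights for that path.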