Limit access by API proxy to specific admin/config...

guycrets · 11-05-2020 01:00 AM

A proxy can by default access all objects in a single environment: KVM's, Caches, Target Servers...

Q: is there a way to limit access by an API proxy to specific admin/config objects?

Context of my question are multiple teams working in a single tenant:

Through RBAC, it is possible (but not trivial) to restrict access via Edge UI or Management API.
But any API proxy can access all admin objects in its environment. E.g. a proxy of team B can directly access team A's caches or (environment) KVM's
For KVM's, there is ultimately the option for proxy specific KVM's. But not for caches a.o. Neither shared flow specific KVM's.

Report Inappropriate Content

Just like environment has scope, cache is also having scope using which you can restrict for proxy. For target servers you don't have anything like that. Knowing only the target server and port doesn't give idea about the full path of the proxy.

guycrets

@Priyadarshi Ajitav Jena Thanks for your very fast response, but my question remains. Within a single environment, each proxy can access all caches a.o. environment config objects. Is there any restriction (permission mechanism)? Else I need to trust everyone else working in the same org/env not to read from "my" cache, read from "my" (environment) KVM etc.

Report Inappropriate Content

As I said earlier you can put particular scope for proxy in cache policies , so that other proxies will not be able to use. For target server it's not applicable.

Mostly companies have admin and developer teams separate. Login to edge UI is very restricted one.

Limit access by API proxy to specific admin/config objects?