Pattern-based permissions for custom roles

Dears,

We have multiple project teams, each working on their own set of APIs and other artifacts such as KVMs, caches and target servers. We are planning to use RBAC to isolate these project teams' artifacts.

Project 1 - AT10

Project 2 - BT20

We have all artifacts prefixed with their ID, e.g. at10_customer_management, bt20_product_management.

We don't want Project 1 to have access to Project 2 APIs and artifacts in Apigee. One approach is creating a custom role for each project and adding the individual API artifact names to the custom role. But this is not scalable, as each time an artifact is created by a project it will need to be added to the custom role.

Is there a possibility of creating a role with a permission such as 'at10_*', so that all the APIs or artifacts starting with this prefix will be allowed in the role?


If you are using Apigee X/hybrid, you can have wildcard-based RBAC controls. I suggest you review the article that covers this topic in detail:

https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/RBAC-with-Fine-Grained-Access-Apigee-...

Thanks @apickelsimer, we have OPDK, where these features are not available. I checked the permissions reference and found that only hardcoded values are supported for the artifacts or environments. Wildcard-based permissions are not working using the roles and permissions management API.

Any plans to add this feature in OPDK?

I am not aware of any plans to add this feature to OPDK.
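
Added example, not written by any poster in this thread and not Apigee code: with the per-artifact approach from the question, the role grants can be reconciled against the artifact inventory by prefix, which also flags grants that cross project boundaries. The role names, resource path strings and sample data are constructed assumptions; use the path format from the permissions reference for your installation.

```python
# Added example: role names, path strings and sample data are constructed.

# Assumption: one custom role per project, keyed by the artifact-name prefix.
ROLE_PREFIXES = {"at10_role": "at10_", "bt20_role": "bt20_"}


def owner_role(path):
    """Return the role whose prefix matches the artifact name (last path segment)."""
    name = path.rstrip("/").rsplit("/", 1)[-1].lower()
    matches = [role for role, prefix in ROLE_PREFIXES.items() if name.startswith(prefix)]
    return matches[0] if len(matches) == 1 else None


def plan(inventory, current):
    """Compare the artifact inventory with what each role is granted today.

    inventory: iterable of resource paths that exist in the organization.
    current:   dict of role -> set of resource paths currently granted.
    Returns (to_add, to_revoke, unowned).
    """
    expected = {role: set() for role in ROLE_PREFIXES}
    unowned = []
    for path in inventory:
        role = owner_role(path)
        if role is None:
            unowned.append(path)  # no project prefix: needs a manual decision
        else:
            expected[role].add(path)
    to_add = {r: sorted(expected[r] - current.get(r, set())) for r in ROLE_PREFIXES}
    # Revoke grants on another project's artifacts and on artifacts that no longer exist.
    to_revoke = {r: sorted(current.get(r, set()) - expected[r]) for r in ROLE_PREFIXES}
    return to_add, to_revoke, unowned


# Constructed inventory and current grants for illustration.
INVENTORY = [
    "/apis/at10_customer_management",
    "/apis/at10_orders",
    "/apis/bt20_product_management",
    "/environments/prod/keyvaluemaps/bt20_settings",
    "/apis/shared_healthcheck",
]
CURRENT = {
    "at10_role": {"/apis/at10_customer_management", "/apis/bt20_product_management"},
    "bt20_role": {"/apis/bt20_product_management", "/apis/bt20_retired"},
}

if __name__ == "__main__":
    for label, result in zip(("add", "revoke", "unowned"), plan(INVENTORY, CURRENT)):
        print(label, result)
```
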