Permissions Overview
Permissions enable you to control access to the API on a granular basis (following the ). As an example, if you have an employee who needs to initiate payments, but shouldn't be able to manipulate policies, you can do that.
Start by creating a Permission with some allowed operations in it, and assigning it to a User.
Permission - a Permission contains a set of Operations, and can be assigned to Users (or Service-Accounts, or Applications). When assigned to a User, a Permission allows that User to perform these operations in our API. Each created Permission has a unique name and a unique ID. A Permission can be assigned to one User, or to multiple Users, depending on what you need.
Operation - an operation can be added to a Permission, and grants access to one action in the API. There is a fixed list of operations that you can include in Permissions. Every API endpoint requires one (or several) operations to use it. E.g. the endpoint is the operation Wallets:Create.
Assignment - or "Permission Assignment", is the assignment of a given Permission to a given User (or Service-Account, or Application). A Permission can be assigned to a User (aka "granted"), or un-assigned from them (aka "revoked").
When your Dfns organisation is created, some Permissions already exist in it. They are special: some of them are automatically assigned, and some of them are immutable (cannot be updated or archived).
DfnsFullAdminAccess
This Permission is automatically assigned to the first User of the Organisation. It includes all existing (and future) operations available in Dfns API. It's immutable, so you cannot update it or archive it. You can only assign it or revoke it.
DfnsDefaultEndUserAccess
This unique Permission is assigned by default to any new EndUser in your organisation, and comes with an initial set of operations (which you can update at any time) allowing any EndUser to "do stuff with the wallet he owns" by default. Here is the initial set of operations in this permission:
This permission is meant to facilitate end-user permission management. Since all your end users have this permission assigned by default, you don't necessarily need to explicitly grant them other permissions to allow them to use their wallets, and you only need to modify this one permission to affect all your end users at once.
This permission is not immutable, and you still have full control over it (you can update the operations in it, un-assign it, or deactivate it, though these last two are probably edge cases).
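The Permission, Operation and Assignment definitions and the two pre-existing Permissions described above, modelled locally in Python as an added example; it is not Dfns code and calls no Dfns API. The `Org` class, the `*` wildcard standing in for "all existing (and future) operations", the `PaymentsInitiator` and `PolicyEditor` permissions, and every operation name other than `Wallets:Create` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALL_OPS = "*"  # assumption: stand-in for "all existing (and future) operations"

@dataclass
class Org:
    permissions: dict = field(default_factory=dict)  # permission name -> set of operations
    assignments: dict = field(default_factory=dict)  # identity -> set of permission names

    def assign(self, identity, permission):
        if permission not in self.permissions:
            raise KeyError(f"unknown permission: {permission}")
        self.assignments.setdefault(identity, set()).add(permission)

    def revoke(self, identity, permission):
        self.assignments.get(identity, set()).discard(permission)

    def effective_ops(self, identity):
        """Union of the operations in every Permission assigned to the identity."""
        ops = set()
        for name in self.assignments.get(identity, ()):
            ops |= self.permissions[name]
        return ops

    def allowed(self, identity, required_ops):
        """An endpoint may require several operations; all of them must be granted."""
        ops = self.effective_ops(identity)
        return ALL_OPS in ops or set(required_ops) <= ops

    def excess(self, identity, needed_ops):
        """Operations granted beyond what the identity needs (least-privilege drift)."""
        ops = self.effective_ops(identity)
        return {ALL_OPS} if ALL_OPS in ops else ops - set(needed_ops)

def build_sample_org():
    # Constructed data: only the two Dfns* permission names and Wallets:Create
    # appear on the page; the other names and all operation sets are hypothetical.
    org = Org(permissions={
        "DfnsFullAdminAccess": {ALL_OPS},
        "DfnsDefaultEndUserAccess": {"Example:UseOwnWallet"},
        "PaymentsInitiator": {"Example:InitiatePayment"},
        "PolicyEditor": {"Example:UpdatePolicy"},
    })
    org.assign("first-user", "DfnsFullAdminAccess")
    org.assign("employee", "PaymentsInitiator")
    for end_user in ("end-user-1", "end-user-2"):
        org.assign(end_user, "DfnsDefaultEndUserAccess")
    return org

if __name__ == "__main__":
    org = build_sample_org()
    for who in sorted(org.assignments):
        print(who, sorted(org.effective_ops(who)))
```

Running `excess` for each identity against the operations it actually needs gives a quick review list of over-broad grants, with any holder of `DfnsFullAdminAccess` always reported.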
Here's a list of all operations available in Dfns API: