Permission-Based Access Control
Invite new users and set up your Dfns access management with user permissions.
In this tutorial you will learn how to create permissions, how to invite users and finally how to assign permissions to users.
Create a new Permission
A permission is a whitelist of all operations a user is allowed to take. Permissions are designed to be assigned to users to help secure your organization by enforcing the principle of least privilege.
Select a name for your Permission and the operations to whitelist. Here, the permission grants assigned users read-only access to wallets:
```javascript
// Payload, method and path of the user-action-protected request
userActionPayload = {
  "name": "Wallet_Read_User",
  "operations": ["Wallets:Read"]
}
userActionHttpMethod = "POST"
userActionHttpPath = "/permissions"
```
Follow the process here to authorize the action request and get a userAction token that you can include in your request as the X-DFNS-USERACTION header. Call the permission creation endpoint, POST /permissions:
```javascript
fetch(`${baseURL}${userActionHttpPath}`, {
  method: userActionHttpMethod,
  headers: {
    "Content-Type": "application/json",
    Authorization: `Bearer ${token}`,
    "X-DFNS-USERACTION": userAction, // user action token obtained above
  },
  // Send the payload the user action token was issued for, not the HTTP method
  body: JSON.stringify(userActionPayload),
})
```
That's it! You have created a new permission! Now, let's get it assigned to a new user.
Invite a New User
We will invite a new User as an employee of your company. Employees can also access the dashboard and use the APIs. If you want to invite your end users, look at Delegated Registration instead.
When you invite a user, he will receive a registration email with a code allowing him to register to your organization. That user will be created without any permission. Just input his email:
```javascript
// Payload, method and path of the user-action-protected request
userActionPayload = {
  "email": "[email protected]",
  "kind": "CustomerEmployee"
}
userActionHttpMethod = "POST"
userActionHttpPath = "/auth/users"
```
Follow the process here to authorize the action request and get a userAction token that you can include in your request as the X-DFNS-USERACTION header. Call the user creation endpoint, POST /auth/users, to initiate the registration process:
```javascript
fetch(`${baseURL}${userActionHttpPath}`, {
  method: userActionHttpMethod,
  headers: {
    "Content-Type": "application/json",
    Authorization: `Bearer ${token}`,
    "X-DFNS-USERACTION": userAction, // user action token obtained above
  },
  // Send the payload the user action token was issued for, not the HTTP method
  body: JSON.stringify(userActionPayload),
})
```
The new user has been created and has received instructions to create his own credentials. We don't need to wait for him to complete his registration; let's go ahead and assign him our permission!
Assign Permissions
Final step! Let's give our user the rights he deserves! We will use the permission assignment endpoint to link the permission to the user we just created.
Not much choice here, just input the ids gathered above:
```javascript
// Payload, method and path of the user-action-protected request
userActionPayload = {
  "identityId": "{userId}"
}
userActionHttpMethod = "POST"
userActionHttpPath = "/permissions/{permission id}/assignments"
```
Follow the process here to authorize the action request and get a userAction token that you can include in your request as the X-DFNS-USERACTION header. Call the permission assignment endpoint, POST /permissions/{permission id}/assignments, to grant the permission:
```javascript
fetch(`${baseURL}${userActionHttpPath}`, {
  method: userActionHttpMethod,
  headers: {
    "Content-Type": "application/json",
    Authorization: `Bearer ${token}`,
    "X-DFNS-USERACTION": userAction, // user action token obtained above
  },
  // Send the payload the user action token was issued for, not the HTTP method
  body: JSON.stringify(userActionPayload),
})
```
Congrats! You have built the base of a tailored identity management policy; you can now keep refining it and assign permissions across your complete user base.
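The three steps above (create a permission, invite a user, assign the permission) chained together as one runnable flow. This is an added example, not Dfns's own code or SDK: the base URL, bearer token and the signUserAction helper are placeholders standing in for the real authorization process the tutorial links to, the fake API is an in-memory stand-in so the example runs offline, and the KNOWN_OPERATIONS allowlist (which only contains the "Wallets:Read" operation shown on this page) is an assumed least-privilege guard that rejects permission payloads naming operations you have not explicitly approved.

```javascript
// Added example, not Dfns's code. Constructed placeholders throughout.
const baseURL = "https://api.example.invalid"; // constructed placeholder
const token = "CONSTRUCTED_BEARER_TOKEN";       // constructed placeholder

// Least-privilege guard (assumption for this example): a permission may only
// whitelist operations you have explicitly approved. Only "Wallets:Read" is
// on the page, so that is the whole allowlist here.
const KNOWN_OPERATIONS = new Set(["Wallets:Read"]);

function validatePermissionPayload(payload) {
  if (typeof payload.name !== "string" || payload.name === "") throw new Error("permission name required");
  if (!Array.isArray(payload.operations) || payload.operations.length === 0) throw new Error("at least one operation required");
  for (const op of payload.operations) {
    if (!KNOWN_OPERATIONS.has(op)) throw new Error(`operation not on the allowlist: ${op}`);
  }
  return payload;
}

// Stand-in for the user-action signing process the page links to. The real
// token is obtained from that authorization flow; this just derives a label.
function signUserAction(method, path, payload) {
  return `CONSTRUCTED_USERACTION:${method}:${path}:${JSON.stringify(payload).length}`;
}

// Build the fetch arguments for a user-action-protected call. The body is the
// serialised payload the user action token was issued for.
function buildUserActionRequest(method, path, payload, userAction) {
  return {
    url: `${baseURL}${path}`,
    options: {
      method,
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${token}`,
        "X-DFNS-USERACTION": userAction,
      },
      body: JSON.stringify(payload),
    },
  };
}

// In-memory fake of the three endpoints so the flow runs without a network.
// It refuses requests that lack the user action header, mirroring the idea
// that these mutations must be explicitly authorized.
function makeFakeApi() {
  const state = { permissions: {}, users: {}, assignments: [] };
  let counter = 0;
  const reply = (status, data) => ({ status, json: async () => data });
  return {
    state,
    async fetch(url, options) {
      const path = url.slice(baseURL.length);
      if (!options.headers["X-DFNS-USERACTION"]) return reply(401, {});
      const body = JSON.parse(options.body);
      if (path === "/permissions" && options.method === "POST") {
        const id = `pm-${++counter}`;
        state.permissions[id] = { id, ...body };
        return reply(200, state.permissions[id]);
      }
      if (path === "/auth/users" && options.method === "POST") {
        const id = `us-${++counter}`;
        state.users[id] = { id, ...body };
        return reply(200, state.users[id]);
      }
      const m = path.match(/^\/permissions\/([^/]+)\/assignments$/);
      if (m && options.method === "POST") {
        if (!state.permissions[m[1]] || !state.users[body.identityId]) return reply(404, {});
        const assignment = { permissionId: m[1], identityId: body.identityId };
        state.assignments.push(assignment);
        return reply(200, assignment);
      }
      return reply(404, {});
    },
  };
}

async function callUserAction(api, method, path, payload) {
  const userAction = signUserAction(method, path, payload);
  const { url, options } = buildUserActionRequest(method, path, payload, userAction);
  const res = await api.fetch(url, options);
  if (res.status !== 200) throw new Error(`${method} ${path} failed with status ${res.status}`);
  return res.json();
}

// The page's three steps, in order: permission -> user -> assignment.
async function onboardReadOnlyUser(api, email) {
  const permission = await callUserAction(api, "POST", "/permissions",
    validatePermissionPayload({ name: "Wallet_Read_User", operations: ["Wallets:Read"] }));
  const user = await callUserAction(api, "POST", "/auth/users", { email, kind: "CustomerEmployee" });
  const assignment = await callUserAction(api, "POST",
    `/permissions/${permission.id}/assignments`, { identityId: user.id });
  return { permission, user, assignment };
}
```

Swapping makeFakeApi() for an object whose fetch is the real global fetch, and signUserAction for the real user-action signing step, turns this into a live client; the request-building and allowlist logic stays the same.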