Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

Authorization

Basics

Once the Microsegmentation Console knows the identity of the caller, it checks the API authorizations to decide if the user is allowed to perform the operation or not.

API authorizations use a tag expression that is based on the claim’s data field as a subject to assign roles to the caller. Roles contain a list of allowed resources and operations.

For instance, the role Namespace Administrator gives full read/write permissions on a namespace while the role Enforcer only gives permissions necessary for an enforcer to work properly.

Reusing the examples in Authentication it is possible to create the following API authorizations. As you can see below, the content of the tags in the subject field are coming from the data section of the JWT. They must be converted to @auth:<lower-case-key>=<value> to avoid any confusion with other tags.

Make the company account administrator a namespace administrator

The following API authorization makes the user, coming with a token for the account “company”, an administrator on the namespace /mynamespace and all the child namespaces.

field description
subject @auth:realm=vince and @auth:account=company
object @auth:role=namespace.administrator
namespace /acme
propagate true

@auth:realm=vince indicates that the token is coming from an Aporeto account.

Make the AWS security token bearer an enforcer

The following API authorization makes the user, coming with a token from AWS that has the role segment, an enforcer on the namespace /acme/app/gitlab only.

field description
subject @auth:realm=awssecuritytoken and @auth:rolename=segment
object @auth:role=enforcer
namespace /acme/app/gitlab