In the Mavryx system, scopes declare which microservices an application wants to use; they are the first level of checking whether a particular microservice/service should be available to the application. The second level of object-availability checking is the ACL lists.
Regardless of Scope or ACL, sensitive data such as ‘secrets’ or ‘passwords’ are never returned.
Scope pattern:
{service_space_name}:{access_level}
or
{service_space_name}:{resource}:{access_level}
You can use * as a wildcard; for example, me:* grants access to everything inside the service/space me.
Space / Service Name | Description | Services
---|---|---
me:manage | Enables editing of personal information. | accounts, profile, auth
me:view | Allows browsing of personal information. | accounts, profile, auth
auth:manage | | auth
auth:view | | auth
auth:clients:manage | | auth
auth:clients:view | | auth
auth:user:manage | | auth
auth:user:view | | auth
Basic rule:
The first thing checked is whether the token allows access to the resource at all.
If not, the system returns a 401 error.
If yes, the access mode is checked. For a read (GET method), the access level and whether reading/writing is possible are verified. If not, the system returns a 401 error.
For a write (PUT, POST, DELETE), the access level and whether writing is possible are verified. If not, the system returns a 401 error.
Next, the system checks the ACL lists. See the ACL documentation to learn more about how ACL lists work.
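The scope check described above, written out as an added example (not Mavryx's own code). It assumes that GET is a read and PUT/POST/DELETE are writes, that `manage` permits both reading and writing while `view` permits reading only, that a scope without a resource segment (e.g. auth:manage) covers every resource in that service, and that `*` matches any resource or access level; the ACL step is out of scope here.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed mapping of HTTP methods to access modes and of levels to modes
# (the page names the methods and levels; this pairing is our assumption).
READ_METHODS = {"GET"}
WRITE_METHODS = {"PUT", "POST", "DELETE"}
LEVEL_ALLOWS = {"view": {"read"}, "manage": {"read", "write"}}


@dataclass(frozen=True)
class Scope:
    service: str
    resource: Optional[str]  # None: scope covers the whole service/space
    level: str               # 'view', 'manage' or '*'


def parse_scope(text: str) -> Scope:
    """Parse '{service}:{level}' or '{service}:{resource}:{level}'."""
    parts = text.split(":")
    if len(parts) == 2:
        return Scope(parts[0], None, parts[1])
    if len(parts) == 3:
        return Scope(parts[0], parts[1], parts[2])
    raise ValueError(f"malformed scope: {text!r}")


def scope_covers(scope: Scope, service: str, resource: Optional[str]) -> bool:
    """Does the scope name the requested service/resource? '*' matches anything."""
    if scope.service != service:
        return False
    if scope.resource is None or scope.resource == "*":
        return True  # service-wide scope such as 'auth:view' or 'me:*'
    return scope.resource == resource


def check_scope(token_scopes: Iterable[str], service: str,
                resource: Optional[str], method: str) -> int:
    """Return 200 if some token scope grants the requested access, else 401."""
    if method in READ_METHODS:
        mode = "read"
    elif method in WRITE_METHODS:
        mode = "write"
    else:
        return 405  # unsupported method; our choice, not stated on the page
    # Step 1: does the token allow access to this resource at all?
    matching = [s for s in map(parse_scope, token_scopes)
                if scope_covers(s, service, resource)]
    if not matching:
        return 401
    # Step 2: does any matching scope's access level permit this mode?
    for s in matching:
        if s.level == "*" or mode in LEVEL_ALLOWS.get(s.level, set()):
            return 200
    return 401
```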