
Object authorization policy

An object belongs to exactly one user, called the owner, who is the creator of the object. This assignment can never be changed. The owner can perform any operation on the object.

By default, other users are not allowed to access or perform operations on that object.

The owner is the only one who can decide to share an object with another user. The owner grants the other user permission to perform specifically defined operations among the following:

The following operations are not sharable:

  • Import
  • Revoke
  • Destroy
  • Delegate the ability to share the object (creation, update or deletion)

These permissions are stored inside the KMS database.

The permission system relies on the email address stored in the JWT token used to authenticate the user when accessing the API.

Endpoint

The endpoint is /accesses/{object_id}. The following HTTP methods are available:

  • DELETE to remove a permission
  • POST to grant a permission

The expected data is serialized as JSON, for example:

{
   "userid": "email@example.com",
   "operation_type": "Get",
   "unique_identifier": "my-object-uuid"
}
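
The policy and the grant/remove requests described above can be modelled in a few lines. This is an added example, not Cosmian KMS code: the AccessStore class and its method names are hypothetical, jwt_email stands for the email taken from an already verified JWT, and any operation outside the non-sharable list is assumed to be sharable.

```python
# Added example: in-memory model of the policy; not Cosmian KMS code.
NON_SHARABLE = {"Import", "Revoke", "Destroy"}  # from the list above


class AccessStore:
    """Hypothetical stand-in for the KMS database of permissions."""

    def __init__(self):
        self.owners = {}  # object_id -> owner email, set once at creation
        self.grants = {}  # (object_id, email) -> set of operation names

    def create(self, object_id, jwt_email):
        if object_id in self.owners:
            raise ValueError("object exists; its owner can never be changed")
        self.owners[object_id] = jwt_email

    def _require_owner(self, object_id, jwt_email):
        # The ability to share is itself not sharable: only the owner
        # may create or delete permissions. Unknown objects are rejected.
        if object_id not in self.owners or self.owners[object_id] != jwt_email:
            raise PermissionError("only the owner can manage permissions")

    def grant(self, jwt_email, body):
        """Model of POST /accesses/{object_id}; body is the JSON shown above."""
        oid, op = body["unique_identifier"], body["operation_type"]
        self._require_owner(oid, jwt_email)
        if op in NON_SHARABLE:
            raise PermissionError(f"{op} cannot be shared")
        self.grants.setdefault((oid, body["userid"]), set()).add(op)

    def remove(self, jwt_email, body):
        """Model of DELETE /accesses/{object_id}."""
        oid, op = body["unique_identifier"], body["operation_type"]
        self._require_owner(oid, jwt_email)
        self.grants.get((oid, body["userid"]), set()).discard(op)

    def is_allowed(self, jwt_email, object_id, op):
        if object_id not in self.owners:
            return False
        if self.owners[object_id] == jwt_email:
            return True  # the owner can perform any operation
        # Everyone else is denied unless the owner granted this operation.
        return op in self.grants.get((object_id, jwt_email), set())
```
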

You can also list the accesses of an object using the /accesses/{object_id} route with the GET method. The output will be:

[
   ["user@exemple.com", ["Get", "Revoke"]],
   ["user2@exemple.com", ["Create", "Revoke"]],
   ...
]

You can list the objects you own using the /objects/owned route with the GET method. The output will be:

[
   ["object-id-1", "Active"],
   ["object-id-2", "Active"],
   ...
]

You can list the objects someone shared with you using the /objects/shared route with the GET method. The output will be:

[
   ["object-id-1", "user@example.com", "Active", ["Get", "Revoke"]],
   ["object-id-2", "user@example.com", "Active", ["Revoke"]],
   ...
]
© Copyright 2018-2023 Cosmian. All rights reserved.