You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: doc/API/V1.md
+55-5Lines changed: 55 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -161,8 +161,58 @@ This searches across `hostname`, `sysName`, and `os` for devices.
161
161
162
162
## Access Control
163
163
164
-
-**Devices and Ports** Users with global read access see all resources. Other users only see resources they have been granted access to.
165
-
-**Alert Templates** Users with global read access can view. Only admins can create, update, or delete.
166
-
-**Alert Rules** Users with global read access can view. Only admins can create, update, or delete. Results are scoped to devices the user has access to.
167
-
-**Device Groups** Users with global read access can view. Only admins can create, update, or delete. Results are scoped to groups the user has access to.
168
-
-**Users** Only admins can list all users. Non-admin users can only view their own profile.
164
+
### Authorization flow
165
+
166
+
Every request runs through the same four stages. It must clear **all** of them or it is
167
+
rejected with the status shown:
168
+
169
+
```
170
+
Request + Bearer token
171
+
│
172
+
1. Authentication ............... valid Sanctum token? no → 401 Unauthenticated
173
+
│ yes (token → user)
174
+
2. API access permission ........ user has `api.access`? no → 403 Forbidden
175
+
│ yes
176
+
3. Per-action authorization ..... policy allows this verb? no → 403 Forbidden
177
+
│ yes (viewAny / view / create / update / delete)
178
+
4. Result scoping ............... record(s) within user's scope? out of scope → filtered
179
+
│ (a single show → 404)
180
+
▼
181
+
Response
182
+
```
183
+
184
+
1.**Authentication** the `auth:sanctum` middleware resolves the token to a user. See [Authentication](#authentication).
185
+
2.**API access permission** the user must hold the `api.access` permission. It is granted to the **admin** and **global-read** roles out of the box; other roles need it added explicitly. Without it, no v1 endpoint is reachable.
186
+
3.**Per-action authorization** each HTTP verb maps to a Laravel policy method on the resource's model: `index → viewAny`, `show → view`, `POST → create`, `PATCH/PUT → update`, `DELETE → delete` (Restify also checks `allowRestify`). Two shortcuts apply: **admins** pass every check, and **global-read** users pass every *read* check (`view*` / `show`).
187
+
4.**Result scoping** even when a user may use an endpoint, the rows they get back are filtered to what they're allowed to see. How that filter works depends on the repository's *flavor* (below). A `show` for an out-of-scope id returns `404`.
188
+
189
+
### Roles at a glance
190
+
191
+
| Role | API access | Can read | Can write (create/update/delete) |
192
+
|------|:---:|---|---|
193
+
|**admin**| ✓ | everything | everything |
194
+
|**global-read**| ✓ | everything (read-only) | no (unless a policy allows it) |
195
+
|**user** / custom | only if `api.access` is granted | only resources they're scoped to | only where a policy allows |
196
+
197
+
### Repository scoping flavors
198
+
199
+
Stage 4 is implemented per repository. Most resources fall into one of these flavors:
200
+
201
+
| Flavor | How results are filtered | Example resources |
|**Device-scoped**| To devices the user has access to. |`devices`, `sensors`, `processors`, `storage`, `mempools`, `alerts`, `alert-rules`, `device-groups`, `locations`, `bills`, `inventory`, BGP/OSPF/MPLS peers & tunnels, … (~44 resources) |
204
+
|**Port-scoped**| To ports the user is granted **plus** every port on a device they can see (broader than device access). |`ports`, `port-statistics`, `transceivers`, `ipv4-addresses`, `ipv6-addresses`, `routes`, `port-vlans`, `pseudowires`, … (~19 resources) |
205
+
|**Global**| Not filtered per record visible to anyone who clears stages 1–3 (typically global-read or admin). |`alert-templates`, `poller-groups`, `poller-clusters`, `ipv4-networks`, `ipv6-networks`, `auth-logs`, … |
206
+
|**Owner-scoped**| To the caller's own records. |`users` (admins see all; everyone else sees only their own profile) |
207
+
208
+
For how a new repository opts into a flavor (the `DeviceScopedRepository` / `PortScopedRepository`
209
+
traits and the `DeviceRelatedModel` / `PortRelatedModel` base models), see
210
+
[Creating API v1 Resources › Access Control Patterns](../Developing/Creating-API-Resources.md#access-control-patterns).
211
+
212
+
### Per-resource notes
213
+
214
+
-**Devices and Ports** Global-read users see all; others see only the devices/ports they've been granted.
215
+
-**Alert Templates** Global-read users can view; only admins can create, update, or delete.
216
+
-**Alert Rules** Viewable with global read; only admins can create, update, or delete. Results are scoped to devices the user has access to.
217
+
-**Device Groups** Viewable with global read; only admins can create, update, or delete. Results are scoped to the groups the user can access.
218
+
-**Users** Only admins can list all users; non-admin users can only view their own profile.
0 commit comments