Skip to main content

Using Roles

In Vista, you can think of roles as an grouping of permissions. Roles can be granted directly (resource IDs are evaluated implicitly), as well as directly on resource IDs.

The following shows how a role can be granted to a user:

v.users.grant_role('user_id', 'role_id')
# for a particular objectv.users.grant_role('user_id', 'role_id', 'resource_id', 'resource_type')
# examplev.users.grant_role('richard_hendricks', 'reader')v.users.grant_role('richard_hendricks', 'reader', 'doc_123456', 'document')

In our example, Richard is granted the read action on doc_123456.

All Operator#

You can use VistaClient.ALL in place where resource_id or resource_type is accepted to indicate all.

Inheritance#

When a role is being created, you can specify a parent roles to inherit from. All of the permissions granted on the parent role are also granted to the new child role. In our example, we created the writer role, which inherited read on document - we also granted the write action on document as well.

The following shows how a role can be granted to a user, for a particular resource object:

v.users.grant_role('richard_hendricks', 'writer', 'doc_123456', 'document')

In our example, Richard is granted the read and write actions on doc_123456.