Using Roles
In Vista, you can think of roles as a grouping of permissions. Roles can be granted directly to a user (resource IDs are evaluated implicitly), as well as on specific resource IDs.
The following shows how a role can be granted to a user:
v.users.grant_role('user_id', 'role_id')
# for a particular object
v.users.grant_role('user_id', 'role_id', 'resource_id', 'resource_type')
# example
v.users.grant_role('richard_hendricks', 'reader')
v.users.grant_role('richard_hendricks', 'reader', 'doc_123456', 'document')
In our example, Richard is granted the read action on doc_123456.
All Operator
You can use VistaClient.ALL anywhere a resource_id or resource_type is accepted to indicate all.
Inheritance
When a role is being created, you can specify parent roles to inherit from. All of the permissions granted on the parent role are also granted to the new child role. In our example, we created the writer role, which inherited read on document; we also granted the write action on document.
The following shows how a role can be granted to a user, for a particular resource object:
v.users.grant_role('richard_hendricks', 'writer', 'doc_123456', 'document')
In our example, Richard is granted the read and write actions on doc_123456.
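As an added example (not Vista's SDK or its implementation), the following Python model shows how a resource-scoped grant of an inheriting role resolves, and that it does not extend to other documents. The RoleModel class, its method names, the ALL = "*" stand-in for VistaClient.ALL, and the treatment of a grant without resource arguments as ALL are assumptions made for illustration.

```python
# Illustrative model only: NOT the Vista SDK or its implementation.
ALL = "*"  # stand-in for VistaClient.ALL; the real constant's value is an assumption


class RoleModel:
    def __init__(self):
        self.roles = {}   # role_id -> {"parents": [...], "perms": {(action, resource_type)}}
        self.grants = []  # (user_id, role_id, resource_id, resource_type)

    def add_role(self, role_id, perms, parents=()):
        self.roles[role_id] = {"parents": list(parents), "perms": set(perms)}

    def effective_perms(self, role_id, _seen=None):
        """Union of a role's own permissions and everything inherited from its parents."""
        seen = _seen if _seen is not None else set()
        if role_id in seen:  # guard against cyclic parent definitions
            return set()
        seen.add(role_id)
        role = self.roles[role_id]
        perms = set(role["perms"])
        for parent in role["parents"]:
            perms |= self.effective_perms(parent, seen)
        return perms

    def grant_role(self, user_id, role_id, resource_id=ALL, resource_type=ALL):
        # Assumption: a grant with no resource arguments is modelled as applying to ALL.
        self.grants.append((user_id, role_id, resource_id, resource_type))

    def is_allowed(self, user_id, action, resource_id, resource_type):
        for g_user, g_role, g_id, g_type in self.grants:
            if g_user != user_id:
                continue
            # The grant's scope must cover the requested object.
            if g_type not in (ALL, resource_type) or g_id not in (ALL, resource_id):
                continue
            for p_action, p_type in self.effective_perms(g_role):
                if p_action == action and p_type in (ALL, resource_type):
                    return True
        return False  # default deny


def build_example():
    """Recreate the page's scenario: writer inherits reader, granted on doc_123456."""
    m = RoleModel()
    m.add_role("reader", {("read", "document")})
    m.add_role("writer", {("write", "document")}, parents=["reader"])
    m.grant_role("richard_hendricks", "writer", "doc_123456", "document")
    return m
```

When reviewing grants, the scoped form keeps write access confined to the named document, while a grant using ALL widens the role to every object of that type.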