User permissions for firefly

ursboller

MVP

27-05-2020

is there any option to set permissions per user of an org? as far as I understand everybody can use the apps as soon as the user has access to the API's used in the project.

but the modt use cases I have in mind need an admin (for settings) and users without any API access.

what are other solutions? write 2 apps which share data? one for "read/interact" and the other for "API interactions"?

what I would love to have is an option to rely on new/existing product profiles or user groups from the admin console...

Accepted Solutions (1)

Accepted Solutions (1)

sarahxxu

27-05-2020

Hi @ursboller 

Currently, access is granted based on the user's existing product access. A user needs to have access to all the products used by the app to access it. Let's say the app uses Analytics and Campaign, a user needs to have access to both to be able to use the app.

We'd love to be able to offer more flexible and customizable access control -- but that's definitely more on the future-looking side for us at the moment. 

I'd suggest being on the more cautious side exploring workarounds at the moment because the forced access control is put in place so that enterprise users would not have access to data that they are not provisioned with.

To learn more about security...

how is "access to data" defined regarding analytics? is it "access to the API"? because a single user can have access to just part of the analytics data (by report suite setting)...
We check whether the user has product context in their user profile. On finer control, Analytics is interesting example! Unlike other APIs, Analytics 2.0 allows 2 types of integration, OAuth and Service Account. OAuth allows the developer to leverage user's individual user access while Service Account grants access to all data. When an action is invoked, by default, an access token is always required to authorize and to authenticate your action. This access token is also use for any API calls inside your action! So in the case of Analytics, if you set up an OAuth integration, using the user access token ensures that user can ONLY see data they currently have access to based on prior access control rules (put in through Admin Console or AA).
awesome! thanks for all the details. does it mean a user can access the app without restrictions, as long as there is no specific action used (where the user maybe doesn't have permission)?
Not exactly -- every action, even the generic one just printing out text, built with firefly (by default) has a flag `require-adobe-auth:` enabled to true. this means the action WILL expect an access token when it's invoked. this access token is used by our validator to check whether this user / service should have access to this action. (see docs for more detail). There are two gated layers -- the first one is this. The second one is we recommend only using the access token passed in to make api calls, this ensures secure data access.
ok, everything makes mire sense now. thanks a lot for your replies!

Answers (1)

Answers (1)

Mihai_Corlan

Employee

27-05-2020

Hello there,

 

We have on our roadmap to add support for user access control in the Admin Console. Until then, we only support out of the box the use case where the user has access to the data in the first place.

 

cheers,

Mihai