Portal & Permissions
While at API level, permissions are very granular, the Portal are designed to provide a user friendly way to benefit from the various features of Astran. Thus, while it's protected by the same permission system, a user might need more accesses to perform a single action than the one required by the API.
As an example, to update a user, the user needs to have access to the user list and user itself. Thus, he needs to have the "iam:ListUsers" permission along with the "iam:GetUser" before being able to do an update.
This page will detail the various permissions available, and how they are used in the Portal.
General
iam:SimulatePrincipalPolicy is required to be able to see the permissions required for a given action.
Shall it not be granted, the user will not see any limitations on the actions but they will be rejected at submission time.
Dashboard
| Action | Permissions required | What happens if permissions are not granted |
|---|---|---|
| View metrics and list of kits | ck:ListKitsck:ListKitsStats | A 403 Forbidden page is shown |
Kits
| Action | Permissions required | What happens if permissions are not granted |
|---|---|---|
| List kits | ck:ListKitsck:ListKitsStats | A 403 Forbidden page is shown |
| Create kit | ck:ListKitsck:CreateKit | The create button is shown as Forbidden |
| View kit | ck:GetKit | A 403 Forbidden page is shown if the user tries to access the kit page. In the listing, a lock icon is shown next to the kit name |
| Delete kit | ck:GetKitck:DeleteKit | The delete button is shown as Forbidden |
| Update kit | ck:GetKitck:UpdateKit | The "Edit" button is shown as Forbidden |
| Manage kit data | Any s3 permission required on the associated bucket | ø |
| Execute process | ck:GetKits3:PutObject in the executed-processes/* folder of the kit associated to the bucket*/ | The "Edit" button is shown as Forbidden |
Note that when you open a kit, you can get the associated bucket name by clicking on the more actions icon the Open associated bucket.
The bucket name for this kit appears in the URL and start with kit-\<kit-id\> where \<kit-id> is a string composed of letters and numbers.
Data explorer
While from an API standpoint the objects in S3 can be manipulated differently according to the versioning status of the bucket, the Portal requires to have the permissions on the versioned flavored actions (which apply to all buckets).
| Action | Permissions required | What happens if permissions are not granted |
|---|---|---|
| List buckets | s3:ListAllMyBuckets | A 403 Forbidden page is shown on the Data explorer page |
| Create bucket | s3:CreateBucket s3:PutBucketVersioning to have a versioned bucket | The "New bucket" button appears as Forbidden |
| Delete bucket | s3:DeleteBucket | The "Delete" button appears as Forbidden |
| Get bucket versioning status | s3:GetBucketVersioning | The versioning status is not shown and the bucket is considered as not versioned |
| Update bucket versioning status | s3:PutBucketVersioning | The versioning status is not shown and the bucket is considered as not versioned, it cannot be updated. |
| View bucket content | s3:ListBucketVersions on a given bucket | A 403 Forbidden page is shown if the user tries to access the bucket. In the listing, a lock icon is shown next to the bucket name |
| View object content | s3:HeadObject s3:GetObjectVersion on a given object | A 403 Forbidden page is shown if the user tries to preview the object - the download button is unavailable. In the listing, a lock icon is shown next to the object name |
| Download object | s3:GetObjectVersion on a given object | The download button is unavailable. In the listing, a lock icon is shown next to the object name |
| Upload object or Create folder | s3:PutObject on a given bucket | The "New" button appears as Forbidden |
| Delete object | s3:DeleteObjectVersion on a given object | The delete button is unavailable. |
Access control
Groups
| Action | Permissions required | What happens if permissions are not granted |
|---|---|---|
| List groups | iam:ListGroups | A 403 Forbidden page is shown |
| Create group | iam:ListGroups iam:CreateGroup | The "New group" button appears as Forbidden |
| Delete group | iam:ListGroups iam:DeleteGroup | The "Delete" button appears as Forbidden |
| Attach group policy | iam:ListGroups iam:ListAttachedGroupPolicies iam:AttachGroupPolicy | The "Attach policy" button appears as Forbidden |
| Detach group policy | iam:ListGroups iam:ListAttachedGroupPolicies iam:DetachGroupPolicy | Clicking on an attached policy to detach it will not be possible |
Policies
| Action | Permissions required | What happens if permissions are not granted |
|---|---|---|
| List policies | iam:ListPolicies | A 403 Forbidden page is shown |
| Create policy | iam:ListPolicies iam:CreatePolicy | The "New policy" button appears as Forbidden |
| View a policy document | iam:ListPolicies iam:GetPolicy | The policy document and associated versions will not be visible |
| Get policy version | iam:ListPolicies iam:GetPolicyVersion | The "Delete" button appears as Forbidden |
| Delete a previous version | iam:ListPolicies iam:GetPolicy iam:DeletePolicyVersion | When clicking on the versions listing of the policy, the user will not be able to delete a previous version |
| Create a new policy version | iam:ListPolicies iam:CreatePolicyVersion | The "edit" button on a policy document will appear as Forbidden |
| Update active policy version | iam:ListPolicies iam:GetPolicy iam:GetPolicyVersion iam:SetDefaultPolicyVersion | When clicking on the versions listing of the policy, the user will not be able to choose a version and set it as active |
| List policy versions | iam:ListPolicies iam:ListPolicyVersions | The user will not be able to see the policy versions nor to update the current active one |
| View groups for a policy | iam:ListPolicies iam:ListEntitiesForPolicy | The list of groups associated to the policy will be empty |
Users
| Action | Permissions required | What happens if permissions are not granted |
|---|---|---|
| List users | iam:ListUsers | A 403 Forbidden page is shown |
| Create user | iam:ListUsers iam:GetUser iam:CreateUser | The "New user" button appears as Forbidden |
| Delete user | iam:ListUsers iam:GetUser iam:DeleteUser | The "Delete" button appears as Forbidden |
| Attach user to a group | iam:ListUsers iam:GetUser iam:ListGroupsForUser iam:AddUserToGroup | The "Edit groups" button will be forbidden in case you can neither attach nor detach the user from a group |
| Detach user from a group | iam:ListUsers iam:GetUser iam:ListGroupsForUser iam:RemoveUserFromGroup | The "Edit groups" button will be forbidden in case you can neither attach nor detach the user from a group |
| Update a user permission boundary | iam:ListPolicies iam:GetUser iam:UpdateUserPermissionBoundary | The "Edit permission boundary" button will appear as Forbidden in case neither the update nor the removal is possible |
| Remove a user permission boundary | iam:ListPolicies iam:GetUser iam:DeleteUserPermissionBoundary | The "Edit permission boundary" button will appear as Forbidden in case neither the update nor the removal is possible |