Appendix2 (Security)
Base security
The object_data security domain is applied for any CRUD operation until the secure parameter is set to true in service configuration, or with the secure request parameter.
Additional security rules
By default, the security rules defined in configuration are applied before any action, making sure the user is allowed to view / update / create / delete / workflow…
Additional rules can be added for REST access to data. Such rules need to be created in the RESTAPI domain.
Domain
The entire REST API is ruled by one domain, called RESTAPI. If the domain exists, it can be deactivated to disable all rules. If the domain exists but an endpoint action does not, the global action is used to control access. If the global action doesn't exist, access is granted or denied depending on the value of the plugin parameter allowAccessIfActionDoesntExist (see Appendix1 (Configuration)).
Global action
One action can be used to rule all service access: api.
The parameters for this action are:
Name | Type | Description | Optional |
---|---|---|---|
request | | The HTTP request | No |
endPoint | | The ID of endpoint | No |
endPointType | | Type of endpoint | No |
surfer | | The surfer | No |
objectName | | The structure object name | Yes. Depends on the endpoint. |
resourceName | | The resource name | Yes. Depends on the endpoint. |
fieldName | | The name of the object field | Yes. Depends on the endpoint. |
preset | | The name of the preset | Yes. Depends on the endpoint. |
You can control access to a particular endpoint with a specific action: create an action whose name is the ID of the corresponding endpoint parameter.
Some parameters may not be present depending on the service. Refer to the descriptions of the specific actions/endpoints to see which parameters are specified in each case.
Parameter mappings
In the global action, some parameters of specific actions are mapped to standard parameters:
Specific action parameter name | Global action parameter name |
---|---|
actionName | resourceName |
viewName | resourceName |
service | resourceName |
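The resolution order described under Domain, together with the parameter mappings above, modelled as an added example (not the product's own code). RestApiDomain, decided_by, resolve and fallback_only are hypothetical names, rules are plain Python callables, and treating a missing domain like a deactivated one is an assumption.

```python
from dataclasses import dataclass, field

GLOBAL_ACTION = "api"
# Specific-action parameter names and their global-action equivalents (table above).
PARAM_MAPPING = {"actionName": "resourceName", "viewName": "resourceName",
                 "service": "resourceName"}


@dataclass
class RestApiDomain:
    """Hypothetical stand-in for the RESTAPI domain: action name -> rule."""
    active: bool = True
    actions: dict = field(default_factory=dict)


def to_global_params(params):
    """Rename specific-action parameters to the names the global action sees."""
    return {PARAM_MAPPING.get(name, name): value for name, value in params.items()}


def decided_by(domain, end_point):
    """Say what decides access for an endpoint ID."""
    if domain is None or not domain.active:
        return "none"        # assumption: a missing domain behaves like a deactivated one
    if end_point in domain.actions:
        return "specific"
    if GLOBAL_ACTION in domain.actions:
        return "global"
    return "fallback"        # allowAccessIfActionDoesntExist decides


def resolve(domain, end_point, params, allow_if_missing):
    """Return True if the RESTAPI rules let the request through."""
    source = decided_by(domain, end_point)
    if source == "none":
        return True          # no RESTAPI rule is applied
    if source == "specific":
        return bool(domain.actions[end_point](params))
    if source == "global":
        return bool(domain.actions[GLOBAL_ACTION](to_global_params(params)))
    return allow_if_missing


def fallback_only(domain, end_points):
    """Endpoint IDs whose access rests on allowAccessIfActionDoesntExist alone."""
    return [ep for ep in end_points if decided_by(domain, ep) == "fallback"]


# Constructed rules and requests; surfers are plain strings here.
ENDPOINTS = ["data_read", "data_delete", "extension_invoke"]
with_global = RestApiDomain(actions={
    "data_delete": lambda p: p["surfer"] == "admin",
    "api": lambda p: p.get("resourceName") != "export",
})
without_global = RestApiDomain(actions={"data_delete": with_global.actions["data_delete"]})

if __name__ == "__main__":
    req = {"surfer": "bob", "service": "export", "endPoint": "extension_invoke"}
    print(resolve(with_global, "extension_invoke", req, False))
    print(fallback_only(without_global, ENDPOINTS))
```

Running fallback_only over the endpoint IDs of a deployment shows which ones are open whenever allowAccessIfActionDoesntExist is true and no api action is defined.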
Specific actions per endpoint
The entire REST API is ruled by one domain, called RESTAPI. Many actions make it possible to configure access to the different endpoints.
Endpoint ID | Endpoint type | Description |
---|---|---|
catalog | | catalog endpoints (legacy services) |
Parameters | request | |
surfer | ||
endPoint = endPointType | ||
endPointType | ||
collection_add | collection | add item to collection |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
collection_clear | collection | remove collection items |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
create | createorupdate | create endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
dam_aggs | dam | aggregates endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_asset | dam | assets list (also assets by type/nature) endpoint |
Parameters | request | |
surfer | ||
endPointType | ||
dam_asset_aggs | dam | assets aggregates endpoint (dam) |
Parameters | request | |
surfer | ||
endPointType | ||
dam_asset_headers | dam | asset list headers endpoint |
Parameters | request | |
surfer | ||
endPointType | ||
dam_catalog | dam | catalog endpoint (dam) |
Parameters | request | |
surfer | ||
endPoint = endPointType | ||
endPointType | ||
dam_create | dam | create endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_delete | dam | delete endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_list | dam | list endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_list_headers | dam | list headers endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_lock | dam | lock endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_read | dam | data read endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_read_headers | dam | read headers endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_preset | dam | preset endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_preview | dam | preview endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_resource | dam | binary resource endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_search | dam | search endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_show_workflow | dam | show workflow endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_tree | dam | tree endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_unlock | dam | unlock endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_update | dam | update endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_update_binary | dam | update binary endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_workcopy | dam | workcopy endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
dam_workflow | dam | workflow endpoint (dam) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_aggs | data | aggregates endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_assign | data | data collection item assignation end point (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
fieldName | ||
endPointType | ||
data_catalog | data | catalog endpoint (data) |
Parameters | request | |
surfer | ||
endPoint = endPointType | ||
endPointType | ||
data_create | data | create endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_delete | data | delete endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_list | data | list endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_list_headers | data | list headers endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_lock | data | lock endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_read | data | data read endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_read_headers | data | read headers endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_resource | data | binary resource endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_show_workflow | data | show workflows |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_tree | data | tree endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_preset | data | preset endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_preview | data | preview endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_search | data | search endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_show_workflow | data | show workflow endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_unlock | data | unlock endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_update | data | update endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_update_binary | data | update binary endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_workcopy | data | workcopy endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
data_workflow | data | workflow change endpoint (data) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
delete | delete | delete endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
extension_invoke | extension | extension service invocation (legacy) |
Parameters | request | |
surfer | ||
service | ||
endPointType | ||
imageprocessing | imageprocessing | image processing endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
lock | createorupdate | lock endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
locks_get | createorupdate | lock status get endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
massimport_aggs | massimport | aggregates endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_assign | massimport | data collection item assignation end point (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_create | massimport | create endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_aggs | massimport | aggregates endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_assign | massimport | data collection item assignation end point (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_create | massimport | create endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_delete | massimport | delete endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_list | massimport | list endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_list_headers | massimport | list headers endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_lock | massimport | lock endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_read | massimport | data read endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_read_headers | massimport | read headers endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_preset | massimport | preset endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_preview | massimport | preview endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_resource | massimport | binary resource endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_search | massimport | search endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_show_workflow | massimport | show workflow endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_tree | massimport | tree endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_unlock | massimport | unlock endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_update | massimport | update endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_update_binary | massimport | update binary endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_workcopy | massimport | workcopy endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_data_workflow | massimport | workflow change endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_delete | massimport | delete endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_job_changestate | massimport | job change status endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_job_import | massimport_import | job file import endpoint (massimport) |
Parameters | request | |
surfer | ||
endPointType | ||
massimport_job_import_delete | massimport_import | delete job file import endpoint (massimport) |
Parameters | request | |
surfer | ||
endPointType | ||
massimport_list | massimport | list endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_list_headers | massimport | list headers endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_lock | massimport | lock endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_preset | massimport | preset endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_preview | massimport | preview endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_read | massimport | data read endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_read_headers | massimport | read headers endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_resource | massimport | binary resource endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_show_workflow | massimport | show workflow endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_search | massimport | search endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_tree | massimport | tree endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_unlock | massimport | unlock endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_update | massimport | update endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_update_binary | massimport | update binary endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_workcopy | massimport | workcopy endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
massimport_workflow | massimport | workflow change endpoint (massimport) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_assign | profile | data collection item assignation end point (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_create | profile | create endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_delete | profile | delete endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_list | profile | list endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_list_headers | profile | list headers endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_lock | profile | lock endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_preset | profile | preset endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_preview | profile | preview endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_resource | profile | binary resource endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_search | profile | search endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_unlock | profile | unlock endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_update | profile | update endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_updatebinary | profile | update binary endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_update_me | profile | user update himself endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_delete_me | profile | user delete himself endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
profil_workcopy | profile | workcopy endpoint (profile) |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
resource | resource | resource endpoint (legacy) |
Parameters | request | |
surfer | ||
viewName | ||
endPointType | ||
tree | tree | treeview endpoint (legacy) |
Parameters | request | |
surfer | ||
viewName | ||
endPointType | ||
patch | createorupdate | patch endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
unlock | createorupdate | unlock endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
update | createorupdate | update endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
usermention_delete | usermention | usermention delete endpoint |
usermention_list | usermention | usermention list endpoint |
usermention_markread | usermention | mark usermention read endpoint |
usermention_read | usermention | read usermention endpoint |
usermention_read_headers | usermention | read headers usermention endpoint |
usermention_unread | usermention | unread usermention count endpoint |
userpref | system | user preference endpoint |
Parameters | request | |
surfer | ||
method (READ, WRITE, DELETE) | ||
namespace | ||
key | ||
name | ||
variation | variation | variation (preset) endpoint |
Parameters | request | |
surfer | ||
resourceName | ||
objectName | ||
endPointType | ||
preset | ||
view | view | view endpoint (legacy) |
Parameters | request | |
surfer | ||
viewName | ||
endPointType | ||
whoami | system | whoami endpoint |
Parameters | request | |
surfer | ||
workflow_actions | createorupdate | workflow action list endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType | ||
workflow_do | createorupdate | workflow change endpoint (legacy) |
Parameters | request | |
surfer | ||
actionName | ||
endPointType |