Authorize By Role
- John Brinckwirth
- Kendy Li
Overview
Use the Authorize By Role policy to authorize a request based on a role associated with the client. All of the APIM authentication policies define how the user is authenticated and which role is authorized. You need to configure the Authorize by Role policy to indicate which of those roles should be authorized. If the role is not called out by this policy, the request is not processed. Unauthorized requests are rejected with a '403 Forbidden' error.
Policy Execution Order
This Authorize By Role policy executes after the request has been authenticated.
Authorization Flow
The Authentication Policy tells the policy owner who the user is by your user id and your role. Authentication is always completed first, and an HTTP 401 response code is returned if the authentication policy criteria are not satisfied. After the Authentication policies run, the authorization policy runs. The Authorize by Role policy uses the info from the Authentication policies, to grant or deny permission to run the API. By default, the specified roles are checked against the role set in the policy.
You can also add additional conditions to refine the access. The first condition, true by default, has a role that the user is part of to grant access (if not a 403 is returned).
Both the User Id and Role field values are required (except for anonymous, the default role in the Anonymous Authenticator policy. You use a role to grant access by role: the Role value is for authorization, and the User id (in other words, the IP address for anonymously authenticated users) is used to count your rate limiting. Additionally, you can use the remoteUser function to pass into the pipeline automatically with a pipeline parameter.
You can use the IsUserinRole function to define the ServiceTier Conditions in the Client Throttling policy. The authentication policies define the role, and the Authorization by Role policy performs a check against the ServiceTiers. The following table lists the policies that invoke the Role.
Policy | Field that references Authorize by Role policy |
|---|---|
Anonymous Authenticator | Role |
Generic OAuth2 | Role |
Callout Authenticator | Roles Expression |
JWT Token | Roles Expression |
All other policies | By reference using an APIM Expression Language function |
Settings
Parameter Name | Description | Default Value | Example |
|---|---|---|---|
Label | Required. The name for the API policy. | Authorize By Role | Task authorize by role |
When this policy should be applied | An expression enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST. | True | request.method == "POST" |
Roles | The list of role names that should be authorized to access tasks. If the client is in any of these roles, the request is allowed to continue. | N/A | N/A |
Role | The name of the role that should be allowed access. | N/A | anonymous |
Condition | An expression that checks additional conditions that must be true before the request will be authorized. | N/A | request.method matches “HEAD”|”GET” |
Status | Indicates whether the API policy is enabled or disabled. | Enabled | Disabled |
Related Content
Have feedback? Email documentation@snaplogic.com | Ask a question in the SnapLogic Community
© 2017-2025 SnapLogic, Inc.