Access Controls

The API supports two forms of access control:

  • Roles at organisation level
  • Access Control Lists (ACLs) at application level

Roles

Chief

Users with the role "ROLE_CHIEF" are administrators of an organisation. They have access to everything, are able to create new applications, and can modify the access control lists.

Operator

Users with the role "ROLE_OPERATOR" are privileged users that can access all applications of an organisation, but they cannot modify other users or system settings.

Access Control Lists

For fine-grained control over permissions, ACLs can be used at application level. An ACL applies either to a single user or to a team, and it always restricts access to a single application and its sub-components.

Name     Description
view     Required for most GET requests
delete   Required for most DELETE requests
create   Required for most POST requests
edit     Required for most PATCH requests
scan     Required for scan-related actions
manage   Extended application access (moderation)

Certain requests require combinations of permissions. For example, to modify a scan a user needs the permissions "scan" and "edit".

When the permission requirements are not met, a 403 error is returned.
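The following is an added worked example of how the role and ACL model described above can be evaluated for a request; it is illustration code, not the API's own implementation. The role names, the six permission names, the "scan" + "edit" combination and the 403 response come from the page. Everything else is an assumption made for the example: the mapping of request kinds to required permissions (REQUIRED), the AclEntry/User data model, and the "user:" / "team:" subject prefixes. Organisation-level restrictions on operators (no modifying users or system settings) are outside the application-level check shown here.

```python
"""Evaluate organisation roles plus application-level ACLs for a request.

Added example code (not the API's implementation). The data model and the
request-kind -> permissions mapping are assumptions; only the role names,
permission names and the 403 behaviour come from the documentation.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set

# Application-level permissions listed in the documentation.
APP_PERMISSIONS = frozenset({"view", "delete", "create", "edit", "scan", "manage"})

# Assumed mapping of request kinds to the permissions they require. The page
# states that modifying a scan needs both "scan" and "edit".
REQUIRED: Dict[str, FrozenSet[str]] = {
    "GET application":    frozenset({"view"}),
    "POST application":   frozenset({"create"}),
    "PATCH application":  frozenset({"edit"}),
    "DELETE application": frozenset({"delete"}),
    "PATCH scan":         frozenset({"scan", "edit"}),
}


@dataclass(frozen=True)
class AclEntry:
    subject: str              # "user:<id>" or "team:<id>" (assumed prefixes)
    application: str          # an ACL is always scoped to exactly one application
    permissions: FrozenSet[str]


@dataclass
class User:
    id: str
    roles: Set[str] = field(default_factory=set)   # e.g. {"ROLE_CHIEF"}
    teams: Set[str] = field(default_factory=set)   # team ids the user belongs to


class Forbidden(Exception):
    """Raised when the permission requirements are not met (HTTP 403)."""
    status = 403


def effective_permissions(user: User, application: str,
                          acls: Iterable[AclEntry]) -> FrozenSet[str]:
    """Union of all ACL grants for the user and the user's teams on one application."""
    # Organisation-level roles short-circuit the ACL lookup: a chief has access
    # to everything and an operator can access all applications.
    if "ROLE_CHIEF" in user.roles or "ROLE_OPERATOR" in user.roles:
        return APP_PERMISSIONS
    subjects = {f"user:{user.id}"} | {f"team:{t}" for t in user.teams}
    granted: Set[str] = set()
    for entry in acls:
        # Grants on other applications never apply: ACLs do not leak across apps.
        if entry.application == application and entry.subject in subjects:
            granted |= entry.permissions
    return frozenset(granted) & APP_PERMISSIONS


def authorize(user: User, request_kind: str, application: str,
              acls: Iterable[AclEntry]) -> bool:
    """Raise Forbidden unless every required permission is held."""
    missing = REQUIRED[request_kind] - effective_permissions(user, application, acls)
    if missing:
        raise Forbidden(f"missing permission(s) {sorted(missing)} on {application}")
    return True


def check(user: User, request_kind: str, application: str,
          acls: Iterable[AclEntry]) -> int:
    """Return the HTTP status the request would receive: 200 or 403."""
    try:
        authorize(user, request_kind, application, acls)
        return 200
    except Forbidden:
        return Forbidden.status


# Constructed sample data for demonstration.
ACLS = [
    AclEntry("user:alice", "app-1", frozenset({"view", "scan"})),
    AclEntry("team:blue",  "app-1", frozenset({"edit"})),
    AclEntry("team:blue",  "app-2", frozenset({"view"})),
]
ALICE = User("alice", teams={"blue"})            # ACL-only user, member of team blue
BOB = User("bob")                                 # no roles, no ACL entries
CARA = User("cara", roles={"ROLE_OPERATOR"})      # operator: all applications

if __name__ == "__main__":
    for user, kind, app in [(ALICE, "PATCH scan", "app-1"),
                            (ALICE, "PATCH scan", "app-2"),
                            (BOB, "GET application", "app-1"),
                            (CARA, "DELETE application", "app-1")]:
        print(f"{user.id:6} {kind:19} {app}: {check(user, kind, app, ACLS)}")
```

Alice can modify a scan on app-1 only because her personal grant ("scan") and her team's grant ("edit") combine into the required pair; on app-2 the team grants "view" alone, so the same request is refused with 403. Bob, with neither roles nor ACL entries, gets 403 for a plain GET, while the operator Cara passes every application-level check without any ACL entry.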