The API supports two forms of access control:
- Roles on organization level
- Access Control Lists (ACL) on application level

Users with the role "ROLE_CHIEF" are administrators of an organization. They have access to everything, can create new applications, and can modify the access control lists.

Users with the role "ROLE_OPERATOR" are privileged users that can access all applications of an organization; they cannot modify other users or system settings, though.
## Access Control Lists

For precise control over permissions, ACLs on application level can be used. An ACL applies either to a single user or to a team, and it always restricts access to a single application and its sub-components.
| Permission | Description |
|---|---|
| view | Required for most GET requests |
| delete | Required for most DELETE requests |
| create | Required for most POST requests |
| edit | Required for most PATCH requests |
| scan | Required for scan related actions |
| manage | Extended application access (moderation) |
Certain requests require combinations of permissions. For example, to modify a scan a user needs both the "scan" and the "edit" permission.

When the permission requirements are not met, a 403 error is returned.