Skip to main content

Version: 3.2.16.3

Permission Policy Examples

Full Access to All Resources

{
"statement": [
{
"resources": [
"<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}

View-only to All Resources

{
"statement": [
{
"resources": [
"<.*>"
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
}
]
}

View-only to Specific Gateway Groups

{
"statement": [
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}" // Use gateway group id to identify
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}/publishedservice/<.*>",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}/publishedservice/<.*>" // View-only to all published services on these gateway groups
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
}
]
}

Full Access to Specific Gateway Groups

{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}" // Use gateway group id to identify
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}/publishedservice/<.*>",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}/publishedservice/<.*>" // Full access to all published services on this gateway group
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}

Full Access to Specific Gateway Groups except Consumer Credentials

{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}" // Use gateway group id to identify
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}/publishedservice/<.*>",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}/publishedservice/<.*>" // Full access to all published services on this gateway group
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>/consumer/<.*>" // Use consumer name to identify
],
"actions": [
"gateway:GetConsumerCredential",
"gateway:UpdateConsumerCredential",
"gateway:DeleteConsumerCredential"
]
"effect": "deny"
}
]
}

Service Manager

  1. Modify specific services directly on all gateway groups;
  2. Modify the template of specific services in service hub, then publish to all gateway groups;
  3. Sync specific services from one gateway group to another.
{
"statement": [
{
"resources": [
"arn:api7:gateway:servicetemplate/{service template id}"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>/publishedservice/{service template id}" // use service template id instead of service id
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>"
],
"actions": [
"gateway:GetGatewayGroup", // For managing published services on Dashboard
"gateway:GetGlobalPluginRule", // See the global rules before applying plugins to your published service to prevent conflicts.
"gateway:GetPluginMetadata" // See plugin metadata before applying plugins to your published service to prevent conflicts.
],
"effect": "allow"
}
]
}

Or you can use labels, if you have multiple services to manage and their share the same label:

{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"arn:api7:gateway:servicetemplate/<.*>"
],
"actions": [
"<.*>"
],
"conditions": {
"service_label": {
"type": "MatchLabel",
"options": {
"key": "team",
"operator": "exact_match",
"value": "enterprise"
}
}
},
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>/publishedservice/<.*>"
],
"actions": [
"<.*>"
],
"conditions": {
"service_label": {
"type": "MatchLabel",
"options": {
"key": "team",
"operator": "exact_match",
"value": "enterprise"
}
}
},
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>"
],
"actions": [
"gateway:GetGatewayGroup" // For managing published services on Dashboard
],
"effect": "allow"
}
]
}

Manage Custom Plugins

{
"statement": [
{
"resources": [
"arn:api7:gateway:gatewaysetting/*"
],
"actions": [
"gateway:<.*>CustomPlugin<.*>"
],
"effect": "allow"
}
]
}

Role Manager

  1. Invite/Delete users;
  2. Help users resetting their password;
  3. Design custom roles;
  4. Assign roles to users.
{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"arn:api7:iam:user/<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:iam:role/<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:iam:permissionpolicy/<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}

Create and Manage Production Gateway Groups

{
"statement": [
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>"
],
"actions": [
"<.*>"
],
"conditions": {
"gateway_group_label": {
"type": "MatchLabel",
"options": {
"key": "type",
"operator": "exact_match",
"value": "production"
}
}
},
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/*"
],
"actions": [
"gateway:CreateGatewayGroup"
],
"effect": "allow"
}
]
}

Full Access to All Resources Except License

{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:iam:organization/*"
],
"actions": [
"iam:UpdateLicense"
],
"effect": "deny" // "deny" takes precedence, ultimately prohibiting access to updateLicense action.
}
]
}

API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation