Permission Tutorial (Legacy)

There is a user, Bob, who just joined Authentise. Authentise created a user for Bob, and he was given the URI https://users.authentise.com/users/00000000-0000-0000-0000-00000-BOB/ upon creation. You can refer to the user Permissions Tutorial to see how user Bob was created.

Authentise's MES enforces permissions on resources. Bob is given the task of creating some new materials and printers and updating a few existing Manufacturer and other resources. So Bob is first directed to a Tutorial to learn how to create the resources managed by the MES system.

Bob goes through the tutorial and learns how to create new resources. Now he is all set. To edit the address of the manufacturer https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/, he sends the following request:

PUT https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/
Content-Type: application/json

{
    "address"   : "221 B Baker St."
}

errors: [{
    "code"  : "Unauthorized",
    "title" : "You do not have the 'manufacturer.all' permission which is required for this operation"
}]

Taken aback by this first error, Bob goes to talk to his senior engineer, Will, who is an expert on permissions. Will explains to Bob that MES enforces permission checks on resources. A user needs specific rights in order to create, update or delete a resource, whereas viewing the resources in a bureau only requires belonging to that bureau. To see how Bob was added to the group, refer to the Membership Tutorial. Since Bob belongs to the authentise bureau, he can GET/LIST any resource in it, but he holds no other rights as of now. Will assures Bob that they will work together to give him the rights he needs to create, edit and delete certain resources.

Let's see which rights Will holds that allow him to give rights to others.

GET https://users.authentise.com/permissions/?
    filter[namespace]=erp
    &filter[holder]=https://users.authentise.com/users/00000000-0000-0000-0000-0000000-WILL/

{
    "resources" : [{
        "holder"    : "https://users.authentise.com/users/00000000-0000-0000-0000-0000000-WILL/",
        "namespace" : "erp",
        "object"    : "https://erp.authentise.com/bureau/00000000-0000-0000-0000-000000bureau/",
        "right"     : "bureau.permission.all",
        "uri"       : "https://users.authentise.com/permissions/5190dc45-eece-4ecf-af8e-f45dcd57e694/"
    }, {
        "holder"    : "https://users.authentise.com/groups/d3c0c9c5-8198-4ba4-86bf-4071e82a86b8/",
        "namespace" : "erp",
        "object"    : "https://erp.authentise.com/location/00000000-0000-0000-0000-000000location/",
        "right"     : "location.permission.all",
        "uri"       : "https://users.authentise.com/permissions/5190dc45-eece-4ecf-af8e-847364738473/"
    }]
}

So Will has the bureau.permission.all right on the authentise bureau and the location.permission.all right on the Sandy, UT location he works at (the latter held through a group he belongs to). These are the permissions a user needs in order to give others individual rights on resources. Now let's see how Will gives Bob rights.

Will uses two endpoints to give rights to Bob: one for rights scoped to a bureau and one for rights scoped to a location.

Permission on Bureau (Legacy)

Some resources are governed directly by the rights a user holds on the bureau. The resources in this category, and the right each one requires, are:

Rights on Bureau

Resource               Right
currency_conversion    'currency_conversion.all'
location               'location.all'
manufacturer           'manufacturer.all'
material               'material.all'
post_processor_type    'post_processor_type.all'
printer_type           'printer_type.all'
service_provider       'service_provider.all'
shipping               'shipping.all'
third_party            'third_party.all'

Will gives Bob his first right on the bureau by granting him manufacturer.all.

POST https://erp.authentise.com/permission-bureau/
Content-Type: application/json

{
    "bureau"    : "https://erp.authentise.com/bureau/00000000-0000-0000-0000-000000bureau/",
    "right"     : "manufacturer.all",
    "user"      : "https://users.authentise.com/users/00000000-0000-0000-0000-00000-BOB/"
}

LOCATION: https://erp.authentise.com/permission-bureau/MANUFACTURER-ALL-0000-0000-BOB/

Now Bob has the manufacturer.all right on the bureau he belongs to: he can create, edit and delete any manufacturer in that bureau. Bob tries to edit the manufacturer again and gets this in return:

PUT https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/
Content-Type: application/json

{
    "address"   : "221 B Baker St."
}

STATUS CODE: 204

GET https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/
Content-Type: application/json

{
    "name"      : "West-1",
    "address"   : "221 B Baker St.",
    "notes"     : "West-1 represents a printer created.",
    "contact"   : {
        "name"  : "John Smith",
        "phone" : "123-123-1234"
    },
    "support"   : {
        "name"  : "Fred Smith",
        "phone" : "123-123-1234"
    },
    "uri"       : "https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/"
}

He is successful in editing the manufacturer. Will similarly grants Bob the other rights from the list above, so that Bob can create, edit and delete each of those resources.

Permission on Location (Legacy)

Some resources are governed directly by the rights a user holds on the location. The resources in this category, and the right each one requires, are:

Rights on Location

Resource           Right
post_processor     'post_processor.all'
printer            'printer.all'
stock              'stock.all'

Will gives Bob the above rights too. The request he makes to grant the right for the printer resource is as follows:

POST https://erp.authentise.com/permission-location/
Content-Type: application/json

{
    "location"  : "https://erp.authentise.com/location/00000000-0000-0000-0000-000000location/",
    "right"     : "printer.all",
    "user"      : "https://users.authentise.com/users/00000000-0000-0000-0000-00000-BOB/"
}

LOCATION: https://erp.authentise.com/permission-location/PRINTER_ALL-0000-0000-0000-0000-BOB/

With the above permission Bob is able to manipulate printer resources at that location.

Since Will holds the granting rights, he can also revoke the rights he just gave to Bob. To do so he simply performs a DELETE request on the permission resource returned in the LOCATION header above:

DELETE https://erp.authentise.com/permission-location/PRINTER_ALL-0000-0000-0000-0000-BOB/

STATUS CODE: 204

Now if Bob tries to manipulate any of the printer resources, he will get the same error as before, telling him that he is unauthorized to perform the task.
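The rules this tutorial walks through (bureau membership alone allows GET/LIST; create, update and delete need the resource's '<resource>.all' right at bureau or location scope; granting or revoking such a right needs bureau.permission.all or location.permission.all on that object, held directly or through a group) can be written down as a small model and replayed offline. The following Python is an added example, not Authentise's code or API: the in-memory PermissionStore is a constructed stand-in for the /permissions/ listing, the assumption that the Sandy, UT location belongs to the authentise bureau and that Will is a member of the group holding location.permission.all are mine, and the error text is copied from the tutorial's response.

```python
"""Toy model of the legacy MES permission rules described in this tutorial.
Constructed example: it talks to no server; URIs are the tutorial's own."""
from dataclasses import dataclass, field

# Legacy resource types and the scope at which their '<type>.all' right is held.
BUREAU_RIGHTS = {"currency_conversion", "location", "manufacturer", "material",
                 "post_processor_type", "printer_type", "service_provider",
                 "shipping", "third_party"}
LOCATION_RIGHTS = {"post_processor", "printer", "stock"}

WILL = "https://users.authentise.com/users/00000000-0000-0000-0000-0000000-WILL/"
BOB = "https://users.authentise.com/users/00000000-0000-0000-0000-00000-BOB/"
GROUP = "https://users.authentise.com/groups/d3c0c9c5-8198-4ba4-86bf-4071e82a86b8/"
BUREAU = "https://erp.authentise.com/bureau/00000000-0000-0000-0000-000000bureau/"
LOCATION = "https://erp.authentise.com/location/00000000-0000-0000-0000-000000location/"


class Unauthorized(Exception):
    """Raised where the real API answers with the 'Unauthorized' error."""


@dataclass
class PermissionStore:
    grants: set = field(default_factory=set)            # (holder, object, right)
    groups: dict = field(default_factory=dict)          # user -> {group URIs} (assumed)
    bureau_of: dict = field(default_factory=dict)       # user -> bureau they belong to
    location_bureau: dict = field(default_factory=dict) # location -> its bureau (assumed)

    def has_right(self, user, obj, right):
        """A right counts if held by the user or by any group the user is in."""
        holders = {user, *self.groups.get(user, ())}
        return any((h, obj, right) in self.grants for h in holders)

    def _require(self, user, obj, right):
        if not self.has_right(user, obj, right):
            raise Unauthorized(f"You do not have the '{right}' permission "
                               "which is required for this operation")

    def check(self, user, method, resource_type, scope_obj):
        """Authorize `method` on a `resource_type` living under `scope_obj`
        (a bureau or location URI). Returns True or raises Unauthorized."""
        bureau = self.location_bureau.get(scope_obj, scope_obj)
        if self.bureau_of.get(user) != bureau:
            raise Unauthorized("not a member of this bureau")
        if method in ("GET", "LIST"):
            return True                      # membership alone allows viewing
        if resource_type in BUREAU_RIGHTS:
            required_on = bureau             # right is held on the bureau
        elif resource_type in LOCATION_RIGHTS:
            required_on = scope_obj          # right is held on the location
        else:
            raise ValueError(f"unknown legacy resource type {resource_type!r}")
        self._require(user, required_on, f"{resource_type}.all")
        return True

    def _meta_right(self, scope_obj, right):
        """Which *.permission.all right governs granting `right` on `scope_obj`;
        also rejects a bureau-scoped right posted against a location URI."""
        resource_type = right.removesuffix(".all")
        is_location = scope_obj in self.location_bureau
        if resource_type in BUREAU_RIGHTS and not is_location:
            return "bureau.permission.all"
        if resource_type in LOCATION_RIGHTS and is_location:
            return "location.permission.all"
        raise ValueError(f"{right!r} cannot be held on {scope_obj}")

    def grant(self, granter, scope_obj, right, user):
        """POST /permission-bureau/ or /permission-location/ in the tutorial."""
        self._require(granter, scope_obj, self._meta_right(scope_obj, right))
        permission = (user, scope_obj, right)
        self.grants.add(permission)
        return permission                    # stands in for the LOCATION header

    def revoke(self, revoker, permission):
        """DELETE on the permission URI: same granting right is needed."""
        _user, scope_obj, right = permission
        self._require(revoker, scope_obj, self._meta_right(scope_obj, right))
        self.grants.discard(permission)


def tutorial_walkthrough():
    """Replay the tutorial's steps; returns one 'label: allowed/denied' line each."""
    store = PermissionStore(
        grants={(WILL, BUREAU, "bureau.permission.all"),
                (GROUP, LOCATION, "location.permission.all")},
        groups={WILL: {GROUP}}, bureau_of={WILL: BUREAU, BOB: BUREAU},
        location_bureau={LOCATION: BUREAU})
    log = []

    def attempt(label, action):
        try:
            action()
            log.append(f"{label}: allowed")
        except Unauthorized as err:
            log.append(f"{label}: denied ({err})")

    attempt("bob GET manufacturer", lambda: store.check(BOB, "GET", "manufacturer", BUREAU))
    attempt("bob PUT manufacturer", lambda: store.check(BOB, "PUT", "manufacturer", BUREAU))
    attempt("will grants manufacturer.all", lambda: store.grant(WILL, BUREAU, "manufacturer.all", BOB))
    attempt("bob PUT manufacturer again", lambda: store.check(BOB, "PUT", "manufacturer", BUREAU))
    printer = store.grant(WILL, LOCATION, "printer.all", BOB)   # via Will's group
    attempt("bob POST printer", lambda: store.check(BOB, "POST", "printer", LOCATION))
    store.revoke(WILL, printer)
    attempt("bob POST printer after revoke", lambda: store.check(BOB, "POST", "printer", LOCATION))
    attempt("bob grants himself material.all", lambda: store.grant(BOB, BUREAU, "material.all", BOB))
    return log


if __name__ == "__main__":
    print("\n".join(tutorial_walkthrough()))
```

The last step is the one worth noticing from a least-privilege standpoint: Bob's manufacturer.all and printer.all rights let him edit resources but not hand out rights, because granting is gated on the separate bureau.permission.all and location.permission.all rights that only Will holds. The _meta_right check also refuses a bureau-scoped right posted against a location URI (or the reverse), which is the mix-up easiest to make when the two endpoints accept near-identical bodies.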

This tutorial explained how to add and revoke rights for a user on a bureau and on a location. For creating resources, please refer to the MES Tutorial and Reference.