User authorization
After Quorum Key Manager (QKM) authenticates an incoming request, it submits the request to the targeted service, which performs authorization checks based on the request context before performing service operations.
The authorization process restricts system access through role-based access control or resource-based access control.
Role-based access control
Role-based access control (RBAC) restricts actions over resources to authorized users. Access is specified by roles assigned to users, using a manifest file or an identity provider.
See the full list of RBAC permissions.
Resource-based access control
Resource-based access control restricts access to resources to authorized users. Access is specified by allowed tenants for each resource, using a manifest file.
Terminology
Action
An action is a functionality of your application to be restricted to authorized users. For example, read, create, sign, encrypt, delete, and destroy.
Resource
A resource represents a business entity to be managed by your application. Authorization restricts access over resources. QKM currently has the following resources:
Name | Description |
---|---|
Secret | A key-value element stored in a secure vault system. |
Key | A cryptographic key. |
Ethereum account | A cryptographic key allowing interaction with the Ethereum network. |
Vault | Vault client connector used to persist resources remotely. |
Store | A storage space for a set of secrets, keys, or Ethereum accounts. |
Node | A representation of an underlying blockchain node. |
Alias | A representation of an external public key. For example, a Tessera address. |
Registry | A storage space for clarifying a set of aliases. |
Tenant
A tenant is a set of users with the highest access level to resources. In resource-based access control, you must pass a list of allowed tenants when defining a resource manifest file.
Permission
A permission is an authorization of an action over a resource, used in role-based access control (RBAC). Permissions take the form `action:resource` and are not mutually exclusive.
Role
A role is a named set of permissions defined in a manifest file. Alternatively, you can use Auth0 to specify roles and attach permissions to your token.
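The two controls described above can be sketched as one deny-by-default check. This is an added example, not QKM's own code. The type names, role names, tenant names and the `keys`/`secrets` resource labels are hypothetical, and requiring both checks to pass is an assumption of the sketch, since the page does not say how QKM combines them.

```go
package main

import (
	"fmt"
	"strings"
)

// User is the authenticated caller: one tenant plus the roles assigned to it.
type User struct {
	Tenant string
	Roles  []string
}

// Resource is a protected entity with its resource-based allow-list.
type Resource struct {
	Kind           string   // resource part of a permission (hypothetical label)
	AllowedTenants []string // tenants permitted to reach this resource
}

var roles = map[string][]string{ // role name -> permissions (constructed sample data)
	"signer": {"read:keys", "sign:keys"},
	"reader": {"read:keys", "read:secrets"},
}

// hasPermission reports whether any role grants action:kind; entries without a colon never match.
func hasPermission(u User, action, kind string) bool {
	for _, r := range u.Roles {
		for _, p := range roles[r] {
			if a, k, ok := strings.Cut(p, ":"); ok && a == action && k == kind {
				return true
			}
		}
	}
	return false
}

// Authorize requires the tenant check and the permission check to both pass.
func Authorize(u User, action string, res Resource) bool {
	for _, t := range res.AllowedTenants {
		if t == u.Tenant {
			return hasPermission(u, action, res.Kind)
		}
	}
	return false // tenant not on the allow-list (an empty list matches nobody in this sketch)
}

func main() {
	fmt.Println(Authorize(User{"tenant-a", []string{"signer"}}, "sign", Resource{"keys", []string{"tenant-a"}}))
}
```

Unknown roles, malformed permission strings and tenants missing from the allow-list all fall through to a denial, so a manifest mistake in this sketch cannot widen access.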