Dynamic User Access control to Action executions

Is there a way I can dynamically, at runtime, allow or disallow action execution for a user? Should I create a role for every action and then assign roles to the user?

Where would that information to decide if a user is allowed to execute an action live? Presumably you would have to do some sort of lookup against some database or system, to decide if that user was a valid user for executing that action?

It feels like there might be a wider idea in mind here. What’s the high-level problem you’re trying to solve?

This might be done with JWT, which is stateless. I am not sure.

The case is that I would like to have a central ST2 installation for many users and be able to control their access to the actions dynamically at runtime.

You have to do a lookup somewhere to determine what access they are allowed. What is your planned source of truth here? What are you going to do a lookup against?

A more normal design pattern would be to use RBAC combined with LDAP groups. User’s LDAP groups map to their roles, which then map to allowed permissions.

But can I dynamically change role permissions at runtime? The lookup can be done in the scope claim of the JWT. Is there a way to access headers in an action's python-runner?

On your question about the source of truth, I was thinking of MongoDB or some kind of config in StackStorm so the admin can enable/disable the action, like sensors. In the JWT situation, the authorization will be done by an external service.

or some kind of config in StackStorm so the admin can enable/disable the action

So…pretty much what RBAC is designed to do then?

Yes, what RBAC does, but I would like to do it dynamically at runtime with an API call. Not with a static file or with predefined roles.

An API call to what?

If you wanted, you could add another step to your workflow that calls some external service, but I’m still a bit lost as to what this is actually giving you. What’s the benefit here?

Or are you just trying to implement RBAC for free?

I hadn’t noticed that RBAC is only in the Enterprise edition. I guess I will do the access control with an external service.
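
The approach floated in the thread, deciding whether a user may run an action from the scope claim of a JWT issued by an external service, as an added example that is not part of the original posts and is not StackStorm code. It assumes an HS256 token signed with a key shared with the issuer and a space-delimited `scope` claim listing allowed action references; `make_token`, `is_allowed` and all sample values are hypothetical and constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Stand-in for the external issuer: builds an HS256 JWT for the demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def is_allowed(token: str, action_ref: str, key: bytes, now=None) -> bool:
    """True only if the token is authentic, unexpired and its scope lists action_ref."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm; never let the token choose it (rejects alg=none).
        if header.get("alg") != "HS256":
            return False
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        # Constant-time comparison of the signature.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False
        claims = json.loads(b64url_decode(body_b64))
        current = time.time() if now is None else now
        # A short expiry is what makes revocation "dynamic": a removed
        # permission disappears when the old token expires.
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
            return False
        scope = claims.get("scope", "")
        # Exact match on whole references, not substring match.
        return isinstance(scope, str) and action_ref in scope.split()
    except (ValueError, TypeError, AttributeError):
        return False  # malformed token: fail closed

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret
    claims = {"sub": "alice", "scope": "core.local examples.hello",
              "exp": int(time.time()) + 300}
    token = make_token(claims, key)
    for ref in ("core.local", "core.remote"):
        print(ref, "->", "allow" if is_allowed(token, ref, key) else "deny")
```
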