Policies
Policies determine who is allowed to perform specific actions. You can define your policy on two levels: for a Context or for a Container (Thread, Store, etc.).
This section covers policies in the Containers' scope.
Overview
Setting a policy in the Container overwrites the policy from the Context. Some of the Containers (Threads, Stores) can include items (messages, files), which have their own policy. Properties of a policy can be set to one of the following values:
- "default" - takes the default value
- "inherit" - takes value from the Context (can be used only in the Container policy)
- "none" - no one can perform this action
- "all" - all Context users can perform this action
- "user" - all Container users can perform this action
- "manager" - all Container managers can perform this action
- "owner" - only Container owner can perform this action
- "itemOwner" - only item owner can perform this action (can be used only in the item policy)
You can also combine the values listed above. If you want to allow item updates to be executed only by the item owner, with the additional assumption that they must be an active user of the Container, you can write "itemOwner&user". But if you also want to allow the Container managers to update the item, you can write "itemOwner&user,manager".
In a policy entry, the "&" character means 'and', and the comma "," means 'or'.
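As an added illustration (not code from the PrivMX documentation or libraries), the following Python models the evaluation rules just described: a comma separates alternatives ('or'), "&" joins requirements ('and'), and "inherit"/"default" are resolved to a concrete value before the check. The Principal fields and the default value handed to resolve are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """What the policy check knows about the caller (constructed for this example)."""
    in_context: bool = False         # is a user of the Context
    container_user: bool = False     # is listed as a user of the Container
    container_manager: bool = False  # is listed as a manager of the Container
    container_owner: bool = False    # created the Container
    item_owner: bool = False         # created the item being acted on


# Each simple value maps to a predicate on the caller; "default" and
# "inherit" are placeholders that must be resolved before evaluation.
SIMPLE_VALUES = {
    "none": lambda p: False,
    "all": lambda p: p.in_context,
    "user": lambda p: p.container_user,
    "manager": lambda p: p.container_manager,
    "owner": lambda p: p.container_owner,
    "itemOwner": lambda p: p.item_owner,
}


def resolve(entry: str, context_entry: str, default_entry: str) -> str:
    """Turn a Container-level entry into a concrete one: "inherit" takes the
    Context's value, "default" takes the documented default (passed in here,
    because the defaults themselves are listed in the Bridge API, not on this page)."""
    if entry == "inherit":
        return context_entry
    if entry == "default":
        return default_entry
    return entry


def allows(entry: str, caller: Principal) -> bool:
    """Evaluate a concrete policy entry such as "itemOwner&user,manager".
    ',' separates alternatives (or); '&' joins requirements (and)."""
    for alternative in entry.split(","):
        requirements = [v.strip() for v in alternative.split("&")]
        unknown = [v for v in requirements if v not in SIMPLE_VALUES]
        if unknown:
            raise ValueError(f"unknown policy value(s): {unknown}")
        if all(SIMPLE_VALUES[v](caller) for v in requirements):
            return True
    return False


if __name__ == "__main__":
    policy = "itemOwner&user,manager"
    author = Principal(in_context=True, container_user=True, item_owner=True)
    removed_author = Principal(in_context=True, item_owner=True)  # owns the item, no longer a Container user
    manager = Principal(in_context=True, container_user=True, container_manager=True)
    print(allows(policy, author), allows(policy, removed_author), allows(policy, manager))
```

The removed_author case shows why the page recommends "itemOwner&user" rather than a bare "itemOwner": ownership alone does not keep update rights once the caller is no longer a Container user.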
Default policy values
The Endpoint can only define policies at the level of Containers and items. Context-level policies include rules such as who can create Containers, so they have to be defined using the Bridge server API. The list of default policies for the Context level can be found in the PrivMX Bridge API documentation.
Policies manageable by Endpoint on Container level
Policies for Containers with items
The following table defines access and management rules for Containers with items.
ContainerPolicy | type | Enum | Description |
---|---|---|---|
item | ItemPolicy | | (optional) Container's items policy |
get | string | | (optional) Determines who can get a Container |
update | string | | (optional) Determines who can update a Container |
delete | string | | (optional) Determines who can delete a Container |
updatePolicy | string | | (optional) Determines who can update the policy |
updaterCanBeRemovedFromManagers | string | inherit, yes, no, default | (optional) Determines whether the updater can be removed from the list of managers |
ownerCanBeRemovedFromManagers | string | inherit, yes, no, default | (optional) Determines whether the owner can be removed from the list of managers |
Policies for Containers without items
The following table defines access and management rules for Containers without items.
ContainerPolicyWithoutItem | type | Enum | Description |
---|---|---|---|
get | string | | (optional) Determines who can get a Container |
update | string | | (optional) Determines who can update a Container |
delete | string | | (optional) Determines who can delete a Container |
updatePolicy | string | | (optional) Determines who can update the policy |
updaterCanBeRemovedFromManagers | string | inherit, yes, no, default | (optional) Determines whether the updater can be removed from the list of managers |
ownerCanBeRemovedFromManagers | string | inherit, yes, no, default | (optional) Determines whether the owner can be removed from the list of managers |
Policies for items
The following table defines access and management rules for items (messages, files, entries) inside a Container.
ItemPolicy | type | Enum | Description |
---|---|---|---|
get | string | | (optional) Determines who can get an item |
listMy | string | | (optional) Determines who can list items created by themselves |
listAll | string | | (optional) Determines who can list all items (this policy sets the behavior of methods such as listMessages, listFiles, listEntries) |
create | string | | (optional) Determines who can create an item |
update | string | | (optional) Determines who can update an item |
delete | string | | (optional) Determines who can delete an item |