Role-Based Access Control Policy
You can use the role-based access control policy (RBAC) to control access to a resource by specifying the required roles to access it. The policy can be configured to allow only incoming requests with at least one role matching the configured roles.
Role-based access can be configured in a policy rule or in the authentication source on a Gateway. To set up roles on a Gateway, see this topic.
Note:
- If you have configured Restrictions by Role on the Deployed API screen, a role-based access control policy is created as part of the standard policies.
- The RBAC policy depends on authorization, so it must always be executed after the standard policy.
Timing
| On Request | On Response |
|---|---|
| X | |
Configuration
| Property | Required | Description | Type | Default |
|---|---|---|---|---|
| roles | yes | The list of required roles. | Array of strings | |
Example
```json
{ "roles": { "requiredRoles": ["read", "write", "admin"] } }
```
Errors
| Code | Message |
|---|---|
| 403 | If the policy roles do not match the authenticated user's roles, you will see the following error message: `Role(s) <LIST_OF_USER_ROLES> for user <USER_NAME> do not match the required role(s) for this request.` If the authenticated user doesn't have any roles, you will see the following error message: `No Role(s) are associated for user <USER_NAME> to validate the current request.` |
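The following is an added illustration, not the Gateway's own code: it evaluates the "at least one role matches" rule against the configuration shape shown in the Example section and produces the two 403 messages documented above. The comma-separated rendering of `<LIST_OF_USER_ROLES>` and the `Decision` structure are assumptions made for this example.

```python
import json
from dataclasses import dataclass
from typing import Iterable, Optional

# Policy configuration taken from the page's Example section.
POLICY_CONFIG = json.loads('{ "roles": { "requiredRoles": ["read", "write", "admin"] } }')


@dataclass
class Decision:
    allowed: bool
    status: int              # 200 when the request passes, 403 when it is rejected
    message: Optional[str]   # the documented error message, or None when allowed


def required_roles(config: dict) -> set:
    """Read the required roles out of the policy configuration (page's JSON shape)."""
    return set(config["roles"]["requiredRoles"])


def evaluate_rbac(config: dict, user_name: str, user_roles: Iterable[str]) -> Decision:
    """Allow the request only if at least one user role matches a required role."""
    roles = list(user_roles)
    # A user with no roles at all cannot be validated; report it with the dedicated message.
    if not roles:
        return Decision(False, 403,
                        f"No Role(s) are associated for user {user_name} "
                        f"to validate the current request.")
    # Any overlap between the user's roles and the required roles is sufficient.
    if set(roles) & required_roles(config):
        return Decision(True, 200, None)
    # Assumption: the user's roles are rendered as a comma-separated list in the message.
    return Decision(False, 403,
                    f"Role(s) {', '.join(roles)} for user {user_name} "
                    f"do not match the required role(s) for this request.")


if __name__ == "__main__":
    # Constructed sample users exercising the allow path and both 403 messages.
    for user, roles in [("alice", ["read"]), ("bob", ["guest"]), ("carol", [])]:
        print(user, evaluate_rbac(POLICY_CONFIG, user, roles))
```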