Fine-Grained Access Control

Group-based permissions with JWT authentication. Control who can execute what, on which resources, on which nodes.

Real-World Use Case: Enterprise with Multiple Teams

DevOps, Security, and Platform teams need different permissions while sharing a single cluster; fine-grained access control makes that possible.

1. Group-Based Permissions

ACL Configuration
# Create DevOps group
$ curl -X POST /api/v1.0/groups \
  -d '{
  "name": "devops",
  "permissions": {
    "orchestrations": ["can_read", "can_create", "can_execute"],
    "vault": ["can_read:app-*"],
    "servers": ["can_read", "can_register"],
    "files": ["can_upload"]
  }
}'

# Security team - limited access
$ curl -X POST /api/v1.0/groups \
  -d '{
  "name": "security",
  "permissions": {
    "vault": ["can_read"],
    "logs": ["can_query"],
    "users": ["can_read"]
  }
}'

Namespace-Based Control

  • Wildcards: vault:prod-*
  • Fine-grained: can_execute_on:prod-servers
  • Hierarchical: Inherit from parent groups
  • Temporal: Time-limited permissions

2. JWT Token Lifecycle

Secure Token Management

Short-lived access tokens minimize damage if leaked:

  • Access tokens: 15 minutes
  • Refresh tokens: 30 days
  • Automatic refresh when expired
  • Revocation support

Token Flow
# Login to get tokens
$ curl -X POST /api/v1.0/auth/login \
  -d '{
  "username": "alice",
  "password": "secret"
}'

{
  "access_token": "eyJ...valid for 15 min",
  "refresh_token": "eyJ...valid for 30 days"
}

# Token automatically validated on every request
$ curl /api/v1.0/orchestrations \
  -H "Authorization: Bearer $ACCESS_TOKEN"

Additional Capabilities

🔄 Role-Based Access Control

Pre-defined roles (Admin, Developer, Viewer), plus the ability to create custom roles with specific permission sets.

Role Definition
"role": "app-deployer",
"permissions": [
  "orchestrations:execute:prod-*",
  "vault:read:app-secrets"
]

⏰ Time-Based Permissions

Grant access for specific time windows. Perfect for maintenance windows or contractor access.

Temporal Access
"permissions": [{
  "action": "execute",
  "from": "2025-03-12T10:00Z",
  "to": "2025-03-12T12:00Z"
}]
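As an added worked example, not code from the product or its documentation, the following Python evaluator applies the permission forms shown above: "type:action:resource-pattern" strings with wildcards, time-windowed entries, and inheritance from parent groups. The group table, the "inherits" key and the "resource" key on temporal entries are assumptions made for the illustration.

```python
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed group table (assumed shape, not the product's storage format):
# each group lists permission entries and, optionally, parent groups to inherit.
GROUPS = {
    "viewer": {"permissions": ["orchestrations:read:*", "vault:read:app-*"]},
    "app-deployer": {
        "inherits": ["viewer"],
        "permissions": [
            "orchestrations:execute:prod-*",
            "vault:read:app-secrets",
            # Temporal entry; "resource" is an assumed addition to the page's form.
            {"action": "execute", "resource": "servers:db-*",
             "from": "2025-03-12T10:00Z", "to": "2025-03-12T12:00Z"},
        ],
    },
}

def _ts(value):
    """Parse the page's '2025-03-12T10:00Z' style timestamps as aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _entries(group, seen=None):
    """Yield a group's permission entries plus those of its parent groups."""
    if seen is None:
        seen = set()
    if group in seen or group not in GROUPS:   # unknown or cyclic parent: skip
        return
    seen.add(group)
    for parent in GROUPS[group].get("inherits", []):
        yield from _entries(parent, seen)
    yield from GROUPS[group].get("permissions", [])

def _matches(entry, rtype, action, name, now):
    """Does one entry grant (rtype, action, name) at time `now`?"""
    if isinstance(entry, dict):                  # time-windowed entry
        if not (_ts(entry["from"]) <= now < _ts(entry["to"])):
            return False
        etype, pattern = entry["resource"].split(":", 1)
        eaction = entry["action"]
    else:                                        # "type:action[:pattern]"
        etype, eaction, *rest = entry.split(":")
        pattern = rest[0] if rest else "*"
    return etype == rtype and eaction == action and fnmatchcase(name, pattern)

def is_allowed(user_groups, rtype, action, name, now=None):
    """Deny by default; allow only if some entry in some group (or parent) matches."""
    now = now or datetime.now(timezone.utc)
    return any(_matches(e, rtype, action, name, now)
               for g in user_groups for e in _entries(g))
```

Unknown groups and unknown resource types contribute no grants, so a request for them is denied rather than raising.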

📍 Resource-Level ACLs

Control access at the resource level: specific orchestrations, vaults, or servers.

Resource Permissions
"resources": {
  "orch-deploy": ["read", "execute"],
  "vault-prod": ["read"]
}

🔐 Multi-Factor Authentication

Optional MFA support via TOTP for sensitive operations and user management.

MFA Config
"mfa": {
  "required_for": [
    "vault:write",
    "user:create"
  ],
  "algorithm": "TOTP"
}

🔑 Least Privilege

Users get minimum permissions needed for their job.

📊 Audit Ready

All access logged for compliance and forensics.

Short-Lived Tokens

15-minute access tokens limit the exposure window.

🔒 No Passwords Stored

Authentication uses JWT tokens; only SHA-256 hashes of passwords are stored, never the passwords themselves.