I have reviewed the In-Depth documentation for access control and have a question about actionGroup. I have also looked at the Authorizor type to see if any APIs exist to get more information, and I don’t think it will help.
The term actionGroup is mentioned in various places. The only formal definition I could find for this term is from the access control tutorial (from static/console: Help > Documentation > Tutorials > Topic Access Control Tutorial), which reads:
> Note that actionGroups are defined through annotations on functions in c3type files, eg. @action(group='monitor')
So it seems that actionGroups can be defined arbitrarily.
Here are my questions:
- Is there a way to programmatically get all known values for actionGroup that exist within a tenant/tag?
- How do I get all functions/capabilities associated with an actionGroup? For example, I’ve seen the actionGroups “read”, “write”, and “delete”. These are somewhat intuitive, but I’d like to get a definitive list of what the “read” actionGroup entails, for example.
  I’m currently assuming “fetch()” and “evaluate()” to be members of the “read” actionGroup. I don’t know if this is correct or a complete list.
- Two action groups of interest for me are user-admin and cluster-admin. These seem much broader than “read” or “write”, and I’d like to get more information on what functions from each type are part of these action groups.