In this document:
APS package developer can define access rights for the following roles:
Resource Administrator role always has full access to the APS Resource. For the others, the access is defined in the APS package as presented in the following diagram:
In a hosting system, these rules usually work recursively: that is the administrator of administrator also has full access to the resources below in the hierarchy:
Access rights are defined on different levels of resource Type declaration as specified in the Access Attributes section:
An example of the services hierarchy of the Zimbra application and required access rights associated with them is shown in the diagram below where sp represents the service provider:
Security context in APS is a zone of resources visibility for an account or end user. It means, each of accounts (provider, reseller, or customer) and end users will have own context. The context of an account or user contains all resources that the account or user owns. Once the APS controller authenticates a user, it allows the user to work with resources in their context. In the following example, a user is authenticated as a customer’s staff and thus has access to the customer’s context as a staff member.
An application has full access to all resources provisioned from it. In the following example, the application App1 gets full access to all resources provisioned from the application.
In some cases, an application may need to manage resources from another application. For example, to provision a resource for a customer or user, an application needs to reserve storage or modify a mailbox provided by another application in the same customer’s (user’s) context. APS controller enables an application for such operations by means of the impersonation mechanism.
Impersonation allows an application instance to get full control over an account’s or user’s context.
For this purpose, in its REST CRUD request, the application must send the HTTP header
APS-Resource-ID
carrying the APS ID of an APS resource provisioned through this application instance and visible
in the customer’s (user’s) context.
In the following example, the application instance App2 impersonates a customer through Resource-N provisioned through
that application instance in the customer’s context.
Due to the impersonation, the APS controller will process any REST operation requested by the application instance in the customer’s context.
The APS PHP framework provides a method for APS applications to impersonate a customer by a resource ID as explained in the Impersonation through Resource ID section.
An APS package must contain the security.json
file in the package root where the application requires one
of the following levels of impersonation:
provider
level means unlimited impersonation and it is the default for those applications that are not aware
of this mechanism and thus do not contain the security.json
file in their APS packages. This level allows
the application to impersonate any account.reseller
level allows the application to impersonate any reseller and any customer.customer
level allows the application to impersonate any customer.For example, to require the customer
level, the file content can be as follows:
{
"impersonation": {
"customer": {
"reason": "Needs to find out a list of domains to bind a VPS to."
},
"reseller": null,
"provider": null
}
}
The file structure contains one JSON parent node, called impersonation
, and up to three security context nodes,
called customer
, reseller
, and provider
.
Note
An application can require only one of the above levels. For that level, the file must provide a reason
for the request. Requests for the other levels must be either omitted, or empty, or null
.
There are the following edge cases regarding the security.json
file:
provider
(unlimited) level.none
level, that is the application is not going to impersonate any account:impersonation
node or its value is null
or empty.null
, empty, or do not exist.When the provider starts installation of an APS application instance from a package that contains the security.json
file, the control panel will show the required impersonation level and the reason for it as in the following example:
To install an APS application instance, the provider must accept the required impersonation level.
In case an application violates the allowed impersonation level, the APS controller returns the 403
code with one of
the following error messages:
none
allowed, but the application tries impersonate an account:
Impersonating any account type is prohibited for this application.
customer
allowed, but the application tries impersonate the provider or a reseller:
Impersonating <a reseller / the provider> is prohibited for this application.
The application is allowed to impersonate only a customer.
reseller
allowed, but the application tries impersonate the provider:
Impersonating the provider is prohibited for this application.
The application is allowed to impersonate only a customer or reseller.