Question
Can the okera token specify multiple groups if the user belongs to more than one group?
In this example, the token is specified for a single group named group1.
Is it possible for the token to contain multiple groups i.e., group1 and group2?
Answer
Yes. At a high level, the way that ODAS uses the groups information is that, for a given query for a given user, ODAS iterates over the list of groups associated with that user and compares each group to the configured roles, looking for an exact match (for the example token, that would be the role 'group1'). As soon as a group is found that maps to a role that has sufficient privileges to execute the requested query, that process ceases. If all the groups for a user are tested with none of them providing sufficient access to execute the query, then the query is rejected with an error message indicating that the user lacked sufficient privilege for the requested operation.
For more information about how Okera uses JWT tokens, refer to the documentation here.
Comments
0 comments
Please sign in to leave a comment.