
Authorization

Understanding PDaaS authorization with AWS IAM-style policies, groups, and permissions.

Overview

PDaaS uses an AWS IAM-inspired authorization system with:

  • Policies - Define permissions: statements that Allow or Deny actions on resources
  • Groups - Collections of users and service accounts that share the policies attached to the group
  • Account Scoping - Every permission applies only within a specific account; a group membership is granted per account, so the same user can hold different permissions in different accounts

Core Concepts

Policies

Policies define what can be done:

{
  "Version": "2023-10-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["accounts:GetAccount", "accounts:ListAccounts"],
      "Resource": "*"
    }
  ]
}

Groups

Groups define who gets which policies:

Administrators Group
├── Attached Policy: AdminAccess
├── Members:
│ ├── [email protected] (Production Account)
│ └── [email protected] (Production Account)

Permission Evaluation

  1. Explicit Deny - If any applicable policy statement denies the action on the resource, the request is denied, regardless of any Allow
  2. Explicit Allow - If at least one applicable statement allows the action and no statement denies it, the request is allowed
  3. Default Deny - If no statement allows the action, the request is denied
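The following is an added worked example, not PDaaS code, showing the three evaluation rules above together with account scoping in a minimal evaluator. It assumes that a principal's applicable policies are the ones attached to the groups they belong to in the account being evaluated, that `*` in Action and Resource is a glob wildcard, and that a Deny anywhere short-circuits evaluation. The policies, group names, principals and accounts are constructed for illustration.

```python
"""Minimal deny-overrides policy evaluator (illustrative, not PDaaS code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Request:
    principal: str   # user or service account making the call
    account: str     # account the request is scoped to
    action: str      # e.g. "accounts:GetAccount"
    resource: str    # e.g. "*" or a specific resource identifier


@dataclass
class Group:
    name: str
    policies: list   # policy documents in the JSON shape shown on this page
    members: dict    # principal -> set of accounts the membership applies in


# Constructed sample policies (assumed names, not from the PDaaS docs).
ADMIN_ACCESS = {"Version": "2023-10-01", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY = {"Version": "2023-10-01", "Statement": [
    {"Effect": "Allow",
     "Action": ["accounts:GetAccount", "accounts:ListAccounts"],
     "Resource": "*"}]}
DELETE_FREEZE = {"Version": "2023-10-01", "Statement": [
    {"Effect": "Deny", "Action": "accounts:DeleteAccount", "Resource": "*"}]}

# Constructed sample groups: alice is an administrator in Production only,
# but also sits in a group that explicitly denies deletes there.
GROUPS = [
    Group("Administrators", [ADMIN_ACCESS],
          {"alice": {"Production"}, "carol": {"Staging"}}),
    Group("Viewers", [READ_ONLY], {"bob": {"Production"}}),
    Group("DeleteFreeze", [DELETE_FREEZE], {"alice": {"Production"}}),
]


def _as_list(value):
    """Action/Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """Glob match so that "*" and "accounts:*" behave as wildcards."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def applicable_policies(principal, account, groups):
    """Account scoping: only groups the principal belongs to *in this account* count."""
    return [policy for group in groups
            if account in group.members.get(principal, set())
            for policy in group.policies]


def evaluate(req, groups=GROUPS):
    """Return "Allow" or "Deny" following explicit deny -> explicit allow -> default deny."""
    allowed = False
    for policy in applicable_policies(req.principal, req.account, groups):
        for stmt in policy.get("Statement", []):
            if not (_matches(stmt.get("Action", []), req.action)
                    and _matches(stmt.get("Resource", []), req.resource)):
                continue  # statement does not apply to this action/resource
            if stmt.get("Effect") == "Deny":
                return "Deny"  # rule 1: an explicit deny wins immediately
            if stmt.get("Effect") == "Allow":
                allowed = True  # rule 2: remember the allow, keep looking for denies
    return "Allow" if allowed else "Deny"  # rule 3: default deny


if __name__ == "__main__":
    for req in [
        Request("alice", "Production", "accounts:GetAccount", "*"),
        Request("alice", "Production", "accounts:DeleteAccount", "*"),
        Request("alice", "Staging", "accounts:GetAccount", "*"),
        Request("bob", "Production", "accounts:DeleteAccount", "*"),
    ]:
        print(req, "->", evaluate(req))
```

Two points worth checking in your own policies follow from this: a Deny attached to any group a principal is in overrides an AdminAccess-style Allow from another group, and membership in a group in one account grants nothing in another account, so `alice` is denied even a read in `Staging` although she is an administrator in `Production`.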
