Policies API
Policies define which actions users may or may not perform on resources. Console uses an IAM-style policy system based on service:action action strings.
Policy Object
| Field | Type | Description |
|---|---|---|
| _id | string | Unique identifier |
| arn | string | Policy ARN (arn:s42:iam::{company_id}:policy/{type}/{name}) |
| name | string | Policy name |
| description | string | Human-readable description |
| type | string | system, managed or inline |
| document | object | Policy document containing statements |
| is_deprecated | boolean | Whether the policy is deprecated |
| created_at | string | ISO 8601 creation timestamp |
| updated_at | string | ISO 8601 last-update timestamp |
Policy Document
```json
{
  "version": "2025-01-01",
  "statements": [
    {
      "sid": "AllowReadUsers",
      "effect": "Allow",
      "actions": ["users:list", "users:get"],
      "resources": ["*"]
    }
  ]
}
```
Statement Fields
| Field | Type | Required | Description |
|---|---|---|---|
| sid | string | No | Statement identifier |
| effect | string | Yes | Allow or Deny |
| actions | string[] | Yes | Action patterns (e.g. users:list, users:*, *) |
| resources | string[] | Yes | Resource ARN patterns or * |
List Policies
Returns all policies visible to the current user (managed policies plus the company's custom policies).
/v1/policies
Required permission: policies:list
Example request:
```bash
curl https://api.console.solucao42.com.br/v1/policies \
  -H "Authorization: Bearer YOUR_TOKEN"
```
Response: 200 OK
```json
{
  "total": 3,
  "quantity": 3,
  "records": [
    {
      "_id": "507f1f77bcf86cd799439011",
      "arn": "arn:s42:iam::policy/managed/ReadOnly",
      "name": "ReadOnly",
      "description": "Acceso solo lectura a todos los recursos",
      "type": "managed",
      "document": {
        "version": "2025-01-01",
        "statements": [
          {
            "sid": "ReadAll",
            "effect": "Allow",
            "actions": ["users:list", "users:get", "connections:list"],
            "resources": ["*"]
          }
        ]
      },
      "is_deprecated": false,
      "created_at": "2025-01-01T00:00:00.000Z",
      "updated_at": "2025-01-01T00:00:00.000Z"
    }
  ]
}
```
Get Policy
Returns a single policy by ID.
/v1/policies/:id
Required permission: policies:get
List Available Actions
Returns every service:action string that can be used in policy documents.
/v1/policies/actions
Authentication: required (no specific permission)
Example response:
```json
{
  "services": {
    "users": ["users:list", "users:get", "users:invite", "users:update", ...],
    "connections": ["connections:list", "connections:get", "connections:create", ...],
    "visualizations": ["visualizations:list", "visualizations:get", "visualizations:execute", ...]
  },
  "all": ["users:list", "users:get", ..., "data_api:execute", "data_api:get_job"]
}
```
Create Policy
Creates a new custom policy for the company.
/v1/policies
Required permission: policies:create
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Policy name (unique within the company) |
| description | string | No | Human-readable description |
| document | object | Yes | Policy document containing statements |
Example request:
```bash
curl -X POST https://api.console.solucao42.com.br/v1/policies \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Dashboard Viewer",
    "description": "Puede ver y ejecutar dashboards",
    "document": {
      "version": "2025-01-01",
      "statements": [
        {
          "sid": "ViewDashboards",
          "effect": "Allow",
          "actions": [
            "dashboards:list",
            "dashboards:get",
            "visualizations:list",
            "visualizations:get",
            "visualizations:execute",
            "analysis-folders:list",
            "analysis-folders:get"
          ],
          "resources": ["*"]
        }
      ]
    }
  }'
```
Response: 201 Created
Update Policy
Updates an existing custom policy.
/v1/policies/:id
Required permission: policies:update
System and managed policies (type: system or type: managed) cannot be modified via the API.
Delete Policy
Deletes a custom policy.
/v1/policies/:id
Required permission: policies:delete
Response: 204 No Content
Clone Policy
Creates a copy of an existing policy (managed policies included) as a new custom policy.
/v1/policies/:id/clone
Required permission: policies:create
Predefined Managed Policies
These policies are available in every company and can be assigned to groups but not modified.
| Policy | Key Actions |
|---|---|
| FullAdmin | * |
| ReadOnly | *:list, *:get, read-only actions across all services |
| UserManager | users:list/get/invite/update/activate/deactivate/assign_groups/remove_groups |
| GroupManager | groups:*, policies:list/get |
| ApiKeyManager | users:list_integration_users/create_integration_user/delete_integration_user, api_keys:* |
| ConnectionManager | connections:*, vpn_profiles:*, managed-tables:*, metadata:read |
| VisualizationViewer | dashboards:list/get/schedule, visualizations:list/get/execute/schedule, data_api:execute/get_job |
| VisualizationManager | visualizations:*, dashboards:share/schedule, analysis-folders:*, data_api:execute/get_job |
| AnalyticsAuthor | visualizations:*, dashboards:*, analysis-folders:*, share_tags:*, viz_api_endpoints:*, data_api:execute/get_job |
| KnowledgeManager | concepts:*, semantic:*, ontology:*, knowledge_reviews:*, metadata:read |
| DataEngineer | connections:*, vpn_profiles:*, managed-tables:*, metadata:read |
| PolicyManager | policies:* |
| CompanyAdmin | company:* |
| DataAPIConsumer | data_api:execute/get_job |
Code Examples
JavaScript:
```javascript
const API_URL = 'https://api.console.solucao42.com.br';
const token = 'your-jwt-token'; // replace with a real bearer token

// Fail loudly on non-2xx responses so that a 401/403 surfaces as an error
// instead of being parsed as if it were a policy object
async function parseResponse(response) {
  if (!response.ok) {
    throw new Error(`Console API error ${response.status}: ${await response.text()}`);
  }
  return response.json();
}

// List all available policies
async function listPolicies(token) {
  const response = await fetch(`${API_URL}/v1/policies`, {
    headers: { 'Authorization': `Bearer ${token}` },
  });
  return parseResponse(response);
}

// Create a custom policy
async function createPolicy(token, policy) {
  const response = await fetch(`${API_URL}/v1/policies`, {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${token}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(policy),
  });
  return parseResponse(response);
}

// Usage
const dashboardViewerPolicy = await createPolicy(token, {
  name: 'Dashboard Viewer',
  description: 'Solo ver y ejecutar dashboards',
  document: {
    version: '2025-01-01',
    statements: [
      {
        sid: 'ViewDashboards',
        effect: 'Allow',
        actions: [
          'dashboards:list',
          'dashboards:get',
          'visualizations:list',
          'visualizations:get',
          'visualizations:execute',
        ],
        resources: ['*'],
      },
    ],
  },
});
console.log(`Policy created: ${dashboardViewerPolicy._id}`);
```
cURL:
```bash
TOKEN="your-jwt-token"

# List policies
curl -s "https://api.console.solucao42.com.br/v1/policies" \
  -H "Authorization: Bearer $TOKEN" | jq

# List available actions
curl -s "https://api.console.solucao42.com.br/v1/policies/actions" \
  -H "Authorization: Bearer $TOKEN" | jq '.all'

# Create a policy
curl -s -X POST "https://api.console.solucao42.com.br/v1/policies" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Dashboard Viewer",
    "description": "Solo ver y ejecutar dashboards",
    "document": {
      "version": "2025-01-01",
      "statements": [
        {
          "sid": "ViewDashboards",
          "effect": "Allow",
          "actions": [
            "dashboards:list",
            "dashboards:get",
            "visualizations:list",
            "visualizations:get",
            "visualizations:execute"
          ],
          "resources": ["*"]
        }
      ]
    }
  }' | jq

# Delete a policy
curl -s -X DELETE "https://api.console.solucao42.com.br/v1/policies/POLICY_ID" \
  -H "Authorization: Bearer $TOKEN"
```
Best Practices
- Start from managed policies: clone a managed policy and adjust it rather than building one from scratch.
- Use Deny sparingly: Deny overrides any Allow, so reserve it for explicit exceptions.
- Least privilege: grant only the actions the user actually needs.
- Descriptive names: Analytics Team Viewer is better than Policy 1.
- Test before assigning: verify that the policy does what you expect using the /v1/auth/permissions endpoint.
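The statement fields and the "Deny overrides Allow" rule above describe an evaluation model; the following added example (not Console's own code or SDK) implements that model locally so a policy document can be sanity-checked against the field rules and dry-run against sample actions before it is sent to POST /v1/policies. It assumes "*" is the only wildcard in action and resource patterns, and the sample documents are constructed from the ReadOnly listing above.

```javascript
// Added example, not Console's own code: a local evaluator for the policy document
// format above. Assumes "*" is the only wildcard and an explicit Deny beats any Allow.
// "users:*" -> anchored RegExp; every character other than "*" is matched literally.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

function matchesAny(patterns, value) {
  return patterns.some((p) => patternToRegExp(p).test(value));
}
// Check a document against the statement field rules before POST /v1/policies:
// effect must be Allow or Deny; actions and resources non-empty string arrays.
function validateDocument(doc) {
  const errors = [];
  if (!Array.isArray(doc.statements) || doc.statements.length === 0) {
    return ['statements must be a non-empty array'];
  }
  doc.statements.forEach((s, i) => {
    const where = s.sid || `statement[${i}]`;
    if (s.effect !== 'Allow' && s.effect !== 'Deny') errors.push(`${where}: effect must be Allow or Deny`);
    for (const field of ['actions', 'resources']) {
      const v = s[field];
      if (!Array.isArray(v) || v.length === 0 || !v.every((x) => typeof x === 'string' && x.length > 0)) {
        errors.push(`${where}: ${field} must be a non-empty array of strings`);
      }
    }
  });
  return errors;
}

// Decide one action on one resource across all documents attached to a user:
// a matching Deny wins, else a matching Allow grants, else default deny.
function isAllowed(documents, action, resource = '*') {
  let allowed = false;
  for (const doc of documents) {
    for (const s of doc.statements) {
      if (!matchesAny(s.actions, action) || !matchesAny(s.resources, resource)) continue;
      if (s.effect === 'Deny') return false;
      allowed = true;
    }
  }
  return allowed;
}
// Constructed sample documents: the managed ReadOnly policy plus a custom Deny exception.
const readOnlyDoc = { version: '2025-01-01', statements: [
  { sid: 'ReadAll', effect: 'Allow', actions: ['users:list', 'users:get', 'connections:list'], resources: ['*'] }] };
const denyUserGetDoc = { version: '2025-01-01', statements: [
  { sid: 'NoUserDetails', effect: 'Deny', actions: ['users:get'], resources: ['*'] }] };
```

Run the same action set through isAllowed with and without the Deny document to see the override in effect, then compare the result with what /v1/auth/permissions reports once the policy is assigned.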