With tyk, Is it possible to enforce role-based access control on a specific api/resource + verb ie GET vs POST? If so, can you let me know how?
Also, is there a native notion of multi-tenancy eg if I have two uris base_path/tenant1/a/b/c and base_path/tenant2/a/b/c - how do make sure tenant1 user can only access first uri and tenant2 user only the second. Is this only via path regex in security policy?
You can set METHOD and resource based permissions at the policy level (in the policy editor) or at the token level (with the REST API - it takes the same format as the policy doc):
"access_rights": {
"35447b1469df4e846894b1e87372f6d7": {
"allowed_urls": [
{
"methods": [
"GET",
],
"url": "/some_resources"
},
{
"methods": [
"POST"
],
"url": "/some_resource/(.*)"
},
],
"apiid": "35447b1269df4e846894b7e87312f6d7",
"apiname": "My API",
"versions": [
"Default"
]
}
},
There’s ways of doing this with a legacy app called the host manager that can enforce tenancy rules by generating nginx templates, it involves putting nginx in front of Tyk and using slugs instead of listen_paths, we don’t actively distribute the host manager anymore though.