API authorization based on resource + verb


#1

With Tyk, is it possible to enforce role-based access control on a specific API/resource + verb, i.e. GET vs POST? If so, can you let me know how?

Also, is there a native notion of multi-tenancy? E.g. if I have two URIs, base_path/tenant1/a/b/c and base_path/tenant2/a/b/c, how do I make sure the tenant1 user can only access the first URI and the tenant2 user only the second? Is this only via path regex in the security policy?


#2

You can set method- and resource-based permissions at the policy level (in the policy editor) or at the token level (with the REST API; it takes the same format as the policy doc):

    {
      "access_rights": {
        "35447b1469df4e846894b1e87372f6d7": {
          "allowed_urls": [
            {
              "methods": [
                "GET"
              ],
              "url": "/some_resources"
            },
            {
              "methods": [
                "POST"
              ],
              "url": "/some_resource/(.*)"
            }
          ],
          "apiid": "35447b1269df4e846894b7e87312f6d7",
          "apiname": "My API",
          "versions": [
            "Default"
          ]
        }
      }
    }
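As an added example (not code from the Tyk project or from anyone in this thread), here is a small Go checker that parses the access_rights format above and evaluates a request against it, covering both the per-method rules from this answer and the per-tenant path pattern asked about in the question. It assumes the url field is a regular expression matched against the whole request path; the exact matching rules are Tyk's own and are not reproduced from its source.

```go
package main

import (
	"encoding/json"
	"regexp"
)

// AllowedURL mirrors one entry of a Tyk policy's "allowed_urls" list.
type AllowedURL struct {
	URL     string   `json:"url"`
	Methods []string `json:"methods"`
}
// Policy holds "access_rights" keyed by API ID; fields not needed here are omitted.
type Policy struct {
	AccessRights map[string]struct {
		AllowedURLs []AllowedURL `json:"allowed_urls"`
	} `json:"access_rights"`
}
// Constructed sample: the two rules from the answer above plus one tenant-scoped rule.
const policyJSON = `{"access_rights":{"35447b1469df4e846894b1e87372f6d7":{"allowed_urls":[
 {"methods":["GET"],"url":"/some_resources"},
 {"methods":["POST"],"url":"/some_resource/(.*)"},
 {"methods":["GET","POST"],"url":"/tenant1/.*"}]}}}`

// LoadPolicy parses a policy document into the subset of fields checked below.
func LoadPolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// Allowed reports whether method+path is permitted for apiID. Assumption (not
// taken from Tyk's source): "url" is a regex matched against the whole path.
func Allowed(p Policy, apiID, method, path string) bool {
	rights, ok := p.AccessRights[apiID]
	if !ok {
		return false // API not granted to this key at all
	}
	for _, r := range rights.AllowedURLs {
		re, err := regexp.Compile("^" + r.URL + "$")
		if err != nil || !re.MatchString(path) {
			continue // malformed pattern or path mismatch: rule does not apply
		}
		for _, m := range r.Methods {
			if m == method {
				return true
			}
		}
	}
	return false // default deny: no rule matched
}
```

Note that with an anchored match, a tenant2 user whose key only carries the `/tenant1/.*` rule is denied `/tenant2/a/b/c`, and a POST to `/some_resources` is denied because the second rule requires the trailing slash segment.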

#3

There are ways of doing this with a legacy app called the host manager, which can enforce tenancy rules by generating nginx templates. It involves putting nginx in front of Tyk and using slugs instead of listen_paths. We don't actively distribute the host manager anymore, though.