Allow policy enforcement on the target of an API, not just its parameters

Registered by Henry Nash

Today we support policy enforcement on any items that are passed into an api call, even the individual fields of an object. However, there are times when you want to enforce policy on the object the api is operating on (for example on DELETE).

A classic example would be having a domain admin that has the responsibility for managing users in a given domain. A cloud provider would want to be able to set the policy file so that such a domain admin could ONLY manage users in the appropriate domain. Today this works for create user since we pass the whole object into the call (and domain_id is a field of the user object), but won't work for update/delete - since the whole user object isn't passed into the call. In fact we want to enact the policy on the target of the api call, not on the parameters passed into it.

We should also support the protection of role assignments in the same way, e.g. being able to specify that an api caller can only modify a role assignment where the domain_id of the actor (e.g. user or group) of the role assignment is the same as the scope of the caller. This enables the division of administration between, say, a cloud administrator and a domain administrator.

This may not require a change to the policy engine, but would require us to change how we call it for our protected apis.

Blueprint information

Henry Nash
Henry Nash
Henry Nash
Series goal:
Accepted for havana
Milestone target:
milestone icon 2013.2
Started by
Henry Nash
Completed by
Henry Nash

Related branches



[kspear] +1. If you're looking for use cases: at NeCTAR we want to be able to assign a TenantManager role to a user in a tenant that then allows the user to add/remove users in that particular tenant.

Gerrit topic:,topic:bp/policy-on-api-target,n,z

Addressed by:
    Implement API protection on target entities


Work Items

This blueprint contains Public information 
Everyone can see this information.