Access Rules
Access Rules are the building blocks for constructing fine-grained access control policies for an Application. When performing an operation through the Basis Theory API, Access Rules are evaluated in priority order until the first rule is found with matching container or conditions. Once a matching rule is identified, the transform defined on the rule determines if and how Token data will be returned from the API. If no matching rules are found, access to the requested resource is denied with a 403 Forbidden error.
Access Rules Logic
Access Rules are combined with an implicit OR operator: if any rule matches, the operation is allowed (the first matching rule in priority order is the one applied); if no rule matches, the operation is denied.
Access Rule Conditions are combined with an implicit AND operator: every condition on a rule must be satisfied for that rule to match.
Access Rule
Attribute | Type | Description |
---|---|---|
description | string | A description of this Access Rule |
priority | int | The priority of the rule. Evaluation starts at 1; a higher number means lower precedence |
container | string | (Optional) The container of Tokens this rule is scoped to |
conditions | array | (Optional) List of conditions that must all be satisfied for the rule to match. Only applies to sessions |
transform | string | The transform to apply to accessed Tokens |
permissions | array | List of permissions to grant on this Access Rule |
container is only required for public and private applications, whilst conditions is only required for sessions. They are mutually exclusive.
Access Rule Transforms
Name | Type | Description |
---|---|---|
Redact | redact | Redacts the data property from Token responses |
Mask | mask | Returns the masked value in the data property on Token responses if a mask is defined, otherwise data is redacted |
Reveal | reveal | Returns the plaintext value in the data property in Token responses |
Access Rule Conditions
Attribute | Type | Description |
---|---|---|
attribute | string | The token attribute the condition is evaluated on. Either id or container |
operator | string | The operator used for the evaluation. Either starts_with or equals |
value | string | The value to evaluate against the token attribute |
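The following is an added reference evaluator that puts the semantics described on this page (priority order, first match wins, OR across rules, AND across conditions, the three transforms, and the 403 when nothing matches) into runnable form. It is not Basis Theory code. Two details are assumptions the page does not state: a rule's container matches a token whose container path starts with it (hierarchical containers), and the requested permission must appear in a rule's permissions for that rule to match, otherwise the rule is skipped. The token, rule sets and permission names are constructed for the example.

```python
"""Added example: reference evaluator for the Access Rule semantics above.
Not Basis Theory code. Assumptions (not stated on the page): container
matching is a path-prefix match, and a rule only matches if it lists the
requested permission."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Token:
    id: str
    container: str
    data: str
    mask: Optional[str] = None  # masked value, present only if a mask is defined


@dataclass
class AccessRule:
    description: str
    priority: int          # 1 is evaluated first; higher numbers later
    permissions: list
    transform: str         # "redact" | "mask" | "reveal"
    container: Optional[str] = None                  # public/private applications
    conditions: list = field(default_factory=list)   # sessions only


def condition_matches(cond: dict, token: Token) -> bool:
    """One condition: attribute in {id, container}, operator in {equals, starts_with}."""
    if cond["attribute"] not in ("id", "container"):
        raise ValueError(f"unsupported attribute {cond['attribute']!r}")
    actual = getattr(token, cond["attribute"])
    if cond["operator"] == "equals":
        return actual == cond["value"]
    if cond["operator"] == "starts_with":
        return actual.startswith(cond["value"])
    raise ValueError(f"unsupported operator {cond['operator']!r}")


def rule_matches(rule: AccessRule, token: Token, permission: str) -> bool:
    if rule.container is not None and rule.conditions:
        raise ValueError("container and conditions are mutually exclusive")
    if permission not in rule.permissions:          # assumption, see module docstring
        return False
    if rule.container is not None:
        return token.container.startswith(rule.container)   # assumption: path prefix
    if rule.conditions:
        return all(condition_matches(c, token) for c in rule.conditions)  # implicit AND
    return False


def apply_transform(transform: str, token: Token) -> dict:
    """Shape the token response: redact drops `data`; mask falls back to redact."""
    response = {"id": token.id, "container": token.container}
    if transform == "reveal":
        response["data"] = token.data
    elif transform == "mask" and token.mask is not None:
        response["data"] = token.mask
    elif transform not in ("redact", "mask"):
        raise ValueError(f"unsupported transform {transform!r}")
    return response


def evaluate(rules: list, token: Token, permission: str) -> tuple:
    """First matching rule in priority order wins (implicit OR across rules)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, token, permission):
            return 200, apply_transform(rule.transform, token)
    return 403, {"error": "Forbidden"}


# Constructed sample token: a card number stored under /pci/ with a mask defined.
CARD = Token(id="tok_card_1", container="/pci/", data="4242424242424242",
             mask="XXXXXXXXXXXX4242")


def misordered_rules() -> list:
    # A broad reveal rule at priority 1 shadows the narrower redact rule behind it.
    return [
        AccessRule("reveal everything", 1, ["token:read"], "reveal", container="/"),
        AccessRule("redact PCI", 2, ["token:read"], "redact", container="/pci/"),
    ]


def corrected_rules() -> list:
    # Most specific container first, broad fallback last.
    return [
        AccessRule("redact PCI", 1, ["token:read"], "redact", container="/pci/"),
        AccessRule("reveal everything else", 2, ["token:read"], "reveal", container="/"),
    ]


def session_rules() -> list:
    # Session-style rule: both conditions must hold (implicit AND).
    return [AccessRule("one token, masked", 1, ["token:read"], "mask", conditions=[
        {"attribute": "container", "operator": "starts_with", "value": "/pci/"},
        {"attribute": "id", "operator": "equals", "value": "tok_card_1"},
    ])]


if __name__ == "__main__":
    print(evaluate(misordered_rules(), CARD, "token:read"))  # plaintext leaks
    print(evaluate(corrected_rules(), CARD, "token:read"))   # data redacted
    print(evaluate(session_rules(), CARD, "token:read"))     # masked value
    print(evaluate(session_rules(), CARD, "token:delete"))   # 403, permission not granted
```

The two container-scoped rule sets differ only in priority, which is the check worth making when reviewing a policy: because evaluation stops at the first match, a broad "/" rule with a permissive transform placed ahead of a narrower "/pci/" rule silently reveals the very data the narrower rule was meant to protect. The session rule shows the AND semantics: a token in the right container but with a different id gets no match and therefore a 403.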