Permissions overview


Each module that defines permissions should use a unique prefix, related to the module-name, at the start of the names of permissions that it defines. For example, mod-users defines the "ability to read a collection of user records" permission, so the name of that permission has a users prefix, yielding users.collection.get.

Permissions defined in front-end modules are given names whose prefixes begin with ui-. For example, the high-level "can edit user profiles" permission, defined in ui-users, is named ui-users.edit.

Source: Naming permissions

Permission properties in a ModuleDescriptor, the Okapi request header that carries each one, and what it means:

permissionsRequired (X-Okapi-Permissions-Required)
    Strictly necessary to call the module. A request whose user does not hold every one of these is rejected by the authorization module before it reaches the handler.
permissionsDesired (X-Okapi-Permissions-Desired)
    Not necessary, but if present the module may do some extra operations (for example, show sensitive data about a patron).
modulePermissions (X-Okapi-Module-Permissions)
    Permissions granted to the module itself, which it can make use of when making further calls to other modules. They belong to the module, not to the calling user.
X-Okapi-Extra-Permissions
    Additional permissions granted by Okapi itself. Used only between Okapi and the authorization module, in some special situations, such as when a ModuleDescriptor has a "redirect" routing entry that also carries module-specific permissions.
X-Okapi-Permissions
    The permissions a module expressed interest in (required or desired) and which were granted to this user. Can be used to modify the way a module behaves.
X-Okapi-Tenant
    The name of the tenant.
X-Okapi-Token
    A JWT token given to a user after authentication.
X-Okapi-Url
    The URL where modules may contact Okapi for making requests to other modules. Can be set on Okapi's command line at startup.
X-Okapi-Trace
    Added to responses from Okapi to help debug where the request actually went and how long it took.
X-Okapi-User-Id
    The user ID of the logged-in user.
X-Okapi-Request-Id
    Identifies the original request to Okapi. Useful for logging.
X-Okapi-Module-Tokens
    JWT tokens made specifically for invoking given modules. Used only between Okapi and the authorization module.
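The following is an added, runnable illustration of the three permission properties above and of the onward-call pattern that the mod-users-bl table lower on this page relies on; it is not Okapi's, mod-authtoken's or any FOLIO module's own code. It models the authorization decision for one handler: every permissionsRequired entry must be held by the caller, permissionsDesired entries are optional but are reported back in X-Okapi-Permissions when held, and modulePermissions are handed to the module itself so it can make its own calls regardless of what the caller holds. The handler paths and permission names are copied from the mod-users and mod-users-bl tables; the descriptor JSON shape, the users.all permission set, the redaction policy in render_user and all function names are assumptions made for this example.

```python
import json
import re

# Two constructed ModuleDescriptor-style fragments. Handler paths and permission
# names are taken from the mod-users and mod-users-bl tables on this page; the
# JSON shape and the "users.all" permission set are assumptions made for this
# example and are not quoted from either module.
USERS_DESCRIPTOR = json.loads("""
{"provides": [{"id": "users", "handlers": [
   {"methods": ["GET"], "pathPattern": "/users",
    "permissionsRequired": ["users.collection.get"],
    "permissionsDesired": ["users.read.basic", "users.read.restricted"],
    "modulePermissions": ["perms.users.get"]},
   {"methods": ["GET"], "pathPattern": "/users/{id}",
    "permissionsRequired": ["users.item.get"],
    "permissionsDesired": ["users.read.basic", "users.read.restricted"]}]}],
 "permissionSets": [
   {"permissionName": "users.all",
    "subPermissions": ["users.collection.get", "users.item.get",
                       "users.read.restricted"]}]}
""")
BL_DESCRIPTOR = json.loads("""
{"provides": [{"id": "users-bl", "handlers": [
   {"methods": ["GET"], "pathPattern": "/bl-users/by-id/{id}",
    "permissionsRequired": ["users-bl.item.get", "perms.users.get"],
    "modulePermissions": ["users.item.get", "users.collection.get",
                          "perms.users.get", "login.item.get"]}]}]}
""")


def expand_permissions(descriptor, granted):
    """A caller holding a permission set (e.g. users.all) effectively holds
    every subPermission beneath it, transitively."""
    sets = {p["permissionName"]: p.get("subPermissions", [])
            for p in descriptor.get("permissionSets", [])}
    held, todo = set(), list(granted)
    while todo:
        name = todo.pop()
        if name not in held:
            held.add(name)
            todo.extend(sets.get(name, []))
    return held


def find_handler(descriptor, method, path):
    """Match method and path against handler pathPatterns; {id} matches one segment."""
    for iface in descriptor["provides"]:
        for handler in iface["handlers"]:
            regex = "^" + re.sub(r"\{[^/]+\}", "[^/]+", handler["pathPattern"]) + "$"
            if method in handler["methods"] and re.match(regex, path):
                return handler
    return None


def authorize(descriptor, method, path, caller_permissions):
    """Return (allowed, headers). All permissionsRequired must be held; held
    permissionsDesired are reported in X-Okapi-Permissions; modulePermissions
    are passed to the module itself whatever the caller holds."""
    handler = find_handler(descriptor, method, path)
    if handler is None:
        return False, {}
    held = expand_permissions(descriptor, caller_permissions)
    required = set(handler.get("permissionsRequired", []))
    desired = set(handler.get("permissionsDesired", []))
    if not required <= held:
        return False, {}
    return True, {
        "X-Okapi-Permissions": json.dumps(sorted((required | desired) & held)),
        "X-Okapi-Module-Permissions": json.dumps(handler.get("modulePermissions", [])),
    }


def granted_permissions(headers):
    """Parse the JSON array carried in X-Okapi-Permissions."""
    return json.loads(headers.get("X-Okapi-Permissions", "[]"))


def render_user(record, headers):
    """How a module might act on X-Okapi-Permissions. The policy (drop the
    'personal' block unless users.read.restricted was granted) is an assumption
    for this example, not mod-users' actual behaviour."""
    out = dict(record)
    if "users.read.restricted" not in granted_permissions(headers):
        out.pop("personal", None)
    return out


def chained_call(user_permissions, user_id):
    """Two hops: the user calls mod-users-bl, which calls mod-users with the
    permissions Okapi granted to the module, not with the user's own set."""
    ok, bl_headers = authorize(BL_DESCRIPTOR, "GET", "/bl-users/by-id/" + user_id,
                               user_permissions)
    if not ok:
        return "denied at mod-users-bl"
    module_perms = json.loads(bl_headers["X-Okapi-Module-Permissions"])
    ok, _ = authorize(USERS_DESCRIPTOR, "GET", "/users/" + user_id, module_perms)
    return "ok" if ok else "denied at mod-users"
```

The chained_call function is the point of the modulePermissions column: a caller holding only users-bl.item.get and perms.users.get gets a composite record back even though it never held users.item.get, because the second hop is authorized with the module's permissions. That is convenient, but it also means every modulePermissions entry in a descriptor is a capability the module exercises on behalf of any caller it lets through, so the permissionsRequired list in front of it is what actually gates that capability.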


mod-configuration

Permission                              Request                                Additional permissions for request
configuration.entries.collection.get    GET /configurations/entries
configuration.entries.item.get          GET /configurations/entries/{id}
configuration.entries.item.post         POST /configurations/entries
configuration.entries.item.put          PUT /configurations/entries/{id}
configuration.entries.item.delete       DELETE /configurations/entries/{id}
configuration.audit.collection.get
configuration.all
ui-request

Permission
module.requests.enabled
ui-requests.all
mod-login-saml

Permission               Request                 Additional permissions for request
login-saml.regenerate    /saml/regenerate
  modulePermissions
    • configuration.entries.collection.get
    • configuration.entries.item.post
    • configuration.entries.item.put
login-saml.all
-                        /saml/login
  modulePermissions
    • configuration.entries.collection.get
-                        /saml/callback
  modulePermissions
    • auth.signtoken
    • configuration.entries.collection.get
    • users.collection.get
-                        /saml/check
  modulePermissions
    • configuration.entries.collection.get
-                        /saml/configuration
  modulePermissions
    • configuration.entries.collection.get
    • configuration.entries.item.post
    • configuration.entries.item.put
-                        /saml/validate

A "-" in the Permission column means the page lists no user permission for that request. Such an endpoint is callable without a user permission check, but still runs with the module permissions shown next to it (HTTP methods are not given on this page).
ui-search

Permission
module.search.enabled
mod-login

Permission             Request                         Additional permissions for request / body example
login.item.get         GET /authn/credentials/{id}
login.item.post        POST /authn/credentials
  Body example:
  {
    "username": "<user_name>",
    "id": "<id>",
    "active": true,
    "type": "patron",
    "personal": {
      "email": "<user_email>",
      "phone": "<user_phone>",
      "lastName": "<user_last_name>",
      "firstName": "<user_first_name>"
    },
    "meta": {
      "creation_date": "<date>",
      "last_login_date": ""
    }
  }
login.item.put         PUT /authn/credentials/{id}
login.item.delete      DELETE /authn/credentials/{id}
login.collection.get   GET /authn/credentials
  modulePermissions
    • users.collection.get
login.all
-                      POST /authn/login
  modulePermissions
    • auth.signtoken
    • users.collection.get
  Body example:
  {
    "username": "<user_name>",
    "password": "<user_password>",
    "tenant": "diku"
  }

A "-" in the Permission column means no user permission is listed for that request: POST /authn/login is reached before the caller has a token. Its auth.signtoken module permission is used, once the password check succeeds, for the onward call that issues the user's JWT (the X-Okapi-Token described above).
ui-checkout

Permission
module.checkout.enabled
ui-checkout.all
settings.checkout.enabled
mod-permissions

Permission                     Request                                        Additional permissions for request / body example
perms.users.get                GET /perms/users
perms.users.item.post          POST /perms/users
  Body example:
  {
    "id": "<id>",
    "userId": "<user_id>",
    "permissions": [
      "perms.all",
      "login.all",
      "users.all"
      ...
    ]
  }
perms.users.item.put           PUT /perms/users/{id}
  Body example: as for POST /perms/users above.
perms.users.item.delete        DELETE /perms/users/{id}/permissions/{perm}
                               DELETE /perms/users/{id}
perms.permissions.get          GET /perms/permissions/{id}
                               GET /perms/permissions
perms.permissions.item.post    POST /perms/permissions
perms.permissions.item.put     PUT /perms/permissions/{id}
perms.permissions.item.delete  DELETE /perms/permissions/{id}
perms.permissions
perms.users
perms.all

perms.users.item.post and perms.users.item.put write the "permissions" list of a user record, and the body example shows that list can include perms.all. Whoever holds these (directly, or through perms.users or perms.all) can grant any permission to any user, including themselves, so they should be treated as administrative permissions.
ui-checkin

Permission
module.checkin.enabled
ui-checkin.all
mod-users

Permission                    Request                      Additional permissions for request / example
users.collection.get          GET /users
  modulePermissions
    • perms.users.get
  permissionsDesired
    • users.read.basic
    • users.read.restricted
users.item.get                GET /users/{id}
  permissionsDesired
    • users.read.basic
    • users.read.restricted
users.read.basic
users.read.restricted
users.item.post               POST /users
  Body example:
  {
    "username": "<user_name>",
    "id": "<id>",
    "active": true,
    "type": "patron",
    "personal": {
      "email": "<user_email>",
      "phone": "<user_phone>",
      "lastName": "<user_last_name>",
      "firstName": "<user_first_name>"
    },
    "meta": {
      "creation_date": "<date>",
      "last_login_date": ""
    }
  }
users.item.put                PUT /users/{id}
users.item.delete             DELETE /users/{id}
usergroups.collection.get     GET /groups
usergroups.item.get           GET /groups/{id}*
usergroups.item.post          POST /groups*
usergroups.item.put           PUT /groups/{id}*
usergroups.item.delete        DELETE /groups/{id}*
addresstypes.collection.get   GET /addresstypes
addresstypes.item.get         GET /addresstypes/{id}
addresstypes.item.post        POST /addresstypes
addresstypes.item.put         PUT /addresstypes/{id}
addresstypes.item.delete      DELETE /addresstypes/{id}
proxiesfor.collection.get     GET /proxiesfor
proxiesfor.item.get           GET /proxiesfor/{id}
proxiesfor.item.post          POST /proxiesfor
proxiesfor.item.put           PUT /proxiesfor/{id}
proxiesfor.item.delete        DELETE /proxiesfor/{id}
users.all

users.read.basic and users.read.restricted are never required for a request. They appear only as permissionsDesired on the two GET handlers, so a caller without them still gets a response; when the caller does hold them, they arrive in X-Okapi-Permissions and it is up to mod-users to decide what additional data to return.
ui-user

Permission
module.users.enabled
ui-users.view
ui-users.edit
ui-users.create
ui-users.viewperms
ui-users.editperms
ui-users.settings.permsets
ui-users.editpermsets
ui-users.settings.usergroups
settings.usergroups.all
ui-users.settings.addresstypes
settings.addresstypes.all
settings.users.enabled
ui-users.viewproxies
ui-users.editproxies
mod-users-bl

Permission                Request                             Additional permissions for request
users-bl.collection.get   GET /bl-users
  modulePermissions
    • users.collection.get
users-bl.item.get         GET /bl-users/by-id/{id}
  permissionsRequired
    • perms.users.get
  modulePermissions
    • users.item.get
    • users.collection.get
    • perms.users.get
    • login.item.get
                          GET /bl-users/by-username/{id}
  permissionsRequired
    • perms.users.get
  modulePermissions
    • users.item.get
    • users.collection.get
    • perms.users.get
    • login.item.get
                          GET /bl-users/login
  modulePermissions
    • users.item.get
    • users.collection.get
    • perms.users.item.get
    • perms.users.get
    • usergroups.item.get
                          GET /bl-users/_self
  modulePermissions
    • users.item.get
    • users.collection.get
    • perms.users.get
    • usergroups.item.get
users-bl.item.post        POST /bl-users
  modulePermissions
    • users.item.post
    • perms.users.item.post
    • login.item.post
users-bl.item.put         PUT /bl-users/{id}
  modulePermissions
    • users.edit
    • users.item.put
    • perms.users.item.put
    • login.item.put
users-bl.all

The permissionsRequired entries here are checked against the calling user; the modulePermissions entries are granted to mod-users-bl itself. A caller can therefore obtain or modify a composite user record (user, permissions and credentials) through /bl-users without holding users.item.get, perms.users.item.put or login.item.put directly, which is why the users-bl.* permissions in front of those handlers should be granted as carefully as the underlying ones.
ui-circulation

Permission
ui-circulation.settings.loan-policies
settings.loan-policies.all
ui-circulation.settings.loan-rules
ui-circulation.settings.fixed-due-date-schedules
settings.loan-rules.all
settings.circulation.enabled
mod-notify

Permission              Request                          Additional permissions for request
notify.collection.get   GET /notify
notify.item.get         GET /notify/{id}
notify.item.post        POST /notify
                        POST /notify/_username/{uid}
notify.item.put         PUT /notify/{id}
notify.item.delete      DELETE /notify/{id}
notify.all
ui-inventory

Permission
module.inventory.enabled
ui-inventory.all-permissions.TEMPORARY
ui-inventory.settings.materialtypes
ui-inventory.settings.loantypes
settings.inventory.enabled
ui-inventory.settings.instance-formats
ui-inventory.settings.instance-types
ui-inventory.settings.contributor-types
mod-authtoken

Permission   Request   Additional permissions for request
-            /token
  modulePermissions
    • perms.users.get

A "-" in the Permission column means the page lists no user permission for this request (the HTTP method is not given on this page either). mod-authtoken is the authorization module referred to in the header table above; the perms.users.get module permission is what lets it look up a user's permissions in mod-permissions when evaluating a request.