Granular ACLs - Dimensigon

Real-World Use Case: Enterprise with Multiple Teams

DevOps, Security, and Platform teams need different permissions. A single shared cluster with fine-grained access control.

1. Group-Based Permissions

ACL Configuration

# Create DevOps group
$ curl -X POST /api/v1.0/groups \
  -d '{
  "name": "devops",
  "permissions": {
    "orchestrations": ["can_read", "can_create", "can_execute"],
    "vault": ["can_read:app-*"],
    "servers": ["can_read", "can_register"],
    "files": ["can_upload"]
  }
}'

# Security team - limited access
$ curl -X POST /api/v1.0/groups \
  -d '{
  "name": "security",
  "permissions": {
    "vault": ["can_read"],
    "logs": ["can_query"],
    "users": ["can_read"]
  }
}'

Namespace-Based Control

Wildcards: vault:prod-*
Fine-grained: can_execute_on:prod-servers
Hierarchical: Inherit from parent groups
Temporal: Time-limited permissions

2. JWT Token Lifecycle

Secure Token Management

Short-lived access tokens minimize damage if leaked:

Access tokens: 15 minutes
Refresh tokens: 30 days
Automatic refresh when expired
Revocation support

Token Flow

# Login to get tokens
$ curl -X POST /api/v1.0/auth/login \
  -d '{
  "username": "alice",
  "password": "secret"
}'

{
  "access_token": "eyJ...valid for 15 min",
  "refresh_token": "eyJ...valid for 30 days"
}

# Token automatically validated on every request
$ curl /api/v1.0/orchestrations \
  -H "Authorization: Bearer $ACCESS_TOKEN"

🔑

Least Privilege

Users get minimum permissions needed for their job.

📊

Audit Ready

All access logged for compliance and forensics.

⏰

Short-Lived Tokens

15-minute access tokens limit exposure window.

🔒

No Passwords Stored

JWT tokens, SHA-256 hashed passwords only.

Configure Access Control Back to Features

Fine-Grained Access Control