Scopes

Tiled uses OAuth2 scopes to restrict the actions that users, services, and API keys can perform. See the guide Create and Use API Keys for instructions on generating API keys with restricted scopes.

List of Scopes

  • read:metadata — List and search metadata.

  • read:data — Fetch (array, table) data.

  • create — Create a new node.

  • write:metadata — Write metadata.

  • write:data — Write (array, table) data.

  • apikeys — Manage API keys for the currently-authenticated user or service.

  • metrics — Access Prometheus metrics.

  • admin:apikeys — Manage API keys on behalf of any user or service.

  • read:principals — Read list of all users and services and their attributes.

Finally, there is the meta-scope inherit, the default for API keys. It inherits the scopes of the Principal associated with this key, resolved at access time.

Roles

An authenticated entity (“Principal”) may be assigned roles that confer a list of scopes.

  • user — default role, granted scopes ["read:metadata", "read:data", "write:metadata", "write:data", "create", "apikeys"]

  • admin — granted all scopes

There is support for custom roles at the database level, but neither role creation/customization nor role assignment is yet exposed through the API. (This will come in a future release.)

For now, the admin role can only be assigned by setting tiled_admins in the service configuration, as in this example.

example_configs/toy_authentication.py
authentication:
  providers:
  - provider: toy
    authenticator: tiled.authenticators:DictionaryAuthenticator
    args:
      users_to_passwords:
        alice: ${ALICE_PASSWORD}
        bob: ${BOB_PASSWORD}
        cara: ${CARA_PASSWORD}
      confirmation_message: "You have logged in as {id}."
  tiled_admins:
    - provider: toy
      id: alice
access_control:
  access_policy: tiled.access_policies:SimpleAccessPolicy
  args:
    provider: toy  # matches provider above
    access_lists:
      alice:
      - A
      - B
      bob:
      - A
      - C
      cara: tiled.access_policies:SimpleAccessPolicy.ALL
    scopes:
    - "read:metadata"
    - "read:data"
    public:
    - D
trees:
  - path: /
    tree: tiled.examples.toy_authentication:tree
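The role table above, the inherit meta-scope, and the toy access policy, worked through as an added example (this is not Tiled's own code): it resolves which scopes a principal's API key carries at access time and which of those apply to a given node under the configuration shown. The intersection of explicit key scopes with the owner's scopes, and the node-level rule for SimpleAccessPolicy, are assumptions of this model rather than documented behaviour.

```python
# Added example, not Tiled's own code: a model of how the scopes on this page
# combine. ROLE_SCOPES copies the Roles section; ACCESS_LISTS, POLICY_SCOPES
# and PUBLIC come from the toy config above. Assumptions: an explicit API-key
# scope list is clipped to its owner's scopes, and the policy grants
# POLICY_SCOPES only on public nodes or nodes the principal is listed for.
ALL = "ALL"  # stands in for tiled.access_policies:SimpleAccessPolicy.ALL

ROLE_SCOPES = {
    "user": {"read:metadata", "read:data", "write:metadata", "write:data",
             "create", "apikeys"},
    "admin": {"read:metadata", "read:data", "create", "write:metadata",
              "write:data", "apikeys", "metrics", "admin:apikeys",
              "read:principals"},
}
ACCESS_LISTS = {"alice": ["A", "B"], "bob": ["A", "C"], "cara": ALL}
POLICY_SCOPES = {"read:metadata", "read:data"}
PUBLIC = ["D"]


def principal_scopes(roles):
    """Union of the scopes conferred by a principal's roles."""
    return set().union(*(ROLE_SCOPES[r] for r in roles))


def api_key_scopes(key_scopes, roles):
    """Scopes an API key carries, resolved at access time against its owner.

    The meta-scope "inherit" (the default) yields whatever the owner holds
    right now. An explicit list is clipped to the owner's scopes (assumption),
    so a key cannot grant more than the principal who minted it holds.
    """
    owner = principal_scopes(roles)
    if "inherit" in key_scopes:
        return owner
    return set(key_scopes) & owner


def allowed_scopes(principal_id, node, requester_scopes):
    """Scopes usable on one node under the toy SimpleAccessPolicy config."""
    listed = ACCESS_LISTS.get(principal_id)
    if node in PUBLIC or listed == ALL or (listed and node in listed):
        return POLICY_SCOPES & requester_scopes
    return set()


def can(principal_id, node, scope, roles=("user",), key_scopes=("inherit",)):
    """True if a request with this identity, key and scope may touch node."""
    return scope in allowed_scopes(
        principal_id, node, api_key_scopes(key_scopes, roles))
```

Because inherit is resolved when the request arrives, demoting alice from admin to user shrinks every inherit-scoped key she holds at once, whereas an explicit key list is clipped to her current role on each call.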