
Access Rules

Authorization is a critical aspect of every block in kis.ai, especially within the Data API block. To ensure robust security and precise access control, kis.ai supports multiple forms of authorization, including Access Control Lists (ACLs), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Relationship-Based Access Control (ReBAC).

Policies are defined directly in code using several supported languages, including expr, cel-go, JavaScript, and WASM. This flexibility lets developers implement custom logic and security measures tailored to their application's requirements. By integrating these authorization mechanisms, kis.ai ensures that data access is both secure and efficient, serving the diverse needs of modern enterprises.

Authorization Types

| Authz Type | Description |
|---|---|
| ACLs (Access Control Lists) | Define explicit permissions for specific users or groups, controlling who can perform actions on particular resources. |
| RBAC (Role-Based Access Control) | Assign permissions based on user roles, simplifying management by grouping users with similar access needs. |
| ABAC (Attribute-Based Access Control) | Use attributes (user, resource, environment) to enforce dynamic, context-aware policies. |
| ReBAC (Relationship-Based Access Control) | Control access based on relationships between entities, providing fine-grained access control. |

Defining Access Rules

Access Levels

Access rules in the Data API block are defined at two levels: entity level and row level.

Entity Level

Rules defined here are broad and apply to the entity as a whole. They:

  1. Give the list of actions a user can perform on the entity
  2. Give access to specific fields based on the user
```yaml
access:
  actions:
    language: js
    rule: |
      // Admins get the full action set, everyone else the basic CRUD actions
      if (user.roles.includes("Admins")) {
        return ["create", "read", "update", "delete", "purge", "unmask"]
      }
      return ["create", "read", "update", "delete"]
  read:
    language: js
    rule: |
      // field-level access for read: a field list, or "all" for no restriction
      if (user.id == id)
        return "id,name".split(",")
      return "all"
```
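To make the two-step shape of an entity-level rule concrete (first the permitted actions, then the readable fields, then projecting the row), here is an added JavaScript evaluator over the rule bodies from the example above. It is illustrative code, not kis.ai's engine; the `policy`, `evalRule`, `permittedActions`, `readableFields` and `readRow` names and the sample users and row are constructed for this example.

```javascript
// Rule bodies copied from the entity-level example above (language: js).
const policy = {
  actions: {
    language: "js",
    rule: `if (user.roles.includes("Admins")) {
             return ["create", "read", "update", "delete", "purge", "unmask"]
           }
           return ["create", "read", "update", "delete"]`,
  },
  read: {
    language: "js",
    rule: `if (user.id == id)
             return "id,name".split(",")
           return "all"`,
  },
};

// Evaluate a js rule body with `user` and `id` in scope, as the rule text assumes.
// new Function() is used for brevity only; it is not an isolation boundary,
// so a real policy engine must run untrusted rule text in a proper sandbox.
function evalRule(entry, user, id) {
  if (entry.language !== "js") throw new Error("only js rules handled here");
  return new Function("user", "id", entry.rule)(user, id);
}

// Step 1: which actions may this user perform on the entity?
function permittedActions(user) {
  return evalRule(policy.actions, user, undefined);
}

// Step 2: which fields of row `id` may this user read? null means "all".
function readableFields(user, id) {
  const fields = evalRule(policy.read, user, id);
  return fields === "all" ? null : fields;
}

// Combine both steps: deny unless "read" is permitted, then project the row
// down to the readable fields so restricted columns never leave the engine.
function readRow(user, row) {
  if (!permittedActions(user).includes("read")) return null;
  const fields = readableFields(user, row.id);
  if (fields === null) return { ...row };
  return Object.fromEntries(fields.map((f) => [f, row[f]]));
}

// Constructed sample users and row (not from the page).
const admin = { id: "u1", roles: ["Admins"] };
const customer = { id: "u2", roles: ["Customers"] };
const row = { id: "u2", name: "Ada", email: "ada@example.com", balance: 42 };
```

As written on the page, the read rule returns only `id` and `name` when `user.id` equals the row id and `"all"` otherwise, so `readRow(customer, row)` yields `{ id: "u2", name: "Ada" }` while the admin sees the whole row.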

Row Level

Rules defined here are specific to each individual row. They:

  1. Give the list of actions a user can perform on the single row.
  2. Fetch related data and return more granular access decisions.

Actions

| Action | Description |
|---|---|
| read | read any record of the entity |
| create | create a new record for the entity |
| update | update any record of the entity |
| delete | soft-delete any record of the entity |
| purge | permanently delete any record of the entity |
| unmask | permission to unmask specific masked fields |
| untokenize | permission to untokenize specific tokenized fields |
| decrypt | permission to decrypt specific encrypted fields |

Example

Let's define access rules for customers such that only Admins can create and fully access the data, and a logged-in user can view only their own data.

Navigate to product name > Datastore > datastore name > Entity > entity name > Edit Entity > Access

fooddelivery > data > datastores > orders > customers.yaml

```yaml
access:
  actions:
    rule: |
      // Admins get the full action set
      if (user.roles.includes("Admin")) {
        return ["create", "update", "delete", "read", "purge", "unmask"]
      }
      // everyone else may only read (what they can see is narrowed by the read rule)
      return ["read"]
    language: js
  read:
    language: js
    rule: |
      if (user.id == id) return "id,name".split(",")
      return "all"
  update:
    language: js
    rule: |
      return "all"
  create:
    language: js
    rule: |
      return "all"
```