1. Overview

In a plug-in of the Parametric Access Control type, you can define conditions based on the request parameters or context of an API operation to which the plug-in is bound. This allows you to decide whether to deliver an API request to the backend of an API operation. For information about how to define parameters and write conditional expressions, see Parameters and conditional expressions.

2. Configurations

Assume that a plug-in of the Parametric Access Control type is bound to an API operation. The request path of the API operation is `/{userId}/...`. The JSON Web Token (JWT) authorization feature is configured for the API operation and two claim parameters, userId and userType, are defined. In this case, you can define the following conditions:

  • If the userType parameter is set to admin, all request paths are allowed.
  • If the userType parameter is set to user, only requests with the `/{userId}/...` path are allowed.
---
#
# In this example, the request path of the API operation is `/{userId}/...`.
# The JWT authorization feature is configured for the API operation and two claim parameters, userId and userType, are defined.
# You can define the following conditions:
# - If the userType parameter is set to admin, all request paths are allowed.
# - If the userType parameter is set to user, only requests with the `/{userId}/...` path are allowed.
parameters:
  userId: "Token:userId"
  userType: "Token:userType"
  pathUserId: "path:userId"
#
# The following rules are defined based on the preceding parameters. For each API request, the plug-in of the Parametric Access Control type checks the rules in sequence. If the condition in a rule is met, the result is `true` and the action that is specified by the `ifTrue` parameter is performed. If the condition in a rule is not met, the result is `false` and the action that is specified by the `ifFalse` parameter is performed.
# The action `ALLOW` indicates that the request is routed to the backend. The action `DENY` returns an error code to the client. After the `ALLOW` or `DENY` action is performed, the plug-in does not check the remaining rules.
# If neither the `ALLOW` action nor the `DENY` action is performed, the plug-in continues to check the next rule.
rules:
  - name: admin
    condition: "$userType = 'admin'"
    ifTrue: "ALLOW"
  - name: user
    condition: "$userId = $pathUserId"
    ifFalse: "DENY"
    statusCode: 403
    errorMessage: "Path not match ${userId} vs /${pathUserId}"
    responseHeaders:
      Content-Type: application/xml
    responseBody:
      <Reason>Path not match ${userId} vs /${pathUserId}</Reason>
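The evaluation order the comments above describe, as an added Python model (not the gateway's code): parameters are resolved from their `Token:` or `path:` source, rules are walked in sequence, and the first `ALLOW` or `DENY` ends the check. It assumes conditions are simple equality tests between a `$parameter` and another `$parameter` or a quoted literal, that a missing parameter never satisfies a condition, and that falling off the end of the rule list yields no decision, since the page does not state that default.

```python
import re

# Constructed model of the plug-in above; the parameter and rule values mirror the YAML.
PARAMETERS = {"userId": "Token:userId", "userType": "Token:userType", "pathUserId": "path:userId"}
RULES = [
    {"name": "admin", "condition": "$userType = 'admin'", "ifTrue": "ALLOW"},
    {"name": "user", "condition": "$userId = $pathUserId", "ifFalse": "DENY", "statusCode": 403},
]

# Supported condition shape: "$left = $right" or "$left = 'literal'" (assumption, see lead-in).
COND = re.compile(r"^\$(\w+)\s*=\s*(?:\$(\w+)|'([^']*)')$")


def resolve(params, request):
    """Look each parameter up in its source: 'Token' = JWT claims, 'path' = path parameters."""
    values = {}
    for name, spec in params.items():
        source, key = spec.split(":", 1)
        values[name] = request.get(source, {}).get(key)
    return values


def evaluate(cond, values):
    """Return True when the condition holds; a missing parameter never matches anything."""
    m = COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    left, right_param, literal = m.groups()
    right = values.get(right_param) if right_param is not None else literal
    return values.get(left) is not None and values[left] == right


def check(request, params=PARAMETERS, rules=RULES):
    """Walk the rules in order and stop at the first ALLOW or DENY; None means no rule decided."""
    values = resolve(params, request)
    for rule in rules:
        matched = evaluate(rule["condition"], values)
        action = rule.get("ifTrue") if matched else rule.get("ifFalse")
        if action == "ALLOW":
            return {"action": "ALLOW", "rule": rule["name"]}
        if action == "DENY":
            return {"action": "DENY", "rule": rule["name"], "statusCode": rule.get("statusCode", 403)}
    return None


if __name__ == "__main__":
    # Constructed request: a 'user' token for userId 42 calling /7/... is rejected by the user rule.
    print(check({"Token": {"userId": "42", "userType": "user"}, "path": {"userId": "7"}}))
```

Note that without the `is not None` guard in `evaluate`, a request carrying neither a userId claim nor a path userId would compare `None` with `None` and pass the user rule; whether the real gateway treats missing parameters that way is not stated on this page, so verify it against your deployment.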

3. Error codes

| Error code | HTTP status code | Error message | Description |
| --- | --- | --- | --- |
| A403AC | 403 | Access Control Forbidden by ${RuleName} | The error message returned because the request is rejected by the plug-in of the Parametric Access Control type that is bound to the API operation. |

4. Limits

  • A maximum of 16 parameters can be defined in each plug-in of the Parametric Access Control type.
  • Each conditional expression can contain a maximum of 512 characters.
  • For each plug-in of the Parametric Access Control type, you can configure a maximum of 16,380 bytes of metadata.
  • A maximum of 16 rules can be configured in each plug-in of the Parametric Access Control type.