User Permissions
The Tyk Dashboard is multi-tenant capable and allows granular, role based user access. Users can be assigned specific permissions to ensure that they only have very specific access to the Dashboard pages, and to the underlying API.
It is important to note that all user roles are defined and enforced at the Dashboard API level, and the UI is merely reactive.
Admin users
An admin user has full read/write access to all properties. The initial user created during the bootstrapping of the Dashboard is automatically assigned the admin role.
User permissions in the Tyk Dashboard API
The permissions object, which is provided to the Dashboard API, has this structure:

    "user_permissions": {
        "IsAdmin": "false",
        "analytics": "read",
        "apis": "write",
        "hooks": "write",
        "idm": "write",
        "keys": "write",
        "policy": "write",
        "portal": "write",
        "system": "write",
        "users": "write",
        "user_groups": "write",
        "audit_logs": "read"
    }
Note that the above list may not be complete as more features and flexibility are added to the Tyk Dashboard.
The way the permissions object works is that:
- if it contains "IsAdmin":"true", the user is an admin
- if it contains no properties, the user is assumed to be an admin
- if it contains even just one property, it acts as an allow-list: only the listed properties are allowed
- any non-listed properties are denied
- permissible values for each section (other than IsAdmin) are: read or write; to deny access to a property you must remove the property from the user_permissions object
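The following is an added example, not Tyk's own code: a small evaluator that applies the rules above to a user_permissions object as returned by the Dashboard API, plus an audit helper that flags what a reviewer of user records would want to notice (an empty object silently grants admin, unrecognised values are treated as denied, unknown section names may be custom permissions or typos). Two assumptions are labelled in the code: that "write" on a section also satisfies a "read" check, and that an object containing only "IsAdmin":"false" is a non-admin with no sections allowed; the sample object is the one documented above.

```python
"""Evaluate a Tyk Dashboard ``user_permissions`` object.

Added example, not Tyk's code. It implements the documented rules:
IsAdmin true or an empty object means admin; otherwise the object is an
allow-list where each listed section is "read" or "write" and anything
unlisted is denied.
"""
from __future__ import annotations

from typing import Iterable, Mapping

# Sections present in the documented permissions object. Custom permissions
# created via the Additional Permissions endpoint are added to this list by
# the Dashboard; pass them in through ``known_sections`` when auditing.
STANDARD_SECTIONS = frozenset({
    "analytics", "apis", "hooks", "idm", "keys", "policy",
    "portal", "system", "users", "user_groups", "audit_logs",
})

# Assumption (not stated on the page): "write" is a superset of "read".
LEVELS = {"read": 1, "write": 2}

# Constructed sample: the object documented above.
DOCUMENTED_EXAMPLE = {
    "IsAdmin": "false",
    "analytics": "read",
    "apis": "write",
    "hooks": "write",
    "idm": "write",
    "keys": "write",
    "policy": "write",
    "portal": "write",
    "system": "write",
    "users": "write",
    "user_groups": "write",
    "audit_logs": "read",
}


def is_admin(perms: Mapping[str, str]) -> bool:
    """Admin if IsAdmin is "true" or the object has no properties at all."""
    if str(perms.get("IsAdmin", "")).lower() == "true":
        return True
    # Assumption: {"IsAdmin": "false"} alone counts as one property, so it is
    # an (empty) allow-list rather than the implicit-admin case.
    return len(perms) == 0


def access_level(perms: Mapping[str, str], section: str) -> str | None:
    """Return "read", "write", or None (denied) for one section."""
    if is_admin(perms):
        return "write"
    value = perms.get(section)
    if value not in LEVELS:      # absent or unrecognised value: denied
        return None
    return value


def is_allowed(perms: Mapping[str, str], section: str, action: str) -> bool:
    """Check whether ``action`` ("read" or "write") is permitted on ``section``."""
    if action not in LEVELS:
        raise ValueError(f"unknown action {action!r}")
    granted = access_level(perms, section)
    return granted is not None and LEVELS[granted] >= LEVELS[action]


def audit(perms: Mapping[str, str],
          known_sections: Iterable[str] = STANDARD_SECTIONS) -> list[str]:
    """Return human-readable findings about a permissions object."""
    known = set(known_sections)
    findings: list[str] = []
    if is_admin(perms):
        findings.append("admin: full read/write on every section")
        if len(perms) == 0:
            findings.append("empty user_permissions object grants admin implicitly")
    for key, value in perms.items():
        if key == "IsAdmin":
            continue
        if value not in LEVELS:
            findings.append(f"{key}: value {value!r} is not read/write; treated as denied")
        if key not in known:
            findings.append(f"{key}: not a known section (custom permission or typo?)")
    return findings


if __name__ == "__main__":
    for user in (DOCUMENTED_EXAMPLE, {}, {"IsAdmin": "true"}, {"apis": "bogus"}):
        print(user, "->", audit(user) or ["no findings"])
        print("  apis/write:", is_allowed(user, "apis", "write"),
              " analytics/write:", is_allowed(user, "analytics", "write"))
```

Running the module prints the audit findings and two access checks for the documented object, the empty object, an explicit admin, and an object with an invalid value; the empty object is the one that deserves attention in any review of exported user records, since it looks like "no permissions" but behaves as admin.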
An admin user can be identified either by setting IsAdmin to true or by setting no properties in the user_permissions object.
User permissions in the Tyk Dashboard
User permissions are configured in the user detail view.
The configuration of each property will affect the Dashboard navigation, with denied sections or screens hidden or disabled. Note that some side-effects can occur when pages that make use of multiple APIs to fetch configuration data cross over, e.g. policies and API Definition listings.
Selecting the Account is Admin checkbox from the Dashboard gives the user full access (it has the same effect as the IsAdmin property).
Custom user permissions
You can create your own custom permissions for use with the Open Policy Agent (OPA) using the Additional Permissions endpoint in the Tyk Dashboard Admin API. This allows you to add and delete (CRUD) a list of additional (custom) permissions for your Dashboard users. Once created, a custom permission is added to the standard list of user permissions.
You can also configure these custom permissions in the security.additional_permissions map in the Tyk Dashboard configuration file.