Access Control: Tags
Introduction
Tags are metadata that are applied to tasks and workflows. They can be used in many different ways - to note what applications use the task or workflow, or in the case of this article, what application/group has access to the workflow or task.
For access control, tags work in an identical manner to application access control, but with the advantage of visibility in the opposite direction. With tags, every workflow and task is 'tagged' with metadata, making it easier to determine what access is being provided.
Adding a Tag to a Workflow
There are several ways to add a tag to a workflow. In this section, choose between using the API or the Conductor UI for detailed instructions on both options.
- Conductor UI
- API
Conductor UI
To add a tag to a workflow via the Conductor UI, navigate to the Workflow Definitions
page, and find the workflow you wish to tag. In the Actions
Column, click the tag icon.
This will open a dialogue window that allows you to add a new tag. Type the key:value and press enter to add the workflow.
You may also remove tags using the same window by clicking the "X" next to the tag you wish to delete.
API
To add a tag key:value
to a workflow, use the endpoint /api/metadata/workflow/{name}/tags
. Here is the link to the Playground Swagger.
There are two ways to add a tag, using a POST
or a PUT
.
PUT
replaces the existing tags with the tags in the payload:
curl -X PUT "https://play.orkes.io/api/metadata/workflow/marketing_workflow/tags" \
-H "accept: */*" \
-H "X-Authorization: <access_token>" \
-H "Content-Type: application/json" \
-d "[{\"type\":\"METADATA\",\"key\":\"org\",\"value\":\"marketing\"}]"
POST
appends the existing tags with the tags in the payload.
curl -X PUT "https://play.orkes.io/api/metadata/workflow/marketing_workflow/tags" \
-H "accept: */*" \
-H "X-Authorization: <access_token>" \
-H "Content-Type: application/json" \
-d "[{\"type\":\"METADATA\",\"key\":\"org\",\"value\":\"marketing\"}]"
The other operators for this endpoint are:
GET
: lists all of the tags assigned to the workflow.
curl -X GET "https://play.orkes.io/api/metadata/workflow/marketing_workflow/tags" \
-H "accept: */*" \
-H "X-Authorization: <access_token>" \
-H "Content-Type: application/json" \
gives the response:
[
{
"type": "METADATA",
"key": "org",
"value": "IT"
},
{
"type": "METADATA",
"key": "org",
"value": "sales"
},
{
"type": "METADATA",
"key": "org",
"value": "marketing"
}
]
DELETE
: removes the specified tag from the workflow.
curl -X DELETE "https://play.orkes.io/api/metadata/workflow/marketing_workflow/tags" \
-H "accept: */*" \
-H "X-Authorization: <access_token>" \
-H "Content-Type: application/json" \
-d "[{\"type\":\"METADATA\",\"key\":\"org\",\"value\":\"marketing\"}]"
Adding a Tag to a Task
There are several ways to add a tag to a task. In this section, choose between using the API or the Conductor UI for detailed instructions on both options.
- Conductor UI
- API
Conductor UI
To add a tag to a task via the Conductor UI, navigate to the Task Definitions
page, and find the task you wish to tag. In the Actions
Column, click the tag icon.
This will open a dialogue window that allows you to add a new tag. Type the key:value and press enter to add the tag to the task.
You may also remove tags using the same window by clicking the "X" next to the tag you wish to delete.
API
To add a tag key:value
to a task, use the endpoint /api/metadata/task/{taskName}/tags
. Here is the link to the Playground Swagger.
There are two ways to add a tag, using a POST
or a PUT
.
PUT
replaces the existing tags with the tags in the payload:
curl -X PUT "https://play.orkes.io/api/metadata/task/marketing_task/tags" \
-H "accept: */*" \
-H "X-Authorization: <access_token>" \
-H "Content-Type: application/json" \
-d "[{\"type\":\"METADATA\",\"key\":\"org\",\"value\":\"marketing\"}]"
POST
appends the existing tags with the tags in the payload.
curl -X PUT "https://play.orkes.io/api/metadata/task/marketing_task/tags" \
-H "accept: */*" \
-H "X-Authorization: <access_token>" \
-H "Content-Type: application/json" \
-d "[{\"type\":\"METADATA\",\"key\":\"org\",\"value\":\"marketing\"}]"
The other operators for this endpoint are:
GET
: lists all of the tags assigned to the workflow.
curl -X GET "https://play.orkes.io/api/metadata/task/marketing_task/tags" \
-H "accept: */*" \
-H "X-Authorization: <access_token>" \
-H "Content-Type: application/json" \
gives the response:
[
{
"type": "METADATA",
"key": "org",
"value": "IT"
},
{
"type": "METADATA",
"key": "org",
"value": "sales"
},
{
"type": "METADATA",
"key": "org",
"value": "marketing"
}
]
DELETE
: removes the specified tag from the workflow.
curl -X DELETE "https://play.orkes.io/api/metadata/task/marketing_task/tags" \
-H "accept: */*" \
-H "X-Authorization: <access_token>" \
-H "Content-Type: application/json" \
-d "[{\"type\":\"METADATA\",\"key\":\"org\",\"value\":\"marketing\"}]"
Adding Access Control to a tag
- Conductor UI
- API
There are two ways to provide access to a Workflow on the dashboard:
- Access to a Group of users
- Access via API with Key:secret.
Let's walk through both examples.
Adding tags to a Group
If you have a group of users:
We can add the tag rings:true
, and with EXECUTE
permission to allow those users to run the workflow. Adding READ
permission will show the workflow in the dashboard for all of the users (but they will be unable to edit).
Clicking OK adds the tag to the Group.
Adding Tags to an Application
In order for users to access your application via the API, an application key:secret must be assigned. This can be added for each application and task individually, but to add a large number of workflows and tasks at once to an application, the tag can be used
By adding the rings:true
tag to this application, any JWT token generated by the application Key:secret can access the applications with that tag.
Adding permissions via the API uses the same endpoint for adding permissions to a Group of users or to an application. The endpoint to use is the /api/auth/authorization
endpoint.
In this example, we would like to add the TAG "rings:true" to a GROUP called doug_testing
. The BODY of the API call should be:
{
"subject": {
"type": "GROUP",
"id": "marketing_team"
},
"target": {
"type": "TAG",
"id": "org:marketing"
},
"access": [
"EXECUTE", "READ"
]
}
To add access via a TAG to an application, WE chang ethe SUBJECT.TYPE to USER and the id to app:{id of the application}. (NOTE: this will likely chnage to "type":"application" and the "id" just being the application ID.)
{
"subject": {
"type": "USER",
"id": "app:f7d30148-2493-4c71-a326-9409296deb7f"
},
"target": {
"type": "TAG",
"id": "org:sales"
},
"access": [
"READ","EXECUTE"
]
}