Authorization Service Overview
The Authorization Service is a core component of the Sidra platform that provides fine-grained control over access to data and platform resources. It enables administrators to define, assign, and manage permissions for both users and applications across Sidra’s ecosystem.
Sidra leverages Balea, a role-based access control (RBAC) framework, to model and enforce authorization policies. The service integrates seamlessly with Sidra’s authentication layer, supporting permissions at multiple scopes—such as Data Storage Units (DSUs), Providers, and Entities.
Authorization data is persisted in a dedicated set of tables and managed through the Sidra Web UI. This interface provides full visibility into authorization subjects (users or applications), roles, delegations, and access permissions, making it easy to manage access control at scale.
Managing Authorization in Sidra Web
Sidra’s Web UI is built to expose and manage all components of the Balea Authorization Framework. Users can browse registered applications, assign roles to users or applications, and manage permission mappings across Sidra services and Data Products.
Each Data Product is treated as an authorization application with its own unique ClientId, allowing Sidra to isolate permissions per product while maintaining centralized governance.
The UI provides multiple views to manage different aspects of the authorization framework:
Authorization Users View
The Authorization Users View displays all authorization subjects—either individual users or applications—registered in the system.
Users can inspect roles and delegations per subject and add new delegations with validity dates, enabling controlled access delegation across applications.
Authorization User Detail View
The User Detail View allows administrators to configure access for a subject on a per-application basis. For each application, you can:
- View and assign/unassign roles
- Edit fine-grained permissions (read, write, delete) on metadata resources such as Providers and Entities
Authorization Applications View
The Applications View lists all applications integrated with the authorization system. Each application can define its own set of roles, permissions, and subject-role mappings, allowing tailored access control for every Data Product or internal tool.
Authorization Application Detail View
Each application view includes two key sections:
- Roles: Add/edit/delete roles, map authentication roles to authorization roles, and enable or disable roles for the application
- Permissions: View and filter effective permissions resulting from assigned roles
Permissions are not granted to subjects directly; they follow from the roles a subject holds, so access is defined once per role and stays manageable as the number of subjects grows.
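The following is an added example, not Sidra's or Balea's code, that models the pieces described in the Users, User Detail and Application Detail views above: applications isolated by ClientId, roles that can be enabled or disabled, read/write/delete permissions scoped to Provider or Entity resources, and delegations that only take effect inside their validity dates. The ClientIds ("dp-sales", "dp-finance"), subject names and resource names are constructed for the demo; the class and method names are this example's own, not Balea's API.

```python
# Simplified RBAC evaluation model for the concepts described above.
# Added illustration, not Sidra's or Balea's code; ClientIds, subjects
# and resource names below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Permission:
    """An action on a resource type; resource_id=None means any resource of that type."""
    action: str            # "read", "write" or "delete"
    resource_type: str     # "DSU", "Provider" or "Entity"
    resource_id: Optional[str] = None

    def covers(self, action: str, resource_type: str, resource_id: str) -> bool:
        return (self.action == action
                and self.resource_type == resource_type
                and self.resource_id in (None, resource_id))


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    enabled: bool = True   # a disabled role grants nothing even while still assigned


@dataclass
class Delegation:
    """The delegate acts with the delegator's roles only inside the validity window."""
    delegator: str
    delegate: str
    valid_from: datetime
    valid_to: datetime

    def is_active(self, now: datetime) -> bool:
        return self.valid_from <= now < self.valid_to


@dataclass
class Application:
    """One authorization application (e.g. a Data Product) identified by its ClientId."""
    client_id: str
    roles: dict = field(default_factory=dict)        # role name -> Role
    assignments: dict = field(default_factory=dict)  # subject -> set of role names
    delegations: list = field(default_factory=list)

    def add_role(self, role: Role) -> None:
        self.roles[role.name] = role

    def assign(self, subject: str, role_name: str) -> None:
        if role_name not in self.roles:
            raise KeyError(f"role {role_name!r} is not defined for {self.client_id}")
        self.assignments.setdefault(subject, set()).add(role_name)

    def delegate(self, delegator: str, delegate: str,
                 valid_from: datetime, valid_to: datetime) -> None:
        self.delegations.append(Delegation(delegator, delegate, valid_from, valid_to))

    def effective_permissions(self, subject: str, now: datetime) -> set:
        # Own roles plus the roles of anyone who has an active delegation to this subject.
        principals = {subject}
        principals.update(d.delegator for d in self.delegations
                          if d.delegate == subject and d.is_active(now))
        perms: set = set()
        for principal in principals:
            for role_name in self.assignments.get(principal, ()):
                role = self.roles.get(role_name)
                if role is not None and role.enabled:
                    perms |= role.permissions
        return perms

    def is_allowed(self, subject, action, resource_type, resource_id, now) -> bool:
        return any(p.covers(action, resource_type, resource_id)
                   for p in self.effective_permissions(subject, now))


class AuthorizationStore:
    """Applications keyed by ClientId; a grant in one application never leaks into another."""

    def __init__(self) -> None:
        self.applications: dict = {}

    def register(self, client_id: str) -> Application:
        app = Application(client_id)
        self.applications[client_id] = app
        return app

    def is_allowed(self, client_id, subject, action, resource_type, resource_id,
                   now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        app = self.applications.get(client_id)
        return app is not None and app.is_allowed(subject, action, resource_type, resource_id, now)


def build_demo_store() -> AuthorizationStore:
    store = AuthorizationStore()
    sales = store.register("dp-sales")  # constructed ClientId
    sales.add_role(Role("DataReader", {Permission("read", "Entity"), Permission("read", "Provider")}))
    sales.add_role(Role("CustomerEditor", {Permission("write", "Entity", "Customers")}))
    sales.add_role(Role("DataAdmin", {Permission("delete", "Entity")}, enabled=False))
    sales.assign("alice", "DataReader")
    sales.assign("alice", "CustomerEditor")
    sales.assign("bob", "DataAdmin")
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sales.delegate("alice", "carol", start, start + timedelta(days=7))
    store.register("dp-finance")  # second application, nothing assigned
    return store


def run_checks() -> dict:
    store = build_demo_store()
    in_window = datetime(2024, 1, 3, tzinfo=timezone.utc)
    after_window = datetime(2024, 2, 1, tzinfo=timezone.utc)
    return {
        "alice_reads_entity": store.is_allowed("dp-sales", "alice", "read", "Entity", "Orders", in_window),
        "alice_writes_customers": store.is_allowed("dp-sales", "alice", "write", "Entity", "Customers", in_window),
        "alice_writes_orders": store.is_allowed("dp-sales", "alice", "write", "Entity", "Orders", in_window),
        "bob_deletes_disabled_role": store.is_allowed("dp-sales", "bob", "delete", "Entity", "Orders", in_window),
        "carol_reads_via_delegation": store.is_allowed("dp-sales", "carol", "read", "Provider", "CRM", in_window),
        "carol_reads_after_expiry": store.is_allowed("dp-sales", "carol", "read", "Provider", "CRM", after_window),
        "alice_in_other_app": store.is_allowed("dp-finance", "alice", "read", "Entity", "Orders", in_window),
        "unknown_app": store.is_allowed("dp-unknown", "alice", "read", "Entity", "Orders", in_window),
    }
```

Two decisions in this model are worth carrying into a real deployment: an unknown ClientId or a disabled role yields a deny rather than an error path that might be caught and ignored, and the delegation check is evaluated at decision time against the validity window, so an expired delegation stops working without anyone having to remove it.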
Authorization API Keys View
This view enables the creation and management of API keys for client systems, including expiration settings. API keys can be revoked at any time via the interface.
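As an added example (not Sidra's implementation of the API Keys view), the snippet below shows the storage and validation logic a key-issuing service behind such a view typically needs: the secret is returned to the client once and only its hash is persisted, every lookup checks expiry and revocation, and the secret comparison is constant-time. The "reporting-job" client system name and the fixed issue date are constructed for the demo.

```python
# API keys kept as hashes, with expiry and revocation checks.
# Added illustration, not Sidra's code; "reporting-job" is a constructed name.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ApiKeyRecord:
    key_id: str
    client_system: str
    key_hash: bytes                 # SHA-256 of the secret; the secret itself is never stored
    expires_at: datetime
    revoked_at: Optional[datetime] = None


class ApiKeyStore:
    def __init__(self) -> None:
        self._records: dict = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        # The secret carries 256 bits of randomness, so a plain hash suffices; slow,
        # salted password hashing is for low-entropy, human-chosen secrets.
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def create(self, client_system: str, lifetime: timedelta,
               now: Optional[datetime] = None) -> str:
        """Return the full key once ("<key_id>.<secret>"); only its hash is kept."""
        now = now or datetime.now(timezone.utc)
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = ApiKeyRecord(key_id, client_system,
                                             self._digest(secret), now + lifetime)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str, now: Optional[datetime] = None) -> bool:
        record = self._records.get(key_id)
        if record is None:
            return False
        record.revoked_at = now or datetime.now(timezone.utc)
        return True

    def validate(self, presented: str, now: Optional[datetime] = None) -> Optional[str]:
        """Return the client system for a live key, or None for any failure."""
        now = now or datetime.now(timezone.utc)
        key_id, _, secret = presented.partition(".")
        record = self._records.get(key_id)
        if record is None:
            # Hash anyway so an unknown id costs the same time as a wrong secret.
            hmac.compare_digest(self._digest(secret), self._digest(""))
            return None
        if not hmac.compare_digest(record.key_hash, self._digest(secret)):
            return None
        if record.revoked_at is not None and record.revoked_at <= now:
            return None
        if now >= record.expires_at:
            return None
        return record.client_system


def run_demo() -> dict:
    store = ApiKeyStore()
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = store.create("reporting-job", timedelta(days=30), now=issued)
    key_id = key.split(".", 1)[0]
    day = timedelta(days=1)
    results = {
        "valid_key": store.validate(key, now=issued + day),
        "wrong_secret": store.validate(key_id + ".not-the-secret", now=issued + day),
        "unknown_id": store.validate("deadbeef.whatever", now=issued + day),
        "expired": store.validate(key, now=issued + 31 * day),
    }
    store.revoke(key_id, now=issued + 2 * day)
    results["after_revocation"] = store.validate(key, now=issued + 3 * day)
    return results
```

Because `validate` returns the same `None` for a wrong secret, an unknown id, an expired key and a revoked key, callers cannot distinguish the cases; the distinction belongs in server-side logs, where a burst of unknown-id or wrong-secret failures for one client system is the signal worth alerting on.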
Known Issues
- When creating new roles for a Data Product, the role may not appear immediately in the UI after refreshing. A workaround is to clear the session cache or refresh the view manually.