Managing Conditions

Operators who are allowed to manage other actors can add restrictions to other Operators. To do so, an admin Operator uses the Operator Access API and includes the restrictions in an operator access.

For example, a certain factory admin with no restrictions would get all factories when listing places through the API:

GET /places

HTTP/1.1 200 OK
Content-Type: application/json

[
  {
    "id": "U8wQCBT7KXa4xHc5aCQk5pab",
    "createdAt": 1578062893343,
    "customFields": {},
    "tags": [],
    "updatedAt": 1578761145578,
    "name": "Cosmetique Active International (CAI)",
    "description": "Cosmétique Active International (CAI)",
    "position": {
      "type": "Point",
      "coordinates": [
        3.460977,
        46.181396
      ]
    },
    "address": {
      "street": "ZA LES ANCISES",
      "city": "Creuzier-le-Neuf",
      "country": "France",
      "countryCode": "FR"
    },
    "identifiers": {},
    "longitude": 3.460977,
    "latitude": 46.181396
  },
  {
    "id": "U8aQWUPTDBRWDmyCaBG5pwmp",
    "name": "Cosmétique Active Production (CAP)",
    "description": "Cosmétique Active Production (CAP)",
    "createdAt": 1578062818710,
    "customFields": {
      "type": "Factory"
    },
    "tags": [
      "Factory"
    ],
    "updatedAt": 1578761099372,
    "position": {
      "type": "Point",
      "coordinates": [
        3.412115,
        46.158034
      ]
    },
    "address": {
      "street": "28 rue de l'industrie",
      "postalCode": "03300",
      "city": "creuzier-le-vieux",
      "country": "France",
      "countryCode": "FR"
    },
    "identifiers": {
      "gs1:414": "3016050700019"
    },
    "longitude": 3.412115,
    "latitude": 46.158034
  }
]

To restrict a factory admin Operator to a given factory, an account admin updates the operator access through the API and adds a restrictive condition to the conditions array in the form factoryId:$ID_OF_THE_FACTORY:

PUT /accounts/:accountId/operatorAccess/:operatorAccessId
Content-Type: application/json
Authorization: $OPERATOR_API_KEY

{
  "conditions": [
    "factoryId:U8wQCBT7KXa4xHc5aCQk5pab"
  ]
}

This way, when the factory admin tries to list all factories, he or she will get only the ones listed in his or her conditions:

GET /places

HTTP/1.1 200 OK
Content-Type: application/json

[
  {
    "id": "U8wQCBT7KXa4xHc5aCQk5pab",
    "createdAt": 1578062893343,
    "customFields": {},
    "tags": [],
    "updatedAt": 1578761145578,
    "name": "Cosmetique Active International (CAI)",
    "description": "Cosmétique Active International (CAI)",
    "position": {
      "type": "Point",
      "coordinates": [
        3.460977,
        46.181396
      ]
    },
    "address": {
      "street": "ZA LES ANCISES",
      "city": "Creuzier-le-Neuf",
      "country": "France",
      "countryCode": "FR"
    },
    "identifiers": {},
    "longitude": 3.460977,
    "latitude": 46.181396
  }
]

Condition on Factory ID

A condition on factoryId may have different meanings on different APIs. Check the restrictive conditions the platform currently supports, which APIs are affected by each condition, and how each of those APIs filters its results based on them.
For example, for a given API key with factoryId conditions, the Places API will only retrieve places whose id matches the condition id.

See Operator Access to learn about restrictions the platform supports and their syntax.


Restriction inheritance

Restrictive conditions are inherited from whoever assigns them, so that Operators cannot grant elevated privileges when managing other Operators.

When Operators restricted to a certain attribute value create or update other Operator accesses, their restrictions must be applied to their subordinate Operators as well; otherwise the platform will respond with an error.

For example, a given factory admin has a restrictive condition on the Cosmetique Active International factory. This would be her operator access payload:

{
  "id": "UsFQTQPFKG7UHraab3wE3Fhb",
  "name": "OperatorName",
  "operator": "UP2tcQ4CdAnTDpVF2d4r9Gpf",
  "policies": [
    "UPb7Eq8hwpktcaaabfahfpdq"
  ],
  "conditions": [
    "factoryId:U8wQCBT7KXa4xHc5aCQk5pab"
  ],
  "identifiers": {},
  "tags": [],
  "customFields": {},
  "createdAt": 1586442216863,
  "updatedAt": 1586442216863
}

Now, if this factory admin invites another operator to her account through the API, she will be forced to include at least one condition that she possesses; otherwise the new Operator would not be restricted at all and would consequently have more access than the factory admin:

POST /accounts/:accountId/operatorAccess
Content-Type: application/json
Authorization: $OPERATOR_API_KEY

{
  "name": "OperatorName",
  "operator": "UP2tcQ4CdAnTDpVF2d4r9Gpf",
  "policies": [
    "$FACTORY_USER_ROLE_ID"
  ],
  "conditions": [],
  "identifiers": {},
  "tags": [],
  "customFields": {}
}

HTTP/1.1 400 Bad Request
Caller access exceeded. The following conditions must be present: factoryId:U8wQCBT7KXa4xHc5aCQk5pab

Moreover, extra conditions are also blocked through the API:

POST /accounts/:accountId/operatorAccess
Content-Type: application/json
Authorization: $OPERATOR_API_KEY

{
  "name": "OperatorName",
  "operator": "UP2tcQ4CdAnTDpVF2d4r9Gpf",
  "policies": [
    "$FACTORY_USER_ROLE_ID"
  ],
  "conditions": [
    "factoryId:U8wQCBT7KXa4xHc5aCQk5pab",
    "factoryId:U8aQWUPTDBRWDmyCaBG5pwmp"
  ],
  "identifiers": {},
  "tags": [],
  "customFields": {}
}

HTTP/1.1 400 Bad Request
Caller access exceeded. Extra conditions cannot be provided: factoryId:U8aQWUPTDBRWDmyCaBG5pwmp
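
The two rejections above, together with the Places filtering described earlier, can be modelled locally to pre-validate a payload or to write regression tests for your own integration. This is an added example, not the platform's code: the function names are hypothetical, conditions are assumed to be of a single kind (factoryId), and a restricted caller is assumed to be allowed to hand down any non-empty subset of its own conditions.

```python
# Added example: a local model of the rules on this page, not platform code.
# Assumptions: conditions are "key:value" strings of one kind (factoryId), an
# empty list means unrestricted, and a restricted caller may hand down any
# non-empty subset of its own conditions.

CAI = "U8wQCBT7KXa4xHc5aCQk5pab"  # factory ids taken from the page
CAP = "U8aQWUPTDBRWDmyCaBG5pwmp"


class CallerAccessExceeded(Exception):
    """Stands in for the 400 Bad Request responses shown above."""


def parse_condition(condition):
    """Split "factoryId:<id>" into (key, value); reject malformed strings."""
    key, sep, value = condition.partition(":")
    if not (sep and key and value):
        raise ValueError(f"malformed condition: {condition!r}")
    return key, value


def check_delegation(caller_conditions, requested_conditions):
    """Return the conditions to store, or raise CallerAccessExceeded."""
    for condition in [*caller_conditions, *requested_conditions]:
        parse_condition(condition)
    caller = list(dict.fromkeys(caller_conditions))      # de-duplicate, keep order
    requested = list(dict.fromkeys(requested_conditions))
    if not caller:
        return requested  # unrestricted admin may assign any conditions
    extra = [c for c in requested if c not in caller]
    if extra:
        raise CallerAccessExceeded(
            "Caller access exceeded. Extra conditions cannot be provided: "
            + ", ".join(extra))
    if not requested:
        raise CallerAccessExceeded(
            "Caller access exceeded. The following conditions must be present: "
            + ", ".join(caller))
    return requested


def visible_places(places, conditions):
    """Places listing as described: keep ids matching a factoryId condition."""
    allowed = {v for k, v in map(parse_condition, conditions) if k == "factoryId"}
    if not allowed:
        return list(places)  # no factoryId condition, nothing filtered
    return [p for p in places if p["id"] in allowed]
```

The extra-condition check runs before the empty check, so a payload that carries both the caller's condition and a foreign one is rejected with the "Extra conditions" message, as in the second request above.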

See Operator Access and Access Tokens in the API Reference section for more detailed API examples.

Updated 7 months ago
