Configuring custom Watch Folder permissions policies in the GUI

By default, users are not allowed to perform any Watch Folders related actions, unless they are configured with admin ACLs. If you do not want every user to have admin permissions, configure users with customized permissions policies, including whether they are allowed or denied permission to create Watch Folders, create Watch and Watch Folder services, and edit policies. The policy is a JSON object that is assigned to specific users. Users can be assigned to multiple policies to incrementally allow or deny permissions.

Polices can be managed in the GUI or the command line. For command line instructions, see Configuring custom Watch Folder permissions policies.

Create a permission policy

Go to Watch Folders > Services and policies (Services & Policies) > Policies. Click Click Plus create a policy to create a new policy. Select the template from which to build your policy:

  • Empty: A blank template. You must enter policy settings; a blank policy is not supported.
  • All permissions: A template that allows all actions on all resources.
  • All watch folders: A template that allows Watch Folder only related actions on any Watch Folder, and gives the user permission to view a list of Watch Folder services.

Policy syntax

A permissions policy is a JSON object with the following syntax:

{
   "id": "policy_name",
   "statements": [
      {
         "effect": "effect_value",
         "actions": [
            "permission_1",
            "permission_2",
            ...
            "permission_n"
         ],
         "resources": [
            "resource_id"
         ]
      }
   ]
}

The placeholders take the following values:

  • policy_name: A descriptive name for the policy, such as only-wfd-aspera. If no value is specified, a UUID is generated and returned in the output when the policy is created.
  • effect_value: Set to ALLOW or DENY.
  • permission: An action that the user is allowed or denied, depending on effect_value. Values can use * to match any sequence of characters. For example, to allow all Watch Folder related actions, enter WF_*. See the following section for a complete list of permissions.
  • resource_id: For Watch Folder-related permissions, specify the resources to which the actions apply by their Aspera® Resource Name (ARN), by using the following general syntax: 
    arn:service:resource_type:resource

    Where service identifies the product (watchfolder or watch), resource_type is the type of resource (wfd for a Watch Folder daemon, wf for a Watch Folder), and resource is the resource ID, or a series of IDs to specify the daemon and Watch Folder ID of a specific Watch Folder. See the following section for examples.

Actions

The following actions are permissions to create, delete, and view policies, and assign users to policies. These actions do not require that you specify a value for resources. To allow all permissions, use PERM_*.

  • PERM_CREATE_POLICY
  • PERM_DELETE_POLICY
  • PERM_LIST_POLICIES
  • PERM_ATTACH_USER_POLICY
  • PERM_DETACH_USER_POLICY
  • PERM_LIST_USER_POLICIES

The following actions create, delete, and view Watch and Watch Folder services. These actions do not require that you specify a value for "resources". Users without these permissions must create Watch Folders that use existing Watch and Watch Folder services.

  • PERM_LIST_RESOURCES
  • PERM_CREATE_RESOURCE
  • PERM_DELETE_RESOURCE

The following actions create and delete Watch Folders. These actions require that you specify the wfd resource, as arn:watchfolder:wfd:daemon. To allow actions on Watch Folders as any daemon, use arn:watchfolder:wfd:*.

  • WF_CREATE_WATCHFOLDER
  • WF_DELETE_WATCHFOLDER
Note: Node API users must have PERM_LIST_RESOURCES allowed, so it can allow WF_CREATE_WATCHFOLDER or WF_DELETE_WATCHFOLDER.

The following actions retrieve Watch Folder configuration and state, update the Watch Folder, and retry a Watch Folder drop. These actions require that you specify the wf resource, as arn:watchfolder:wf:daemon:watchfolder_id. To allow actions on any Watch Folders run by any daemon, use arn:watchfolder:wf:*:*.

  • WF_GET_WATCHFOLDER
  • WF_GET_WATCHFOLDER_STATE
  • WF_UPDATE_WATCHFOLDER
  • WF_RETRY_DROP

To allow all Watch Folder actions on all Watch Folders, enter "WF_*" as the action and "arn:watchfolder:wfd:*" as the resource.

Assigning Node API users to policies

Go to the Policies tab in the GUI and select the policy. Click Attach a Node API user to a policy (Attach a Node API user to a policy) and enter the Node API user to which to assign the policy. Assign users to multiple policies to incrementally build their permissions.

To remove a Node API user from a policy, select the user and click Detach the selected user from the policy.

Editing policies

Select the policy. Click Edit policy.

To test that your edits have produced a valid policy, click Validate. To cancel your changes, click Cancel. To save your changes, click Save.

Note: The policy name ("id") cannot be edited. To change the name, create a new policy.