... | ... | @@ -27,7 +27,7 @@ For each group you can either be added as an OWNER or a MEMBER. The only differe |
- resourceName ∈ {'welldb', 'npd', 'ihs', 'datalake', 'public', ...}
- permission ∈ {'viewers', 'editors', 'admins' ...}
- slb-data-partition-id ∈ {'slb', 'common', ...}
- domain ∈ {'evd.cloud.slb-ds', 'evt.cloud.slb-ds', 'p4d.cloud.slb-ds', ...}
- domain ∈ {'instance.osdu.opengroup.org', ...}
As shown, a group is unique to each data partition. This means that access is defined on a per data partition basis i.e. giving a service permission in one data partition does not give that user service permission in another data partition. See below for more information on data partitions.
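Review bot: the new domain line (`'instance.osdu.opengroup.org'`) no longer shows how a data partition appears in a group address, yet the unchanged paragraph that follows still states that a group is unique to each data partition and that access is granted per data partition. With the old `evd.cloud.slb-ds` / `p4d.cloud.slb-ds` form the partition id was visibly part of the group domain (compare `users@slb.p4d.cloud.slb-ds.com` later in this commit); with one flat domain a reader cannot tell how the `users` group of one partition differs from another. Either show the partition-bearing form of the domain in this list or reword the paragraph to say where the partition is expressed. The `slb-data-partition-id ∈ {'slb', 'common', ...}` line above is also left untouched and still carries the SLB-specific name and values; if the OSDU form is the target, rename or re-example it in the same change so the list stays internally consistent.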
... | ... | @@ -68,9 +68,7 @@ Applicable _slb-data-partition-id_ values are: |
| **_Environment_** | **_slb-data-partition-id_** |
| --- | --- |
| EVD | _tenant1_, _tenant2_, _common_ |
| EVT | _tenant1_, _tenant2_, _common_ |
| P4D | _slb_, _customer_, _common_ |
| Prod | _slb_, _customer_, _common_ |
[Back to table of contents](#TOC)
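Review bot: the environment table (EVD, EVT, P4D, Prod with `_tenant1_`, `_slb_`, `_customer_`, `_common_`) is still entirely SLB-specific and contradicts the move to `instance.osdu.opengroup.org` made elsewhere in this commit; the hunk header shows two lines dropped from this region, but what remains still tells an OSDU reader to use environments and partition ids that are meaningful only for the SLB deployment. Either replace the rows with the partition ids valid for the OSDU instance being documented or remove the table and point to where the deployment defines its partitions. The `_slb-data-partition-id_` column heading should be renamed in step with whatever the list in the earlier hunk settles on.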
... | ... | @@ -249,11 +247,11 @@ This means that service must provide SAuth token for the service account it uses |
### 2. Ensuring service is a member in desired data partition
Service account email for the service making the calls to Data Ecosystem APIs in specific data partition, should be added to users of the data partition in question. For example, _storage@p4d-ddl-us-services.iam.gserviceaccount.com_ should be added to _users@slb.p4d.cloud.slb-ds.com_.
Service account email for the service making the calls to Data Ecosystem APIs in specific data partition, should be added to users of the data partition in question. For example, _storage@instance.osdu.opengroup.org_ should be added to _users@instance.osdu.opengroup.org_.
### 3. Ensuring service can use Entitlements service
Service account email for the service using Entitlements service to perform service authorization in specific data partition, should be added to users of the entitlements service (group named _service.entitlements.user_). For example, _storage@p4d-ddl-us-services.iam.gserviceaccount.com_ should be added to _service.entitlements.user@slb.p4d.cloud.slb-ds.com_.
Service account email for the service using Entitlements service to perform service authorization in specific data partition, should be added to users of the entitlements service (group named _service.entitlements.user_). For example, _storage@instance.osdu.opengroup.org_ should be added to _service.entitlements.user@instance.osdu.opengroup.org_.
### 4. Authorizing calls to your service/API/backend
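Review bot: the replacement examples in steps 2 and 3 put the service account and the group on the same domain (`storage@instance.osdu.opengroup.org` added to `users@instance.osdu.opengroup.org`), so the distinction the old text made between a service-account identity (`...iam.gserviceaccount.com`) and an entitlements group address is lost, and it is no longer visible which data partition the `users` group belongs to even though both sentences say the membership is per data partition. Use a clearly labelled placeholder for the service-account identity and a group address that carries the partition, or name the partition in words. The surrounding context still says "Data Ecosystem APIs" and "SAuth token" while the examples have moved to OSDU; the terminology should follow in the same change. Since step 3 tells every service owner to add their account to `service.entitlements.user`, it would also help to state who may perform that addition (the OWNER/MEMBER distinction this document opens with) so the group is not widened by anyone with API access. Minor: "Service account email for the service making the calls to Data Ecosystem APIs in specific data partition, should be added" needs "a" before "specific" and no comma before "should" (same sentence shape in step 3).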