Migrating from Role Grants to Access Rules

Evan Todd edited this page Feb 21, 2022 · 3 revisions

To increase flexibility when managing thousands of Resources, Role Grants have been deprecated in favor of Access Rules, which allow you to grant access based on Resource Tags and Type.

The following examples demonstrate the deprecated Role Grants, Dynamic Access Rules with Tags and Resource Types, and Static Access Rules for backwards compatibility with Role Grants.

Important Versioning Caveat

This guide only applies to version 2.0 and up of the Java SDK. Prior to 2.0, the SDK includes only rudimentary beta support for access rules. Prior to 0.9.31, it does not support access rules at all. We strongly recommend upgrading to 2.0 when it is available.

Furthermore, before you can use access rules, your organization must undergo the "Access Overhaul" migration to enable the new UI and a myriad of other features. Contact [email protected] to learn more.

Role Grants (deprecated)

Previously, you would grant a role access to specific resources by ID via role grants:

Role role = new Role();
role.setName("Engineering");
role = client.roles().create(role).getRole();

Redis resource = new Redis();
resource.setName("Session Cache Server");
resource.setHostname("example.com");
resource.setPort(6379);
resource.setPortOverride(4020);
resource.setTags(java.util.Map.of(
	"env", "staging"
));
resource = (Redis)client.resources().create(resource).getResource();

RoleGrant roleGrant = new RoleGrant();
roleGrant.setRoleId(role.getId());
roleGrant.setResourceId(resource.getId());
roleGrant = client.roleGrants().create(roleGrant).getRoleGrant();

Dynamic Access Rules

When using Access Rules, the best practice is to grant access to Resources based on Type and Tags.

// grant access to all dev environment resources in us-west
AccessRule rule1 = new AccessRule();
rule1.setTags(java.util.Map.of(
	"region", "us-west",
	"env", "dev"
));

// grant access to all postgres resources
AccessRule rule2 = new AccessRule();
rule2.setType("postgres");

// grant access to all redis resources in us-east
AccessRule rule3 = new AccessRule();
rule3.setType("redis");
rule3.setTags(java.util.Map.of(
	"region", "us-east"
));

Role role = new Role();
role.setName("Engineering");
role.setAccessRules(java.util.List.of(rule1, rule2, rule3));
role = client.roles().create(role).getRole();
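
Because dynamic rules select Resources by attribute rather than by ID, it is worth previewing which Resources a rule set reaches before assigning it to a role. The following is an added example, not part of the SDK or of the original page: `Res`, `Rule` and the inventory are hypothetical local stand-ins, and the matching semantics (all tags and the type must match within a rule; any rule in the list may match) are an assumption inferred from the comments in the code above.

```java
import java.util.List;
import java.util.Map;

// Local model only: Res and Rule are hypothetical stand-ins, not SDK classes.
public class AccessRulePreview {
    record Res(String id, String type, Map<String, String> tags) {}

    record Rule(List<String> ids, String type, Map<String, String> tags) {
        // Assumed semantics: a static rule matches by ID only; a dynamic rule
        // matches when the type (if set) is equal AND every tag in the rule
        // is present on the resource with the same value.
        boolean matches(Res r) {
            if (!ids.isEmpty()) return ids.contains(r.id());
            boolean typeOk = type == null || type.equals(r.type());
            return typeOk && r.tags().entrySet().containsAll(tags.entrySet());
        }
    }

    // A role reaches a resource when any one of its rules matches it.
    static List<String> reachable(List<Rule> rules, List<Res> inventory) {
        return inventory.stream()
                .filter(r -> rules.stream().anyMatch(rule -> rule.matches(r)))
                .map(Res::id)
                .toList();
    }

    public static void main(String[] args) {
        // Constructed inventory for illustration.
        List<Res> inventory = List.of(
            new Res("rs-1", "redis", Map.of("region", "us-east", "env", "staging")),
            new Res("rs-2", "postgres", Map.of("region", "us-west", "env", "prod")),
            new Res("rs-3", "mysql", Map.of("region", "us-west", "env", "dev")),
            new Res("rs-4", "redis", Map.of("region", "us-west", "env", "prod")));

        // The same three rules as the Engineering role above.
        List<Rule> rules = List.of(
            new Rule(List.of(), null, Map.of("region", "us-west", "env", "dev")),
            new Rule(List.of(), "postgres", Map.of()),
            new Rule(List.of(), "redis", Map.of("region", "us-east")));

        // Review the printed IDs for anything the role should not reach,
        // such as prod resources pulled in by a type-only rule.
        System.out.println(reachable(rules, inventory));
    }
}
```

A rule that sets only a type has no environment or region constraint, so pairing it with tags is the way to keep its scope narrow.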

Static Access Rules

If you need to grant access to specific Resources, as Role Grants did, you can use Resource IDs directly in Access Rules.

Resource resource = client.resources().get(resourceId).getResource();

Role role = client.roles().get(roleId).getRole();

AccessRule rule = new AccessRule();
rule.setIds(java.util.List.of(resource.getId()));

role.setAccessRules(java.util.List.of(rule));
role = client.roles().update(role).getRole();