
Fine-Grained Admin Permissions: A Key Update in Release 16

Feature Highlight 2

With Release 16, PolyAPI introduces explicit fine-grained permissions for admin keys, marking a significant evolution in managing admin rights. Previously, admin keys carried implicit permissions for tenant administration and user/key management, which were automatically granted to all keys assigned to admins. While PolyAPI already offered extensive permissions management, the absence of explicit controls for these admin-level operations posed challenges for more nuanced security and collaboration needs.

Explicit Permissions for Admin Keys

In this release, we’ve explicitly assigned tenant and user administration permissions to admin keys. This change ensures that admin keys can now be scoped with the same level of granularity as user keys. Admins can actively collaborate with development teams without introducing unnecessary risks, offering greater flexibility in how keys are used and managed.

Comprehensive Permissions Framework

A PolyAPI key can now be scoped with the following permissions, enabling fine-tuned control over access and operations. As a reminder, all permissions are scoped to a specific environment, except for Tenant Administration and User Administration, which apply at the tenant level and can only be assigned to admin keys.

  1. Execute Functions: Invoke and use all primitives in Poly (API Functions, Server Functions, Webhooks, etc.) through generated libraries or execution endpoints.
  2. Generate Library: Generate SDKs for streamlined integration.
  3. Custom Dev: Deploy and redeploy client and server functions.
  4. Auth Config: Configure and manage authentication providers.
  5. Manage Resources: CRUD (Create, Read, Update, Delete) operations for:
    • API Functions (including training)
    • Webhooks
    • Variables (non-secrets)
    • Secrets
    • Triggers
    • Snippets (including publication from CLI)
    • Applications
  6. Use Applications: Access Canopy applications, such as the Poly Management UI, protected by PolyAPI keys.
  7. Manage Users: CRUD operations for users and API keys across all environments in the tenant (Admin-only).
  8. Manage Tenant: Configure tenant-level settings, view audit logs, manage environments, and perform future capabilities such as tier changes (Admin-only).

Additionally, all users with a valid key retain the right to leverage the Poly AI Assistant for enhanced productivity.
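
The scoping rules above (six environment-level permissions, plus two tenant-level permissions reserved for admin keys) can be checked mechanically when reviewing a key inventory. The following is an added example, not PolyAPI code: the inventory format, the snake_case permission identifiers and the per-environment policy are assumptions made for illustration.

```python
# Added example: hypothetical key inventory format, not PolyAPI's API or export schema.
ENV_PERMS = {"execute_functions", "generate_library", "custom_dev",
             "auth_config", "manage_resources", "use_applications"}
TENANT_PERMS = {"manage_users", "manage_tenant"}  # tenant level, admin keys only

def audit_key(key, env_policy):
    """Return findings for one key. env_policy maps environment -> permissions the
    reviewer allows there (an assumption; an unlisted environment allows nothing)."""
    findings = []
    tenant = set(key.get("tenant", []))
    if tenant - TENANT_PERMS:
        findings.append(f"not a tenant-level permission: {sorted(tenant - TENANT_PERMS)}")
    if tenant & TENANT_PERMS and not key.get("admin", False):
        findings.append(f"admin-only permission on non-admin key: {sorted(tenant & TENANT_PERMS)}")
    for env, granted in sorted(key.get("environments", {}).items()):
        granted = set(granted)
        if granted - ENV_PERMS:
            findings.append(f"{env}: not an environment-level permission: {sorted(granted - ENV_PERMS)}")
        excess = (granted & ENV_PERMS) - set(env_policy.get(env, ()))
        if excess:
            findings.append(f"{env}: exceeds environment policy: {sorted(excess)}")
    return findings

def audit_all(keys, env_policy):
    """Map each key name to its list of findings (empty list means clean)."""
    return {k["name"]: audit_key(k, env_policy) for k in keys}

# Constructed sample data: broad rights in dev, strict limits in prod.
POLICY = {"dev": ENV_PERMS, "prod": {"execute_functions", "use_applications"}}
KEYS = [
    {"name": "ci-deployer", "admin": False, "tenant": [],
     "environments": {"dev": ["custom_dev", "manage_resources"],
                      "prod": ["execute_functions"]}},
    {"name": "team-lead", "admin": False, "tenant": ["manage_users"],
     "environments": {"prod": ["execute_functions", "custom_dev"]}},
    {"name": "platform-admin", "admin": True, "tenant": ["manage_users", "manage_tenant"],
     "environments": {"prod": ["use_applications", "manage_tenant"]}},
]

if __name__ == "__main__":
    for name, findings in audit_all(KEYS, POLICY).items():
        print(name, "OK" if not findings else findings)
```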

Reflecting PolyAPI’s Core Values

At PolyAPI, we’re committed to creating an intuitive yet powerful platform. This philosophy extends to security, where we empower admins to make informed decisions about balancing ease of use and security. With fine-grained permissions, admins can tailor access controls on a per-environment basis, granting broad permissions in one environment while maintaining strict limitations in another.

This new feature underscores our mission to simplify API management while enhancing seamless integration experiences. By introducing explicit permissions, we’re not just making PolyAPI more secure but also more adaptable to the diverse needs of our users.

Learn More

Ready to explore the benefits of fine-grained permissions or have questions about PolyAPI? Reach out to us at hello@polyapi.io – we’d love to hear from you!
