Platform Access Control
IAM provides role-based access control (RBAC) and ACL-based permission models to meet complex enterprise needs for fine-grained access control, enabling professional and precise enterprise permission management.
Permission Groups
Permission groups are combinations of menu-level permissions. These pre-configured groups can be assigned directly to a role to simplify authorization.
Platform Roles
Platform roles govern UI and feature access. Once a user is assigned a role, they inherit access to the role's menus and functions.
| Role Type | Description |
|---|---|
| Standard Role | Supports user binding, data access scope, and data masking policies. |
| Hierarchical Role | In addition to standard role settings, includes configuration for Managed User Data Scope and Managed Application Data Scope. Hierarchical roles are restricted to data within their managed scope. |
Data Masking Policy Binding
One or more Data Masking Policies can be bound to a role. A policy takes effect for a user only when every role assigned to that user has it enabled; for example, if all of a user's roles enable phone-number masking, that user sees only masked phone numbers.
Role Disable/Delete
| Action | Description |
|---|---|
| Disable | Users remain bound to the role but temporarily lose associated permissions. Permissions are restored once the role is re-enabled. |
| Delete | Automatically unbinds the role from all users. Affected users lose access to permissions granted by the role. |
Data Permissions
Data permissions define read/write access to database fields. For each role, specific field-level permissions can be configured. Write permission implies read permission.
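The rules in the three sections above (masking applies only when every assigned role enables the policy, a disabled role stays bound but grants nothing, a deleted role is unbound, and write implies read) combine into a small evaluation model. The following is an added illustration, not code from the platform; the role and record values are constructed, and the choice to evaluate masking over active roles only is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    enabled: bool = True
    # field name -> "read" or "write"; write implies read
    field_perms: dict = field(default_factory=dict)
    # names of data masking policies enabled on this role
    masking: set = field(default_factory=set)


def active_roles(roles):
    """A disabled role stays bound to the user but contributes no permissions."""
    return [r for r in roles if r.enabled]


def can_read(roles, fld):
    return any(r.field_perms.get(fld) in ("read", "write") for r in active_roles(roles))


def can_write(roles, fld):
    return any(r.field_perms.get(fld) == "write" for r in active_roles(roles))


def masked_policies(roles):
    """A masking policy applies only if every (active) role has it enabled.
    Assumption: disabled roles are ignored, since they grant nothing."""
    active = active_roles(roles)
    if not active:
        return set()
    return set.intersection(*(r.masking for r in active))


def delete_role(user_roles, name):
    """Deleting a role unbinds it from the user; its grants disappear."""
    return [r for r in user_roles if r.name != name]


def view_record(roles, record, policy_fields):
    """Project a record through the user's read rights and masking policies.
    policy_fields maps a policy name to the set of fields it masks (constructed)."""
    masked = masked_policies(roles)
    out = {}
    for fld, value in record.items():
        if not can_read(roles, fld):
            continue  # unreadable fields are omitted entirely
        if any(fld in policy_fields[p] for p in masked):
            value = "***"  # masked value shown instead of the real one
        out[fld] = value
    return out
```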
Open API Access Management
This module secures and manages the configuration of open APIs for external integration.
| Config Item | Description |
|---|---|
| Name | Label for identifying the token configuration. This is for internal display only. |
| Auth Type | Supports two modes: Basic and JWT. Basic mode: the token is static and can be used indefinitely. JWT mode: the token is time-limited; in Strict mode it is single-use and expires after 60s, in Standard mode it is reusable within the configured validity period. |
| API Key & Secret | Credential pair required to fetch a valid access token. |
| IP Whitelist | Only listed IP addresses can access the open API using the generated token. |
| API List | Select one or more open APIs. Tokens can be used to access only selected APIs. |
How to Call Open APIs
To call an open API, follow the steps below:
- Configure the token: select the open APIs it may access and generate the API Key and Secret.
- Use the API Key and Secret to request a valid authentication token, then call the selected APIs with that token.
JWT Mode
- Request a token: GET /esc-idm/acl/jwt-secret/token
- Use the returned JWT token to call the protected APIs.
Basic Mode
- Request a token: GET /esc-idm/acl/jwt-secret/token-basic
- Use the returned Basic token to call the protected APIs.
Token Disable/Delete Behavior
| Action | Effect |
|---|---|
| Disable | A token can still be retrieved, but API calls made with it return an invalid token error. |
| Delete | API Key becomes invalid and cannot be used to retrieve tokens. All API access is blocked. |