
Revoke Access Template

This kind of template revokes access to a resource from one or more users. The template looks like the following:

apiVersion: witboost.com/v1
kind: AccessControlRequestTemplate
metadata:
  name: revoke-request-template
  title: Revoke Request
  description: Template definition for revoking access
spec:
  type: revoke
  owner: datameshplatform
  parameters:
    - title: Revoke Request
      required:
        - identities
        - motivation
      properties:
        identities:
          title: Identities
          type: array
          description: Select users/groups that you are requesting a revoke
          ui:field: AccessControlListPicker
          ui:options:
            allowedKinds:
              - user
              - group
        motivation:
          title: Motivation
          type: string
          description: Motivate your request
          ui:options:
            multiline: true
            rows: 6

  steps:
    - id: send_request
      name: Send Request
      action: revoke-request:send
      input:
        identities: '${{ parameters.identities }}'
        fields:
          identities: '${{ parameters.identities }}'
          motivation: '${{ parameters.motivation }}'
        displayFields:
          - title: Motivation
            text: '${{ parameters.motivation }}'

It has the same structure as a standard template, so any picker can be used in the parameters section. The main differences are the following:

  • the kind must be AccessControlRequestTemplate
  • the spec.type must be revoke
  • the spec.steps part is mandatory, and follows the above schema. For an Access Control Request Template to work properly, the action with value revoke-request:send must be defined.
  • the spec.steps.input.fields object allows you to define all the fields that you want to attach to the request and that will be sent to an external service, if configured.

Info: The identities field is required by witboost in order to know which subjects this access request or revoke request concerns.
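
A lint for the rules listed above, as an added example that is not witboost's own code: it takes the template already parsed into a mapping (for instance by a YAML loader) and reports a wrong kind or type, a missing revoke-request:send step, or a missing identities input. Treating a '${{ parameters.* }}' reference to an undeclared parameter as an error is an assumption of this example, and lint_revoke_template and SAMPLE are hypothetical names.

```python
import re

REQUIRED_KIND = "AccessControlRequestTemplate"
SEND_ACTION = "revoke-request:send"
PARAM_REF = re.compile(r"\$\{\{\s*parameters\.(\w+)\s*\}\}")


def _strings(node):
    """Yield every string nested inside dicts and lists."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)


def lint_revoke_template(doc):
    """Return rule violations for a parsed template; an empty list means it passes."""
    problems = []
    spec = doc.get("spec") or {}
    if doc.get("kind") != REQUIRED_KIND:
        problems.append(f"kind must be {REQUIRED_KIND}")
    if spec.get("type") != "revoke":
        problems.append("spec.type must be revoke")
    declared = set()
    for page in spec.get("parameters") or []:
        declared.update(page.get("properties") or {})
    send = [s for s in (spec.get("steps") or []) if s.get("action") == SEND_ACTION]
    if not send:
        problems.append(f"spec.steps must contain a step with action {SEND_ACTION}")
    for step in send:
        step_input = step.get("input") or {}
        if not step_input.get("identities"):
            problems.append("input.identities is missing")
        # Assumption of this example: undeclared parameter references are errors.
        for name in sorted({m for s in _strings(step_input) for m in PARAM_REF.findall(s)}):
            if name not in declared:
                problems.append(f"input references undeclared parameter '{name}'")
    return problems


# Constructed sample: the page's template, trimmed, as a YAML loader would return it.
SAMPLE = {"kind": "AccessControlRequestTemplate", "spec": {
    "type": "revoke",
    "parameters": [{"properties": {"identities": {}, "motivation": {}}}],
    "steps": [{"id": "send_request", "action": "revoke-request:send", "input": {
        "identities": "${{ parameters.identities }}",
        "fields": {"motivation": "${{ parameters.motivation }}"}}}]}}
```

Calling lint_revoke_template(SAMPLE) returns an empty list; run it in CI over every template of this kind so a broken revoke flow is caught before it is published.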

How to use it

To access the revoke template, you must enable the following value in your values.yaml, which unlocks the revoke button:

mesh:
  marketplace:
    ui:
      accessControl:
        enableRevokeRequest: true

Info: Remember that you can navigate to the access control panel only if you are the owner of the resource.