Glossary
Backend
An external service that wants to use Shield for authorization (authz). It can verify access through the Shield Proxy and the Shield API.
Permission
The ability to carry out an action, either in Shield itself or in a configured Backend.
Principal
The party to whom a Permission can be granted. Principals are of the following types:
- User: a person or service account, identified by email ID.
- Group: a collection of Users.
- All Registered Users: the collection of users who have registered in Shield. Any user who registers in Shield automatically becomes part of this Principal.
Resource
An entity that requires authorization to be accessed. For example, a GCE instance is a resource over which permissions such as edit and view are needed.
Resource Type
A classification that groups Resource instances. For example, GCE can be the resource type of GCE instances.
Project
A grouping of Resources, possibly of different Resource Types, that share a common environment.
Organization
The root node in the hierarchy of Resources; an Organization is a collection of Projects.
Namespace
The type of objects over which authorization is wanted. Namespaces are of two types:
- System Namespace: objects such as Organization, Project and Team, over which authorization is needed for actions like adding a user to a team or adding a user as owner of a project.
- Resource Namespace: Resource Types over which authorization is needed. For example, edit and view permissions are needed over GCE instances.
Role
An IAM identity that describes which Permissions a Principal has.
Policy
Defines which Permissions a Role has.
Entity
An instance of a Namespace.
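The terms above (Principal with its three kinds, Resource Type, Project and Organization as a hierarchy, Role and Policy) fit together into one small authorization model. The following Go program is an added, constructed example that wires them up and answers "may this user perform this permission on this resource?". It is not Shield's own code or API: the type names, the "user"/"group"/"all" principal kinds, the reading of Policy as a binding of a Role to a Principal on a Resource, and the rule that a policy on a Project or Organization applies to everything beneath it are all assumptions of this example.

```go
package main

import "fmt"

// Toy authorization model assembled from the glossary terms. This is a constructed
// example, not Shield's own code or API; all names here are the example's assumptions.

// Permission is an action in a Resource Namespace, e.g. "gce/view".
type Permission string

// Principal is something a Permission can be granted to. Kind is one of
// "user" (ID = email), "group" (ID = group name) or "all" (all registered users).
type Principal struct {
	Kind, ID string
}

// Resource sits in the hierarchy Organization -> Project -> Resource.
type Resource struct {
	Type, Name string
	Parent     *Resource // nil at the Organization root
}

// Role is a named set of Permissions.
type Role struct {
	Name        string
	Permissions map[Permission]bool
}

// Policy binds a Role to a Principal on a Resource (this example's reading of
// the glossary's Role and Policy definitions).
type Policy struct {
	Principal Principal
	Role      *Role
	Resource  *Resource
}

// Store holds registered users, group membership and policies.
type Store struct {
	registered map[string]bool            // users who registered in Shield
	groups     map[string]map[string]bool // group name -> member emails
	policies   []Policy
}

func NewStore() *Store {
	return &Store{registered: map[string]bool{}, groups: map[string]map[string]bool{}}
}

func (s *Store) RegisterUser(email string) { s.registered[email] = true }

func (s *Store) AddToGroup(group, email string) {
	if s.groups[group] == nil {
		s.groups[group] = map[string]bool{}
	}
	s.groups[group][email] = true
}

func (s *Store) Bind(p Principal, r *Role, res *Resource) {
	s.policies = append(s.policies, Policy{Principal: p, Role: r, Resource: res})
}

// covers reports whether the user with this email falls under principal p.
func (s *Store) covers(email string, p Principal) bool {
	switch p.Kind {
	case "user":
		return p.ID == email
	case "group":
		return s.groups[p.ID][email] // nil map lookup is false
	case "all":
		return s.registered[email]
	}
	return false
}

// Check answers "may this user perform perm on res?". A policy bound on an
// ancestor (Project or Organization) also applies to its descendants; that
// inheritance is an assumption of the example, not stated by the glossary.
func (s *Store) Check(email string, perm Permission, res *Resource) bool {
	for node := res; node != nil; node = node.Parent {
		for _, pol := range s.policies {
			if pol.Resource == node && pol.Role.Permissions[perm] && s.covers(email, pol.Principal) {
				return true
			}
		}
	}
	return false
}

// Demo builds a small constructed world and returns the store and a GCE instance.
func Demo() (*Store, *Resource) {
	org := &Resource{Type: "organization", Name: "acme"}
	proj := &Resource{Type: "project", Name: "prod", Parent: org}
	vm := &Resource{Type: "gce", Name: "vm-1", Parent: proj}
	viewer := &Role{Name: "viewer", Permissions: map[Permission]bool{"gce/view": true}}
	editor := &Role{Name: "editor", Permissions: map[Permission]bool{"gce/view": true, "gce/edit": true}}

	s := NewStore()
	s.RegisterUser("alice@example.com")
	s.RegisterUser("bob@example.com")
	s.AddToGroup("sre", "bob@example.com")
	s.Bind(Principal{Kind: "all"}, viewer, org)               // every registered user may view
	s.Bind(Principal{Kind: "group", ID: "sre"}, editor, proj) // sre group may edit in prod
	return s, vm
}

func main() {
	s, vm := Demo()
	fmt.Println(s.Check("alice@example.com", "gce/view", vm)) // true: all-registered-users on org
	fmt.Println(s.Check("alice@example.com", "gce/edit", vm)) // false
	fmt.Println(s.Check("bob@example.com", "gce/edit", vm))   // true: sre group on project
	fmt.Println(s.Check("eve@example.com", "gce/view", vm))   // false: eve never registered
}
```

Note the last case: an unregistered user gets nothing even from the "all registered users" Principal, which is why registration, not just knowing an email, is what places someone inside that Principal.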
SpiceDB
SpiceDB is a Zanzibar-inspired open source database system for managing security-critical application permissions.