API Access Control

Blameless providers users with the ability to manage API access control via users, groups and roles. Each API endpoint can have at most one rule associated with it.

The authorization hook is associated with a (verb, resource,rule) tuple. If the user's identity has a matching rule, then calling the (verb, resource) API is granted.

All users with matching rules and permissions are permitted access to the endpoint. Any endpoint without a rule (i.e. None) are accessible by all authenticated users.

API Access Control Examples

Authorization

The authorization hook is associated with a (verb, resource,rule) tuple. If the user's identity has a matching rule, then calling the (verb, resource) API is granted.

For example, the health does not have access control, while GET /api/v1/incidents requires the IncidentRead rule.

• None: GET /
• None: GET /api/v1/health
• None: GET /api/v1/info/auth
• IncidentRead: GET /api/v1/incidents
• IncidentRead: GET /api/v1/incidents/<int:incident_id>
• IncidentRoleRead: GET /api/v1/incident-roles
• None: GET /api/v1/postmortem-states
• IncidentCreate: POST /api/v1/incidents
• IncidentTicketCreate: PUT /api/v1/incidents/<int:incident_id>/ticket
• None: GET /api/v1/integration/servicenow/fields/<string:ticket_id>
• IncidentMemberDelete: DELETE /api/v1/incidents/<int:incident_id>/team/<string:member_id>
• IncidentUpdate: PUT /api/v1/incidents/<int:incident_id>
• IncidentDelete: DELETE /api/v1/incidents/<int:incident_id>
• TaskRead: GET /api/v1/tasks
• TaskRead: GET /api/v1/tasks/<int:task_id>
• IncidentTaskRead: GET /api/v1/incidents/<int:incident_id>/tasks
• IncidentTaskUpdate: PATCH /api/v1/incidents/<int:incident_id>/tasks
• IncidentTaskCreate: POST /api/v1/incidents/<int:incident_id>/tasks
• IncidentTaskUpdate: PUT /api/v1/incidents/<int:incident_id>/tasks/<int:task_id>
• IncidentTaskDelete: DELETE /api/v1/incidents/<int:incident_id>/tasks/<int:task_id>
• None: GET /api/v1/actions
• IncidentActionRead: GET /api/v1/actions/<int:action_id>
• IncidentActionRead: GET /api/v1/incidents/<int:incident_id>/actionsMetadata
• IncidentActionRead: GET /api/v1/incidents/<int:incident_id>/actions
• IncidentActionCreate: POST /api/v1/incidents/<int:incident_id>/actions
• IncidentActionUpdate: PUT /api/v1/incidents/<int:incident_id>/actions/<int:action_id>
• IncidentActionDelete: DELETE /api/v1/incidents/<int:incident_id>/actions/<int:action_id>
• None: GET /api/v1/events
• None: GET /api/v1/events/<int:event_id>
• IncidentEventRead: GET /api/v1/incidents/<int:incident_id>/events
• IncidentEventCreate: POST /api/v1/incidents/<int:incident_id>/events
• IncidentEventUpdate: PUT /api/v1/incidents/<int:incident_id>/events/<int:event_id>
• IncidentEventDelete: DELETE /api/v1/incidents/<int:incident_id>/events/<int:event_id>
• IncidentPostmortemRead: GET /api/v1/incidents/<int:incident_id>/postmortem
• IncidentPostmortemRead: POST /api/v1/incidents/<int:incident_id>/postmortem/download/<string:extension>
• IncidentPostmortemRead: GET /api/v1/incidents/<int:incident_id>/collaborative_editor
• IncidentPostmortemCreate: POST /api/v1/incidents/<int:incident_id>/postmortem
• IncidentPostmortemCreate: POST /api/v1/postmortems
• IncidentPostmortemUpdate: PUT /api/v1/incidents/<int:incident_id>/postmortem
• None: GET /api/v1/metrics/postmortem-aggregates
• IncidentPostmortemRead: GET /api/v1/open_postmortems
• IncidentPostmortemRead: GET /api/v1/postmortems
• DashboardChartRead: GET /api/v1/dashboards/<string:dashboard_id>/charts/<string:chart_id>
• DashboardRead: GET /api/v1/dashboards/<string:dashboard_id>
• None: GET /api/v1/tags/search
• None: PUT /api/v1/incidents/<int:incident_id>/postmortem/tag
• None: DELETE /api/v1/incidents/<int:incident_id>/postmortem/tag
• None: GET /api/v1/tags
• IncidentTagCreate: POST /api/v1/tag
• UserinfoRead: GET /api/v1/slack-users-phone
• None: GET /api/v1/slack-channels
• PrivatechannelRead: GET /api/v1/search-slack-channels
• PrivatechannelRead: GET /api/v1/incidents/<int:incident_id>/slack-channels
• UserinfoRead: GET /api/v1/slack-users
• None: GET /api/v1/users/jira
• None: POST /api/v1/integration/jira/test
• None: GET /api/v1/integration/jira/projects
• None: GET /api/v1/integration/jira/project_issue_types
• None: GET /api/v1/integration/probes
• None: GET /api/v1/metrics/tags
• SettingRead: GET /api/v1/settings-metadata
• SettingRead: GET /api/v1/settings-metadata/<string:field_name>/search/<string:search_text>
• IncidentRead: GET /api/v1/settings-metadata/get_options
• SettingRead: GET /api/v1/settings/metadata
• SettingRead: GET /api/v1/settings/<string:section_id>
• SettingRead: GET /api/v1/settings/<string:section_id>/<string:sub_section_id>
• SettingRead: GET /api/v1/settings-section
• SettingUpdate: POST /api/v1/settings
• None: GET /api/v1/timezone-setting
• SettingRead: GET /api/v1/settings
• None: GET /api/v1/slack-oauth-url
• None: GET /api/v1/google-calendar-oauth-url
• None: GET /api/v1/google-calendar-oauth-callback-url
• None: GET /api/v1/integrations
• None: GET /api/v1/slo/dataproviders
• IncidentCommunicationRead: GET /api/v1/incidents/<int:incident_id>/communications
• IncidentCommunicationRead: GET /api/v1/incidents/communications/channels
• IncidentCommunicationRead: GET /api/v1/incidents/<int:incident_id>/internal_communications/<string:communication_id>
• IncidentCommunicationCreate: POST /api/v1/incidents/<int:incident_id>/internal_communications
• IncidentCommunicationUpdate: PUT /api/v1/incidents/<int:incident_id>/internal_communications/<string:communication_id>
• IncidentCommunicationExecute: PATCH /api/v1/incidents/<int:incident_id>/internal_communications/<string:communication_id>
• IncidentCommunicationRead: GET /api/v1/incidents/<int:incident_id>/external_communications/<string:communication_id>
• IncidentCommunicationCreate: POST /api/v1/incidents/<int:incident_id>/external_communications
• IncidentCommunicationUpdate: PUT /api/v1/incidents/<int:incident_id>/external_communications/<string:communication_id>
• IncidentCommunicationExecute: PATCH /api/v1/incidents/<int:incident_id>/external_communications/<string:communication_id>
• IncidentCommunicationRead: GET /api/v1/incidents/statuspage
• DashboardRead: GET /api/v1/boards
• DashboardRead: GET /api/v1/boards/<string:board_id>
• DashboardCreate: POST /api/v1/boards
• DashboardUpdate: PUT /api/v1/boards/<string:board_id>
• DashboardUpdate: PATCH /api/v1/boards
• DashboardDelete: DELETE /api/v1/boards/<string:board_id>
• DashboardTitleCreate: POST /api/v1/boards/<string:board_id>/tiles
• DashboardTitleUpdate: PUT /api/v1/boards/<string:board_id>/tiles/<string:tile_id>
• DashboardTitleDelete: DELETE /api/v1/boards/<string:board_id>/tiles/<string:tile_id>
• TopicRead: GET /api/v1/topics
• FactRead: GET /api/v1/facts
• TopicSegmentRead: GET /api/v1/topics/<string:topic_name>/segments
• TopicExecute: POST /api/v1/topics/<string:topic_name>/execute
• TopicExecute: POST /api/v1/topics/<string:topic_name>/validate
• DashboardTemplateRead: GET /api/v1/board_templates/<string:template_name>
• None: GET /api/v1/service-registry/services
• None: POST /api/v1/service-registry/services
• None: PUT /api/v1/service-registry/services/<int:service_id>
• None: GET /api/v1/slo/health
• SloCreate: POST /api/v1/slo/contact
• SloRead: GET /api/v1/slo/contact
• SloRead: GET /api/v1/slo/contact/<int:contact_id>
• SloCreate: POST /api/v1/slo/service
• SloRead: GET /api/v1/slo/service
• SloRead: GET /api/v1/slo/service/<int:service_id>
• SloCreate: POST /api/v1/slo/slio
• SloRead: GET /api/v1/slo/slio
• SloRead: GET /api/v1/slo/slio/<int:slio_id>
• SloUpdate: PUT /api/v1/slo/slio/<int:slio_id>
• SloDelete: DELETE /api/v1/slo/slio/<int:slio_id>
• SloRead: GET /api/v1/slo/sli-menu
• SloRead: GET /api/v1/slo/slio/<int:sli_menu_id>
• SloCreate: POST /api/v1/slo/user-journey
• SloRead: GET /api/v1/slo/user-journey
• SloRead: GET /api/v1/slo/user-journey/<int:user_journey_id>
• None: GET /api/v1/slo/slo-burndown/<int:slio_id>
• SloExecute: POST /api/v1/slo/datadog/validate
• SloExecute: POST /api/v1/slo/prometheus/validate
• SloExecute: GET /api/v1/slo/appdynamics/getapplications
• SloExecute: GET /api/v1/slo/appdynamics/getmetrics/<int:application_id>
• SloExecute: POST /api/v1/slo/appdynamics/validate
• None: GET /api/v1/slo/sli-computed-graph/<int:slio_id>
• Slo-manual-minutesCreate: POST /api/v1/slo/manual-minutes
• None: GET /api/v1/identity/health
• IdentityUserCreate: POST /api/v1/identity/user
• IdentityUserUpdate: POST /api/v1/identity/user/id/<int:user_id>
• IdentityRead: GET /api/v1/identity/user
• IdentityUserRead: GET /api/v1/identity/user/id/<int:user_id>
• IdentityRead: GET /api/v1/identity/user/groups/<int:user_id>
• IdentityRead: GET /api/v1/identity/user/roles/<int:user_id>
• IdentityRead: GET /api/v1/identity/user/rules/<int:user_id>
• IdentityUserRead: GET /api/v1/identity/user/authName/<string:auth_name>
• IdentityUserDelete: DELETE /api/v1/identity/user/id/<int:user_id>
• IdentityUserRead: GET /api/v1/identity/user/integration/<string:integration_type>/<string:integration_id>
• IdentityRead: GET /api/v1/identity/user/integrations/<int:user_id>
• IdentityCreate: POST /api/v1/userintegration
• IdentityCreate: POST /api/v1/userintegration/kvs/<string:integration_type>/<string:integration_id>
• IdentityRead: GET /api/v1/identity/userintegration/type/<string:integration_type>/id/<string:integration_id>
• IdentityRead: GET /api/v1/identity/userintegration/type
• IdentityUpdate: DELETE /api/v1/identity/userintegration/<string:integration_type>/<string:integration_id>
• IdentityOrgCreate: POST /api/v1/identity/org
• IdentityOrgRead: GET /api/v1/identity/org
• IdentityOrgRead: GET /api/v1/identity/org/id/<int:org_id>
• IdentityRead: GET /api/v1/identity/org/users/<int:org_id>
• IdentityOrgUpdate: PUT /api/v1/identity/org/id/<int:org_id>
• IdentityOrgUpdate: PUT /api/v1/identity/org/settings/<int:org_id>
• IdentityGroupCreate: POST /api/v1/identity/group
• IdentityGroupUpdate: POST /api/v1/identity/group/id/<int:group_id>
• IdentityGroupDelete: DELETE /api/v1/identity/group/id/<int:group_id>
• IdentityRead: GET /api/v1/identity/group/org/<int:org_id>
• IdentityRead: GET /api/v1/identity/group/id/<int:group_id>
• IdentityRead: GET /api/v1/identity/group/users/<int:group_id>
• IdentityRead: GET /api/v1/identity/group/roles/<int:group_id>
• IdentityGroupUserCreate: POST /api/v1/identity/group/user
• IdentityGroupCreate: POST /api/v1/identity/group/role
• IdentityGroupUpdate: DELETE /api/v1/identity/group/user/<int:group_id>/<int:user_id>
• IdentityGroupUpdate: DELETE /api/v1/identity/group/role/<int:group_id>/<int:role_id>
• IdentityRuleCreate: POST /api/v1/identity/rule
• IdentityRead: GET /api/v1/identity/rule/id/<int:rule_id>
• IdentityRead: GET /api/v1/identity/rule
• IdentityRead: GET /api/v1/identity/rule/roles/<int:rule_id>
• IdentityRoleCreate: POST /api/v1/identity/role
• IdentityRead: GET /api/v1/identity/role/id/<int:role_id>
• IdentityRead: GET /api/v1/identity/role
• IdentityRead: GET /api/v1/identity/role/rules/<int:role_id>
• IdentityRoleUpdate: POST /api/v1/identity/role/rule
• IdentityRead: GET /api/v1/identity/role/users/<int:role_id>
• IdentityRead: GET /api/v1/identity/role/groups/<int:role_id>
• IdentityRoleCreate: POST /api/v1/identity/role/custom
• None: GET /api/v1/slo/error-budget-policies
• None: GET /api/v1/slo/error-budget-policy-threshold
• SloCreate: POST /api/v1/slo/error-budget-policy-threshold-metadata
• SloUpdate: PUT /api/v1/slo/error-budget-policy-threshold
• None: GET /api/v1/incident-types
• None: GET /api/v1/incident-severities
• None: GET /api/v1/identity/rbac/enforce/<string:encoded_params>
• None: GET /api/v1/identity/rbac/params
• AuditlogRead: GET /api/v1/audit-logs
• CommentsRead: GET /api/v1/comments/<string:component_ref>
• CommentsCreate: POST /api/v1/comments
• CommentsUpdate: PUT /api/v1/comments/<int:comment_id>/resolve
• CommentsDelete: DELETE /api/v1/comments/<int:comment_id>
• Comments_infoUpdate: POST /api/v1/comments/<string:component_ref>/register
• SloDelete: DELETE /api/v1/slo/user-journey-steps/<int:user_journey_id>
• SloRead: GET /api/v1/slo/user-journey-steps/<int:user_journey_id>
• SloRead: GET /api/v1/slo/user-journey-steps
• SloCreate: POST /api/v1/slo/user-journey-steps
• SloUpdate: PUT /api/v1/slo/user-journey-steps/<int:user_journey_id>