RBAC and Policies
QNSP enforces access control via roles and policies.
Role model
Roles are collections of permissions assigned to identities.
Built-in roles
- owner: Full tenant access
- admin: Administrative operations
- developer: Development operations
- viewer: Read-only access
Custom roles
Define custom roles with specific permissions:
{
"name": "key-manager",
"permissions": [
"kms:keys:read",
"kms:keys:create",
"kms:keys:rotate"
]
}
Permission format
Permissions follow the pattern:
<service>:<resource>:<action>
Examples:
- kms:keys:create
- vault:secrets:read
- storage:objects:write
Policy evaluation
The access control service evaluates three layers for every request:
- Identity roles
- Resource policies
- Tenant-level overrides
All three must allow the request; a deny at any single layer is final.
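The following Python model, added here as an illustration and not taken from QNSP's implementation, ties the three sections together: it validates `<service>:<resource>:<action>` strings, loads the `key-manager` role from the JSON shown above, and evaluates a request through identity roles, resource policies and tenant overrides with all-must-allow semantics. The shape of resource policies (an explicit allow list per permission) and tenant overrides (a tenant-wide deny list with an optional `*` action wildcard), the `viewer` permissions and all identities and resources are constructed assumptions.

```python
"""Added example: a minimal model of the permission format, custom roles and
three-layer policy evaluation. Not QNSP's own code; the resource-policy and
tenant-override structures are assumptions."""
import json
import re
from dataclasses import dataclass, field

# <service>:<resource>:<action>, each segment a bare lowercase identifier.
PERMISSION_RE = re.compile(r"^([a-z0-9_-]+):([a-z0-9_-]+):([a-z0-9_-]+)$")


def parse_permission(perm: str) -> tuple:
    """Validate and split a permission; anything malformed is rejected so a
    typo such as 'kms:keys' can never silently match a real permission."""
    m = PERMISSION_RE.match(perm)
    if not m:
        raise ValueError(f"malformed permission: {perm!r}")
    return m.group(1), m.group(2), m.group(3)


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset

    @classmethod
    def from_json(cls, text: str) -> "Role":
        doc = json.loads(text)
        perms = frozenset(doc["permissions"])
        for p in perms:
            parse_permission(p)  # fail closed on a bad role definition
        return cls(doc["name"], perms)


# The custom role from the page, plus an assumed minimal viewer role.
KEY_MANAGER_JSON = """{
  "name": "key-manager",
  "permissions": ["kms:keys:read", "kms:keys:create", "kms:keys:rotate"]
}"""
ROLES = {
    "key-manager": Role.from_json(KEY_MANAGER_JSON),
    "viewer": Role("viewer", frozenset({"kms:keys:read", "vault:secrets:read"})),
}

# Constructed sample data (assumptions, not QNSP schemas).
IDENTITY_ROLES = {"alice": ("key-manager",), "bob": ("viewer",)}
# Resource policy: when attached, the complete map of permission -> identities
# explicitly allowed to exercise it on that resource.
RESOURCE_POLICIES = {
    "kms:keys/prod-signing": {"kms:keys:rotate": {"alice"}},
    "kms:keys/audit-log": {"kms:keys:rotate": {"carol"}},
}
# Tenant override: permissions denied tenant-wide (exact, or 'svc:res:*'),
# e.g. key creation frozen during an incident.
TENANT_DENY = {"acme": frozenset({"kms:keys:create"})}


def deny_matches(pattern: str, perm: str) -> bool:
    """True if a tenant deny entry covers the requested permission."""
    ps, pr, pa = pattern.split(":")
    s, r, a = parse_permission(perm)
    return ps == s and pr == r and pa in ("*", a)


@dataclass
class Decision:
    allowed: bool
    layers: dict = field(default_factory=dict)


def evaluate(identity: str, tenant: str, permission: str, resource: str) -> Decision:
    """Run all three layers; every one must allow, any single deny wins.
    Per-layer results are kept so a denial can be explained in audit logs."""
    parse_permission(permission)  # reject malformed input before any lookup
    layers = {}

    held = set()
    for rname in IDENTITY_ROLES.get(identity, ()):
        held |= ROLES[rname].permissions
    layers["identity_roles"] = permission in held

    policy = RESOURCE_POLICIES.get(resource)
    if policy is None:
        layers["resource_policy"] = True  # assumption: no policy attached, roles alone govern
    else:
        layers["resource_policy"] = identity in policy.get(permission, set())

    denied = TENANT_DENY.get(tenant, frozenset())
    layers["tenant_override"] = not any(deny_matches(d, permission) for d in denied)

    return Decision(all(layers.values()), layers)


if __name__ == "__main__":
    print(evaluate("alice", "acme", "kms:keys:rotate", "kms:keys/prod-signing"))
    print(evaluate("alice", "acme", "kms:keys:create", "kms:keys/new-key"))
```

Note that the resource-policy layer is modelled as an explicit allow list rather than a grant: a resource with a policy attached denies everyone it does not name, even if their role carries the permission. Whether an unlisted resource should fall through to roles alone is the kind of default you want stated in writing before the service ships.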
Capability tokens
For fine-grained access, capability tokens encode:
- Specific resource
- Allowed actions
- Expiry
- Constraints
They are used for delegated access patterns: a holder passes on a narrower, time-limited subset of its own access rather than its full role.
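An added example of a capability token carrying the four fields listed above, with a verifier that checks each of them. This is not QNSP's token format: the HMAC-SHA256 encoding, the `source_cidr` constraint, the signing key and the resource names are assumptions made for the demonstration.

```python
"""Added example: HMAC-signed capability token with resource, allowed
actions, expiry and constraints, plus a verifier. Not QNSP's format; the
encoding, constraint type and key are assumptions."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

# Constructed demo key; a real deployment would source this from the tenant's KMS.
SIGNING_KEY = b"constructed-demo-signing-key"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(key: bytes, resource: str, actions: list, ttl_seconds: int,
         constraints: dict, now: Optional[float] = None) -> str:
    """Issue a capability: an issuer already authorised on the resource
    delegates a narrow, time-boxed subset of that access."""
    now = time.time() if now is None else now
    body = {
        "res": resource,
        "act": sorted(set(actions)),
        "exp": int(now) + ttl_seconds,
        "cst": constraints,
    }
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(tag)


def verify(key: bytes, token: str, resource: str, action: str,
           client_ip: str, now: Optional[float] = None) -> tuple:
    """Return (allowed, reason). The signature is checked before the payload
    is parsed so unauthenticated bytes never reach the JSON decoder."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64url_decode(payload_b64), b64url_decode(tag_b64)
    except ValueError:  # wrong field count or undecodable base64
        return False, "malformed token"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "bad signature"
    body = json.loads(payload)
    if now >= body["exp"]:
        return False, "expired"
    if body["res"] != resource:
        return False, "resource mismatch"
    if action not in body["act"]:
        return False, "action not delegated"
    cidr = body["cst"].get("source_cidr")
    if cidr:
        try:
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr):
                return False, "source constraint violated"
        except ValueError:  # unparsable address or network: fail closed
            return False, "source constraint violated"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint(SIGNING_KEY, "vault:secrets/ci-deploy-key", ["vault:secrets:read"],
               600, {"source_cidr": "10.0.0.0/8"}, now=t0)
    print(tok)
    print(verify(SIGNING_KEY, tok, "vault:secrets/ci-deploy-key",
                 "vault:secrets:read", "10.1.2.3", now=t0 + 30))
```

The order of checks matters: signature first, so a tampered payload is rejected before any of its fields are trusted, then expiry, then the resource, action and constraint bindings. A token minted for read on one secret cannot be replayed against another resource, for another action, after its expiry, or from outside the network it was scoped to.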