Creating policies

Required setup

Note that after creating policies, you must Configure the Agent and Install and configure your SDK for them to actually work.

Frontegg's Entitlements are based on user access to features or permissions to perform actions. The building blocks of the mechanism are policies, which you devise and the Entitlement Agent takes into consideration every time it needs to make a decision.

Policies are therefore rules that determine who is allowed to access specific resources and under what conditions. They help ensure that only authorized users can perform certain actions on a system or network.

Let's dive into creating your first policy to control API access.

Creating routes manually

To create your first protected route, head over to [Environment] -> Entitlements -> API access control. Press the Create new API button to create routes manually, or use Import your APIs.

Creating your first route and related policies

The Create new API button lets you create your first API route manually and ensures that the policies you set are enforced for every API request users make on that specific route.

Route parameters and format

For every route you create, you will need to fill in the following parameters:

  1. Method (Required): Here, you must specify the HTTP method for the specific route. Choose one of ANY, GET, POST, PUT, or DELETE.
  2. Path (Required): This is where you specify the path for the route. It should always start with a forward slash (/).
    • You can specify a catch-all route that intercepts all requests to the path by ending a path with an asterisk. For example, /users/*.
    • You can include path parameters in the route by using curly braces, e.g., /users/{id}.
  3. Description (Optional): This field allows you to provide a brief description of the route for reference.
  4. Access Control (Required): This parameter determines the different restrictions you can set for your route. You can choose from the following options:
    • Allow to all: This option makes the route accessible to all users.
    • Block all: This option restricts access to the route for all users.
    • Allow access with entitlements: This option allows only users entitled to specific permissions or features to access the route.

Routes and rules order

Routes and rules are evaluated deterministically: a route's position in the route tree determines its precedence, so the order and specificity of your routes affect which policy the system applies to a request.

Example

The most specific matching route is the one that is applied to a request.
For example, you can define the following policies:

  • GET /users/config -> BLOCK
  • ANY /users/* -> OPEN

If the Engine then receives a GET /users/config request, the result follows the first policy, since it is more granular than the second one.

Allowing access control with Entitlements

While the Allow All and Block All options are straightforward and simply grant or deny access to everyone, Entitlement-based access control opens a world of customizability. You can make access as broad or as granular as you wish, based on multiple parameters. Note that:

  • You can attach permissions and features to the API policy.
  • A user must be granted all features and permissions specified in the policy to have access to the specific route.

Settings tab

To enable the policies for your endpoints, go to your Settings tab and enable the Enforce API Security toggle. If it is turned off, the policies are not applied and all of your endpoints default to allowing access; the SDK logs what the result would have been had the toggle been enabled.
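The following is an added example, not Frontegg's Entitlement Agent or SDK code, that models the behaviour described on this page in one place: the route format (method, a path with a trailing * catch-all or {param} segments, and the three access-control options), the rule that the most specific matching route wins (the GET /users/config versus ANY /users/* case above), the requirement that a user hold all permissions and features attached to a policy, and the dry-run behaviour when Enforce API Security is off. The Route and Decision names, the specificity ranking, the permission and feature names, and the choice to let unmatched requests through are assumptions of this model, not documented Agent behaviour.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example: a toy model of entitlement-based API access control. It is NOT
# Frontegg's Entitlement Agent; names, ranking and defaults are assumptions.

METHODS = {"ANY", "GET", "POST", "PUT", "DELETE"}
ACCESS_MODES = {"allow_all", "block_all", "entitlements"}


@dataclass(frozen=True)
class Route:
    method: str                           # one of METHODS; ANY matches every method
    path: str                             # starts with "/", may end in "*" or contain {param}
    access: str                           # one of ACCESS_MODES
    permissions: frozenset = frozenset()  # ALL required when access == "entitlements"
    features: frozenset = frozenset()     # ALL required when access == "entitlements"

    def __post_init__(self):
        assert self.method in METHODS and self.access in ACCESS_MODES
        assert self.path.startswith("/")


def _segments(path: str) -> list:
    return [s for s in path.split("/") if s]


def matches(route: Route, method: str, request_path: str) -> bool:
    """True if the route applies to (method, request_path).
    A trailing '*' matches the rest of the path (assumption: an empty rest too);
    a '{param}' segment matches exactly one segment of any value."""
    if route.method != "ANY" and route.method != method:
        return False
    rsegs, qsegs = _segments(route.path), _segments(request_path)
    for i, seg in enumerate(rsegs):
        if seg == "*":
            return i == len(rsegs) - 1      # catch-all only valid as the last segment
        if i >= len(qsegs):
            return False
        if seg.startswith("{") and seg.endswith("}"):
            continue                        # path parameter: any single segment
        if seg != qsegs[i]:
            return False
    return len(rsegs) == len(qsegs)


def specificity(route: Route) -> tuple:
    """Ranking key, higher is more specific (assumed ordering): a route without a
    catch-all beats one with it, more literal segments beat fewer, then more
    path parameters, and a concrete method beats ANY."""
    segs = _segments(route.path)
    wildcard = bool(segs) and segs[-1] == "*"
    literals = sum(1 for s in segs if s != "*" and not s.startswith("{"))
    params = sum(1 for s in segs if s.startswith("{"))
    return (0 if wildcard else 1, literals, params, 0 if route.method == "ANY" else 1)


def select_route(routes: Iterable[Route], method: str, path: str) -> Optional[Route]:
    candidates = [r for r in routes if matches(r, method, path)]
    return max(candidates, key=specificity) if candidates else None


@dataclass
class Decision:
    allowed: bool
    route: Optional[Route]
    reason: str


def decide(routes, method, path, user_permissions=(), user_features=(), enforce=True) -> Decision:
    """Evaluate one request. With enforce=False (Enforce API Security toggle off)
    a request that would be blocked is let through and the would-be result is logged."""
    route = select_route(routes, method, path)
    if route is None:
        allowed, reason = True, "no matching route (assumption: unmatched requests pass)"
    elif route.access == "allow_all":
        allowed, reason = True, "allow_all"
    elif route.access == "block_all":
        allowed, reason = False, "block_all"
    else:
        missing_p = sorted(route.permissions - set(user_permissions))
        missing_f = sorted(route.features - set(user_features))
        allowed = not missing_p and not missing_f   # every permission AND feature needed
        reason = "entitled" if allowed else f"missing permissions={missing_p} features={missing_f}"
    if not enforce and not allowed:
        print(f"[dry-run] would block {method} {path}: {reason}")
        return Decision(True, route, "enforcement disabled; " + reason)
    return Decision(allowed, route, reason)


# Constructed policies: the two from the page's example plus an entitlement-gated
# route. The permission and feature names are made up for this example.
POLICIES = [
    Route("GET", "/users/config", "block_all"),
    Route("ANY", "/users/*", "allow_all"),
    Route("DELETE", "/users/{id}", "entitlements",
          permissions=frozenset({"users.delete"}), features=frozenset({"user-management"})),
]

if __name__ == "__main__":
    print(decide(POLICIES, "GET", "/users/config"))     # specific BLOCK route wins
    print(decide(POLICIES, "POST", "/users/config"))    # only ANY /users/* matches
    print(decide(POLICIES, "DELETE", "/users/42"))      # entitlements missing
    print(decide(POLICIES, "DELETE", "/users/42", {"users.delete"}, {"user-management"}))
    print(decide(POLICIES, "DELETE", "/users/42", enforce=False))   # dry-run
```

Note that with the toggle modelled as `enforce=False` the function returns `allowed=True` for a request the policy would block; only the log line tells you so, which is exactly why the toggle should be checked before relying on these policies in production.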

Troubleshooting and common errors

You may encounter one of the following error messages. Here's how to solve them.

Error type     | Reason                         | Message
---------------|--------------------------------|------------------------------------------------------
Invalid path   | Wildcard in incorrect location | The asterisk must be at the end of the route
Invalid path   | Invalid characters             | Seems that the path contains some invalid characters
Duplicate path | Method + path already exists   | That method and path already exist