Grant Access to Team Members

In this guide, learn how to grant access to your projects and other resources to your team members.

To grant access to your team members, you’ll need to create a Policy for your Project and add the UUID of the users you want to get access to your resources. You also have to define at what level of privileges they can perform.

In this guide, we will be using the IAM service of Affinidi to define the policies required for our use case.

For our sample use case, we will grant Project access to a user and grant the user privilege to perform the retrieve and update Login Configurations operations. To do this, follow the step-by-step guide below.

Before you begin

Set up Affinidi Vault account. Follow the guide below if you haven’t set it up yet.

Set up Affinidi Vault

Set up an Affinidi Vault account using the web app or install the mobile app .

The same installation steps for mobile app.

Click on Start if you are creating a new account, or click on Restore from Backup if you have an existing backup of your Affinidi Vault.

Use this guide to learn how to migrate your existing Affinidi Vault account.

Secure your Vault by providing a passphrase. Use this passphrase to unlock your Vault.

Provide your Email Address to verify with OTP.

After successfully providing the OTP, you are redirected to your Affinidi Vault dashboard.

Vault Passphrase

Remember to keep your passphrase in a secure location since it cannot be retrieved if forgotten, even with your backup. If you forget it, you must setup a new Vault.

Install the Affinidi CLI. Follow the guide below if it hasn’t been installed.

Set up Affinidi CLI

Download and install NodeJS on your machine if you haven’t set it up yet.

Node Version

Affinidi CLI requires Node version 18 and above.

Install Affinidi CLI using Node Package Manager (npm).

npm install -g @affinidi/cli

Verify that the installation is successful.

affinidi --version

Get the sub of the user you want to grant access to your Project. To get this value, ask the user to login to Affinidi CLI and run the following command:

affinidi whoami

Ask the user to share the sub value from the resul of the command.

Note

If you want to grant access to a Personal Access Token (Machine User), use the Token ID found when creating a Token.

Create a Policy for the User

The first thing we have to do is generate the policy definition for the user we want to grant access to. To do this, run the following command:

affinidi iam add-principal --principal-id="<USER_SUB_ID>" --principal-type=user

Once you add the user as a principal, it creates a default policy with the following default definition:

{
  "version": "2022-12-15",
  "statement": [
    {
      "principal": [
        "<USER_SUB_ID>"
      ],
      "action": [
        ""
      ],
      "resource": [
        ""
      ],
      "effect": "Allow"
    }
  ]
}

Given the above policy, the action and resource property is empty; the user has no access privilege yet to perform any actions on any resources.

Define the Policy for the User

After creating the initial policy with limited privileges, we will have to update this policy to provide certain rights based on our use case.

Retrieve the Initial Policy Definition

To be able to start updating our policy, we will have to retrieve first the current policy definition, to do this, run the following command:

affinidi iam get-policies --principal-id="<USER_SUB_ID>" --principal-type=user > <PATH_TO_POLICY_FILE>

Since we are defining a policy for the user and not a Personal Access Token, we use the flag --principal-type with value of user.

Provide Access to a Project

Now that we have the policy definition, we have to update the policy definition of what Projects we want the user to access. To do this, we set the resource field in the definition.

{
  "version": "2022-12-15",
  "statement": [
    {
      "principal": [
        "<USER_SUB_ID>"
      ],
      "action": [
        ""
      ],
      "resource": [
        "*:<PROJECT_ID>:*"
      ],
      "effect": "Allow"
    }
  ]
}

You can specify the <PROJECT_ID> or set it to * if you want to grant access to your Projects.

You can get the Project IDs using either Affinidi Portal - List Projects or Affinidi CLI command:

affinidi project list-projects

Provide Access to Perform Actions

After setting the Projects you want the user to access, we have to define the actions the user can perform in your Project resources. To do this, please refer to this List of Available Actions that you can use.

We want to provide the user with a read and modify privilege for our use case. To do this, we define the actions field in the definition.

{
  "version": "2022-12-15",
  "statement": [
    {
      "principal": [
        "<PRINCIPAL_ID>"
      ],
      "action": [
        "vpa:listLoginConfigurations",
        "vpa:getLoginConfigurationsById",
        "vpa:updateLoginConfigurationsById"
      ],
      "resource": [
        "*:<PROJECT_ID>:*"
      ],
      "effect": "Allow"
    }
  ]
}

In the above definition, we are setting the actions to call the Login Configuration List, Get, and Update endpoint.

Update the IAM Policy for the User

After defining a new IAM Policy for the user, we will now update the Policy definition. To do this, run the following command:

affinidi iam update-policies --principal-id="<USER_SUB_ID>" --principal-type=user --file="<PATH_TO_POLICY_FILE>"

Once the update is successful, the user has access to your Project and can perform the specified actions to the resource.

Was this page helpful?

Glad to hear it! Please tell us how we can improve more.

Sorry to hear that. Please tell us how we can improve.

Thank you for sharing your feedback so we can improve your experience.