The Metacloud Identity service manages authentication and authorization. A trust is a Metacloud Identity extension that enables delegation and impersonation using
A trust extension defines a relationship between:
Trustor—The user delegating a limited set of their own rights to another user.
Trustee—The user trust is being delegated to, for a limited time.
The trust can enable the trustee to impersonate the trustor. To ensure security, if a trustor loses a given role, any trusts the user issued with that role, and the related tokens, are automatically revoked.
The delegation parameters are:
- User ID—The user IDs for the trustor and trustee.
- Privileges—The delegated privileges are a combination of a tenant ID and a number of roles that must be a subset of the roles assigned to the trustor. If you omit all privileges, nothing is delegated. You cannot delegate everything.
Delegation depth—Defines whether or not the delegation is recursive. If it is recursive, it defines the delegation chain length.
Specify one of the following values:
0—The delegate cannot delegate these permissions further.
1—The delegate can delegate the permissions to any set of delegates but the latter cannot delegate further.
inf—The delegation is infinitely recursive.
- Endpoints—A list of endpoints associated with the delegation. This parameter further restricts the delegation to the specified endpoints only. You must include endpoints or the delegation cannot be used. A value of
all_endpointsallows the trust to be used by all endpoints associated with the delegated tenant.
- Duration—(Optional) The start time and end time for the trust.