# Resource Sets

## Overview

Resource Sets are named AND-only tag selectors that let you scope an admin role assignment to a subset of resources, instead of granting a role over the entire directory.

A resource set defines a map of `key=value` tag pairs. Any resource (user, group, or application) whose tags contain all of those pairs is a member of the set. An empty selector matches every resource of that type.

**Example:** A resource set named `AWS Production` with selector `{"env": "prod", "cloud": "aws"}` includes every user, group, and application whose tags contain both `env=prod` and `cloud=aws`.
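The selector semantics above (AND-only, extra tags ignored, empty selector matches everything) in runnable form, as an added example that is not part of the JustIAM documentation or product code. The directory entries are constructed sample data, `unsatisfied_pairs` is a helper added here for explaining why a resource is excluded, and exact case-sensitive string comparison is an assumption (the page does not say how case is handled):

```python
from typing import Dict, List

Tags = Dict[str, str]

# Constructed sample directory entries (not real data). Each carries the
# {"id", "name"} shape of the "View included resources" response plus its tags.
USERS: List[dict] = [
    {"id": "u-1", "name": "alice@example.com", "tags": {"env": "prod", "cloud": "aws"}},
    {"id": "u-2", "name": "bob@example.com",   "tags": {"env": "prod", "cloud": "aws", "team": "platform"}},
    {"id": "u-3", "name": "carol@example.com", "tags": {"env": "prod", "cloud": "gcp"}},
    {"id": "u-4", "name": "dave@example.com",  "tags": {"env": "prod"}},
    {"id": "u-5", "name": "erin@example.com",  "tags": {}},
]

AWS_PROD_SELECTOR: Tags = {"env": "prod", "cloud": "aws"}


def matches(selector: Tags, tags: Tags) -> bool:
    """AND-only membership test.

    Every selector pair must be present in the resource's tags with the same
    value; extra tags on the resource are ignored, and an empty selector
    matches every resource. Comparison is an exact, case-sensitive string
    match (assumption: the page does not state how case is handled).
    """
    return all(tags.get(key) == value for key, value in selector.items())


def unsatisfied_pairs(selector: Tags, tags: Tags) -> Tags:
    """Return the selector pairs a resource fails to satisfy, which answers
    "why is this user not in the set?" during an access review."""
    return {key: value for key, value in selector.items() if tags.get(key) != value}


def included_resources(selector: Tags, resources: List[dict]) -> List[dict]:
    """Emulate 'View included resources': the {id, name} list of matching resources."""
    return [
        {"id": r["id"], "name": r["name"]}
        for r in resources
        if matches(selector, r.get("tags", {}))
    ]


if __name__ == "__main__":
    for entry in included_resources(AWS_PROD_SELECTOR, USERS):
        print("included:", entry)
    for user in USERS:
        gaps = unsatisfied_pairs(AWS_PROD_SELECTOR, user["tags"])
        if gaps:
            print(f"excluded: {user['name']} does not satisfy {gaps}")
```

Running it shows `u-1` and `u-2` as members (bob's extra `team` tag does not matter), while carol fails on `cloud`, dave lacks `cloud` entirely, and erin has no tags at all. Because the check is pure AND, there is no way to express "prod in aws OR gcp" in a single set; that needs two resource sets and two scoped assignments.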
## Required permissions

| Action | Permission |
|---|---|
| View resource sets | `resource_sets.view` |
| Create / edit / delete | `resource_sets.manage` |

The built-in `idp:admin` role has both permissions. `idp:viewer` has `resource_sets.view`.
## Managing resource sets

UI: **Directory → Resource Sets**

### Create a resource set

UI: Click **New resource set**, enter a name, an optional description, and one or more tag filters.

API:

```http
POST /api/v1/resource-sets
Authorization: Bearer <token>
Content-Type: application/json

{
  "name": "AWS Production",
  "description": "All production resources in AWS",
  "selector": {
    "env": "prod",
    "cloud": "aws"
  }
}
```
### Edit a resource set

UI: Click **⋯ → Edit** on a resource set row.

API:

```http
PUT /api/v1/resource-sets/{id}
Authorization: Bearer <token>
Content-Type: application/json

{
  "name": "AWS Production",
  "selector": { "env": "prod" }
}
```
### Delete a resource set

> **Warning:** Deleting a resource set also removes all scoped role assignments that reference it.

UI: Click **⋯ → Delete** on a row, or select multiple rows and use **Delete selected**.

API:
### View included resources

UI: Click **⋯ → View included resources** to open a modal that shows which users, groups, or applications currently match the selector. Use the tab toggle to switch between resource types.

API:

Valid `type` values: `users`, `groups`, `applications`.

Response: a JSON array of `{id, name}` objects:

```json
[
  { "id": "550e8400-...", "name": "alice@example.com" },
  { "id": "6ba7b810-...", "name": "bob@example.com" }
]
```
## Tagging resources

Tags are `key=value` string pairs attached to users, groups, or applications. They drive resource set membership.

### Set tags on a user

```http
PUT /api/v1/users/{id}/tags
Authorization: Bearer <token>
Content-Type: application/json

{ "tags": { "env": "prod", "cloud": "aws" } }
```

### Set tags on a group

```http
PUT /api/v1/groups/{id}/tags
Authorization: Bearer <token>
Content-Type: application/json

{ "tags": { "team": "platform" } }
```

### Set tags on an application

```http
PUT /api/v1/apps/{id}/tags
Authorization: Bearer <token>
Content-Type: application/json

{ "tags": { "env": "prod" } }
```

A `PUT` call replaces the entire tag map rather than merging with the existing tags. To clear all tags, send `{ "tags": {} }`.
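Because `PUT` replaces the whole map, a client that sends only the tag it wants to add silently drops every other tag and can change which resource sets the resource belongs to. The following added example (not JustIAM code) contrasts that mistake with a read-modify-write update against an in-memory stand-in for the tags API. It assumes a way to read the current tag map exists (this page documents only the `PUT`); the scenario data is constructed:

```python
from typing import Dict, Optional, Tuple

Tags = Dict[str, str]
Key = Tuple[str, str]  # (resource kind, resource id)


class InMemoryTagClient:
    """Offline stand-in for the tags API. A real client would send
    PUT /api/v1/{users|groups|apps}/{id}/tags with body {"tags": {...}} and
    read the current map first (assumption: a read endpoint for tags exists;
    this page documents only the PUT)."""

    def __init__(self, store: Dict[Key, Tags]):
        self.store = store

    def get_tags(self, kind: str, rid: str) -> Tags:
        return dict(self.store[(kind, rid)])

    def put_tags(self, kind: str, rid: str, tags: Tags) -> None:
        # Mirrors the documented semantics: PUT replaces the entire tag map.
        self.store[(kind, rid)] = dict(tags)


def naive_set_tag(client, kind: str, rid: str, key: str, value: str) -> Tags:
    """The mistake: sending only the pair being added. Because PUT replaces
    the whole map, every other tag on the resource is lost."""
    client.put_tags(kind, rid, {key: value})
    return client.get_tags(kind, rid)


def update_tags(client, kind: str, rid: str, changes: Dict[str, Optional[str]]) -> Tags:
    """Read-modify-write: start from the current map, apply the changes
    (a value of None deletes that key), then PUT the complete result."""
    tags = client.get_tags(kind, rid)
    for key, value in changes.items():
        if value is None:
            tags.pop(key, None)
        else:
            tags[key] = value
    client.put_tags(kind, rid, tags)
    return tags


def matches(selector: Tags, tags: Tags) -> bool:
    """AND-only resource set membership, as described in the Overview."""
    return all(tags.get(k) == v for k, v in selector.items())


AWS_PROD_SELECTOR: Tags = {"env": "prod", "cloud": "aws"}


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: a user starts inside the AWS Production set.
    Adding a team tag the naive way drops them out of the set; the merged
    update keeps them in. Returns (member after naive, member after merge)."""
    client = InMemoryTagClient({("users", "u-1"): {"env": "prod", "cloud": "aws"}})
    after_naive = naive_set_tag(client, "users", "u-1", "team", "platform")
    member_after_naive = matches(AWS_PROD_SELECTOR, after_naive)

    client = InMemoryTagClient({("users", "u-1"): {"env": "prod", "cloud": "aws"}})
    after_merge = update_tags(client, "users", "u-1", {"team": "platform"})
    member_after_merge = matches(AWS_PROD_SELECTOR, after_merge)
    return member_after_naive, member_after_merge


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind. A read-modify-write still races with a concurrent writer on the same resource, so for authoritative tag state it is simpler to declare the full map (the Terraform `tags` block below does exactly that). And since tags decide resource set membership, a tag write is effectively a change to the scope of every scoped role assignment that uses the set; treat tag-write permission accordingly and keep an audit trail of it.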
## Terraform

Resource sets and tags are fully manageable via the JustIAM Terraform provider.

```hcl
resource "justiam_resource_set" "prod" {
  name        = "AWS Production"
  description = "All production resources in AWS"
  selector = {
    env   = "prod"
    cloud = "aws"
  }
}

resource "justiam_user" "alice" {
  email      = "alice@example.com"
  first_name = "Alice"
  last_name  = "Smith"
  tags = {
    env   = "prod"
    cloud = "aws"
  }
}

resource "justiam_group" "platform" {
  name = "Platform Team"
  tags = {
    team = "platform"
  }
}

resource "justiam_application" "api" {
  name          = "Internal API"
  friendly_name = "Internal API"
  tags = {
    env = "prod"
  }
}
```
## Scoped role assignments

A scoped role assignment binds an admin role to a group, restricted to a specific resource set. Group members can then exercise the role's permissions only against resources that match the set's selector.

### Assign a scoped role to a group

UI: **Groups → ⋯ → Scoped Role Assignments** → select a role and a resource set → **Assign**.

API:

```http
POST /api/v1/groups/{id}/admin-roles
Authorization: Bearer <token>
Content-Type: application/json

{
  "admin_role_id": "<role-uuid>",
  "resource_set_id": "<resource-set-uuid>"
}
```

Omit `resource_set_id` for an unscoped (global) assignment.
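To make the authorization model concrete, here is an added example (not JustIAM code) of the decision a scoped assignment implies: an actor is allowed an action on a resource only if a role held through one of their groups grants the permission and the assignment is either unscoped or its resource set matches the resource's tags. It also models the cascade from the delete warning above. The role id, the permission names under it, the group ids, and the resource set id are all constructed fixtures; the page documents only `resource_sets.view` and `resource_sets.manage` as real permission names.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

Tags = Dict[str, str]


def matches(selector: Tags, tags: Tags) -> bool:
    """AND-only selector match from the Overview."""
    return all(tags.get(k) == v for k, v in selector.items())


@dataclass(frozen=True)
class ResourceSet:
    id: str
    name: str
    selector: Tags


@dataclass(frozen=True)
class RoleAssignment:
    """One POST /api/v1/groups/{id}/admin-roles body.
    resource_set_id None means unscoped (global)."""
    group_id: str
    admin_role_id: str
    resource_set_id: Optional[str] = None


# Constructed fixtures: hypothetical role id, permission names, group ids and
# resource set id. Only resource_sets.view / resource_sets.manage appear on the page.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "role-user-admin": {"users.view", "users.edit"},
}
RESOURCE_SETS: Dict[str, ResourceSet] = {
    "rs-aws-prod": ResourceSet("rs-aws-prod", "AWS Production", {"env": "prod", "cloud": "aws"}),
}
ASSIGNMENTS: List[RoleAssignment] = [
    RoleAssignment("g-platform", "role-user-admin", "rs-aws-prod"),  # scoped to AWS Production
    RoleAssignment("g-superadmins", "role-user-admin"),              # unscoped (global)
]


def is_allowed(actor_groups: Iterable[str], permission: str, target_tags: Tags,
               assignments: List[RoleAssignment], resource_sets: Dict[str, ResourceSet],
               role_permissions: Dict[str, Set[str]]) -> bool:
    """Allow only if some assignment reached through the actor's groups grants
    the permission and is either unscoped or scoped to a set the target matches.
    A scoped assignment whose resource set no longer exists fails closed."""
    groups = set(actor_groups)
    for a in assignments:
        if a.group_id not in groups:
            continue
        if permission not in role_permissions.get(a.admin_role_id, set()):
            continue
        if a.resource_set_id is None:
            return True
        rs = resource_sets.get(a.resource_set_id)
        if rs is not None and matches(rs.selector, target_tags):
            return True
    return False


def delete_resource_set(rs_id: str, resource_sets: Dict[str, ResourceSet],
                        assignments: List[RoleAssignment]) -> List[RoleAssignment]:
    """Model the documented cascade: deleting a set removes every scoped
    assignment that references it. Returns the surviving assignments."""
    resource_sets.pop(rs_id, None)
    return [a for a in assignments if a.resource_set_id != rs_id]


if __name__ == "__main__":
    aws_user = {"env": "prod", "cloud": "aws"}
    gcp_user = {"env": "prod", "cloud": "gcp"}
    print("platform on aws user:", is_allowed(["g-platform"], "users.edit", aws_user,
                                               ASSIGNMENTS, RESOURCE_SETS, ROLE_PERMISSIONS))
    print("platform on gcp user:", is_allowed(["g-platform"], "users.edit", gcp_user,
                                               ASSIGNMENTS, RESOURCE_SETS, ROLE_PERMISSIONS))
```

The check is deliberately fail-closed on two edges: a permission the role does not carry is denied even when the scope matches, and an assignment pointing at a deleted resource set grants nothing, which is consistent with the cascade that removes such assignments on delete. When reviewing who can administer a sensitive resource, enumerate both the unscoped assignments and every resource set whose selector the resource's tags satisfy.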