Authorization

Pre-Requisites:

  • Accounts

  • Security Profiles

  • Roles

Besides Authentication, TAG also supports Authorization via Account Roles. The two are linked: there is no Authorization without Authentication, so before any Role is validated, Authentication takes place as described in the previous section, using the [A] flag.

To validate roles, on the Routes screen, use the Add Permissions option. It expands a Permissions section at the bottom of the page, where one or more Roles can be added; they are validated when the RewriteRule directive matches.

When permissions are set up for a RewriteRule, Authentication takes place first, using the configured Security Profile. If Authentication succeeds, an Authorization check is then performed against the configured Roles. If Authorization succeeds, the route continues execution as expected. If Authorization fails, TAG immediately stops evaluating the rule set and returns HTTP status 403 Forbidden. Because Authentication always runs first, an unauthenticated request never reaches the Authorization check: a 403 from a route with Permissions means a successfully authenticated account that does not hold the required Roles.

The Route Authorization validation can check multiple Roles. They are evaluated in the order in which they are defined in the Permissions section. The Require setting controls how the individual results are combined. With ALL, every Role associated with the Route must validate successfully for the routing behavior to proceed. With ANY, a single Role from the list validating successfully is enough to pass Authorization.
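The Authentication-then-Authorization flow and the ALL/ANY combination described above, modelled as a small Python decision function. This is an added example for illustration and is not TAG's own code: the `Account`, `RoutePermissions`, `Decision` and `evaluate_route` names, the in-memory account directory standing in for a Security Profile, the short-circuit on the first deciding Role, and the choice to treat an empty Role list under ALL as a 403 (fail closed) are assumptions made here, not behaviour the page specifies.

```python
"""Model of TAG route Authorization (added example, not TAG code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset  # Roles the authenticated account holds


@dataclass
class RoutePermissions:
    roles: List[str]        # Roles in the order defined in the Permissions section
    require: str = "ALL"    # Require setting: "ALL" or "ANY"


@dataclass
class Decision:
    outcome: str                      # "continue", "authn_failed" or "forbidden"
    status: Optional[int]             # 403 when forbidden, None otherwise
    checked: List[str] = field(default_factory=list)  # Roles evaluated before deciding


def evaluate_route(authenticate: Callable[[dict], Optional[Account]],
                   request: dict,
                   perms: Optional[RoutePermissions]) -> Decision:
    # Authentication always runs first ([A] flag / Security Profile).
    account = authenticate(request)
    if account is None:
        # The failed-Authentication response belongs to the Security Profile
        # (previous section); this model only records that Authorization never ran.
        return Decision("authn_failed", None)
    if perms is None:
        # No "Add Permissions" on the rule: Authentication alone gates the route.
        return Decision("continue", None)
    if perms.require not in ("ALL", "ANY"):
        raise ValueError("Require must be ALL or ANY")

    checked: List[str] = []
    for role in perms.roles:              # evaluated in the defined order
        checked.append(role)
        has_role = role in account.roles
        if perms.require == "ANY" and has_role:
            return Decision("continue", None, checked)      # one match is enough
        if perms.require == "ALL" and not has_role:
            return Decision("forbidden", 403, checked)      # first miss decides
    # Whole list consumed: ALL means every Role matched, ANY means none did.
    if perms.require == "ALL" and perms.roles:
        return Decision("continue", None, checked)
    # Assumption: an empty Role list under ALL fails closed rather than open.
    return Decision("forbidden", 403, checked)


# Constructed sample directory standing in for a Security Profile's account store.
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", frozenset({"admin", "operator"})),
    "bob": Account("bob", frozenset({"operator"})),
}


def sample_authenticate(request: dict) -> Optional[Account]:
    # Constructed stand-in: the "user" key plays the role of validated credentials.
    return ACCOUNTS.get(request.get("user", ""))


def demo() -> Dict[str, Decision]:
    both_required = RoutePermissions(["admin", "operator"], "ALL")
    either_suffices = RoutePermissions(["admin", "operator"], "ANY")
    return {
        "alice_all": evaluate_route(sample_authenticate, {"user": "alice"}, both_required),
        "bob_all": evaluate_route(sample_authenticate, {"user": "bob"}, both_required),
        "bob_any": evaluate_route(sample_authenticate, {"user": "bob"}, either_suffices),
        "anonymous": evaluate_route(sample_authenticate, {}, either_suffices),
        "empty_all": evaluate_route(sample_authenticate, {"user": "alice"},
                                    RoutePermissions([], "ALL")),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:10s} -> {decision.outcome:13s} status={decision.status} "
              f"checked={decision.checked}")
```

The `checked` list shows why ordering matters when reading logs: under ALL, bob is rejected after the first Role (`admin`) without `operator` ever being tested, while under ANY the same account passes on the second Role. The `anonymous` case never produces a 403 because Authorization is not reached.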