Access Control

Access Control for GS2 API

GS2-Identifier is a mechanism to manage credentials (authentication information) and access privileges to access GS2 services.

Authority management for access to each service is performed for each GS2-Identifier user (hereinafter referred to as “user”).

GS2 assigns a security policy to each user, which defines what GS2 services the user can use.

GS2 uses the credentials to authenticate the accessing user and returns a project token. The game application/management tool uses this project token to access each service.

Detailed permission settings are defined in the security policy, which is assigned to each user.

Users

The following is an overview of the data structure a user has

class User {
  +userId
  +name
  :
}

class Identifier {
  +clientId
  +clientSecret
  :
}

class Password {
  +hashedPassword
  :
}

class AttachedSecurityPolicy {
  +securityPolicyId
  :
}

class SecurityPolicy {
  +policyDocument
  :
}

User "1" *-- "many" Identifier
User "1" --- "1" Password
User "1" *-- "<=10" AttachedSecurityPolicy
AttachedSecurityPolicy "1" -- "1" SecurityPolicy

note "Authentication information (credentials)\nInformation required to access each service's API" as IdentifierNote
Identifier .. IdentifierNote

note "Password Information to log in to \nthe Management Console as a sub-account" as PasswordNote
Password .. PasswordNote

note "User access privileges" as AttachedSecurityPolicyNote
AttachedSecurityPolicy .. AttachedSecurityPolicyNote

note "Permission settings" as SecurityPolicyNote
SecurityPolicy .. SecurityPolicyNote

Security Policy

The following policies have been predefined in the security policy.

Security Policy NameDescription
AdministratorAccessPermission to use all APIs
ApplicationAccessPermission to call only APIs that do not lead to cheating
DeliveryAccessPermission required for GS2-Distributor to perform resource overflow processing
UnauthenticatedAccessAuthority to perform only the processing (including login processing) necessary to perform version checks (GS2-Version).

AdministratorAccess policy is the authority to access all GS2 services.

The ApplicationAccess policy, which is intended to be embedded in a game application, is a policy that allows access to all GS2 services. The ApplicationAccess policy, which is assumed to be used in a game application, is set so that API calls that can manipulate the server leading to cheating are not allowed.

Security Policy Format

Security policies are written in JSON format.

Statements contain the Effect, Actions, and Resources elements. The * (asterisk) represents a wildcard.

The simplest security policy is shown in the example. This security policy says that all operations are allowed on all services and APIs. APIs.

{
  "Version": "2016-04-01",
  "Statements": [
    {
      "Actions": [
        "*"
      ],
      "Effect": "Allow",
      "Resources": [
        "*"
      ]
    }
  ]
}

Actions

The security policy shown in the example allows any operation on the GS2-Inbox service. The user assigned the security policy in this example has no access to any services other than GS2-Inbox.

The * (asterisk) represents a wildcard.

{
  "Version": "2016-04-01",
  "Statements": [
    {
      "Actions": [
        "Gs2Inbox:*"
      ],
      "Effect": "Allow",
      "Resources": [
        "*"
      ]
    }
  ]
}
Enumerating Actions

Actions can enumerate actions, specifications of methods that can or cannot be accessed and executed. Actions can be enumerated. Specify the methods listed in the reference for each service.

Put a : (colon) in between, e.g. [service name]:[method name].

To specify a service name, use Gs2Inbox without the - (hyphen), and the name of each service should be appended to Gs2, as in “Gs2Inbox”.

The method name should be SendMessage with the first letter capitalized (upper camelCase).

{
  "Version": "2016-04-01",
  "Statements": [
    {
      "Actions": [
        "Gs2Inbox:SendMessage",
        "Gs2Inbox:DescribeMessage",
        "Gs2Inbox:ReadMessage",
        "Gs2Inbox:DeleteMessage"
      ],
      "Effect": "Allow",
      "Resources": [
        "*"
      ]
    }
  ]
}

Effect

Specify whether access to the API is allowed or not in this policy.

Resources

This variable specifies the range of resources affected by this policy. Currently, only * (asterisk) can be specified.

Determine security policy

A user can assign up to 10 security policies. After processing with And for actions for which Allow is specified in Effect, the API can be called except for those processed with And for actions for which Deny is specified in Effect.

In other words, if both Allow and Deny are described, Deny takes precedence.