• Home
  • Integrations
  • SDKs
  • Guides
  • API docs
    No results for ""
    EXPAND ALL

    EDIT ON GITHUB

    Using resources

    Read time: 2 minutes
    Last edited: Jan 27, 2023

    Overview

    This topic explains how to specify different resources to use with custom roles, integrations access, and Relay Proxy access.

    To learn more about how resources are structured within custom role policies, read Custom role concepts.

    Understanding the resource specifier syntax

    LaunchDarkly uses a resource specifier syntax to name resources or collections of resources. This is a precise, flexible taxonomy that lets you identify and control any resource in your LaunchDarkly project.

    The pattern to specify a resource looks like this:

    resource-type/name;tag1,tag2

    The example above shows two tags separated by a comma. Tags are optional. If you don't need to use any tags, you can omit the semicolon (;) and all content following.

    In the example below, we create a resource that names all of the projects in an account:

    proj/*
    Syntax supports wildcards

    The resource syntax accepts globs and wildcards, so you can name collections of resources with *. You can also name a specific project by its ID.

    In the example below, we name a project by the default ID.

    proj/default

    You can name sets of resources down to the tag level.

    In the example below, we name all projects with the mobile tag.

    proj/*;mobile

    Scoping resources

    The term "scoping" refers to identifying resources in relation to other resources and the hierarchy of permissions that connects them.

    Resources can be scoped within parent resources. For example, metrics are scoped within a project, and feature flags are scoped within a project and environment.

    Name scoped resources by using the resource syntax structure depicted below:

    resource-type/name;tag1,tag2:resource-type/name;tag3,tag4,tag5

    In the following example, we name all feature flags across all environments:

    proj/*:env/*:flag/*

    In the example above, proj/*:includes all named projects in the list of results. env/*: includes all environments in the list of results. flag/*: includes all flags in the list of results. This example will return very broad results because of how comprehensive its permissions are.

    Resource types do not share permissions

    User permissions are specific to each resource type, and different types do not share or inherit permissions. For example, if you set user permissions for a project with the ID default using proj/default, the user does not have the same permissions for the project's environments unless you also set user permissions for proj/default:env/*.

    For a more refined example, we could name all feature flags whose keys start with ops_:

    proj/*:env/*:flag/ops_*

    Understanding resource types and scopes

    Here is a reference list of all the supported resources in LaunchDarkly and their scopes, ordered by written expression:

    Resource typeResource scopeWritten expression
    acctacct is a unique resource specifier representing modifications to your account itself.acct
    code-reference-repositorycode-reference-repository is a top-level resource.code-reference-repository/*
    experimentexperiment is a child of both a project and environments.proj/*:env/*:experiment/*
    integrationintegration is a top-level resource.integration/*
    membermember is a top-level resource.member/*
    tokentoken is a child resource of members.member/*:token/*
    projproj is a top-level resource.proj/*
    envenv is a child resource of projects.proj/*:env/*
    destinationdestination is a child of both a project and environments.proj/*:env/*:destination/*
    flagflag is a child of both a project and environments.proj/*:env/*:flag/*
    segmentsegment is a child of both a project and environments.proj/*:env/*:segment/*
    useruser is a child of both a project and environments.proj/*:env/*:user/*
    metricmetric is a child resource of projects.proj/*:metric/*
    relay-proxy-configrelay-proxy-config is a top-level resource.relay-proxy-config/*
    rolerole is a top-level resource.role/*
    service-tokenservice-token is a top-level resource.service-token/*
    teamteam is a top-level resource.team/*
    templatetemplate is a top-level resource.template/*
    webhookwebhook is a top-level resource.webhook/*

    For a list of all actions available to each resource, read Using actions.