Limited Mode (Web)

Limited Mode allows non-admin users to access a strictly scoped subset of OCI Policy Analysis web data.

This page is user/admin-facing guidance (what it enables and how to use it). For architecture and implementation context, see:

  • docs/source/context/project/CONTEXT_limited_mode.md


What Limited Mode Enables

Limited Mode provides:

  • Scoped web access for non-admin users.

  • Compartment-root-based visibility (root + descendants).

  • Optional identity-domain allow-list scoping for IAM entity detail views.

  • Server-enforced restrictions so API payload tampering cannot expand access.

It is designed for read-oriented scoped analysis, not full admin operations.


Roles

Admin

  • Authenticates with runtime admin key.

  • Can load/cache data and manage limited profiles.

  • Can access full/admin web surfaces.

Limited

  • Authenticates with an activated limited runtime key tied to a profile.

  • Can access only scoped analysis surfaces.

  • Cannot use admin/load/cache surfaces.

  • Can use simulation only when the limited profile uses policy_scope_mode=include_relevant_ancestors.


Scope Model

Limited access is defined by the active limited profile:

  • compartment_root_paths (one or more scoped roots)

  • policy_scope_mode:

    • strict_descendants

    • include_relevant_ancestors

  • allowed_identity_domains (IAM detail allow-list)

If allowed_identity_domains is empty, the allow-list is treated as deny-all rather than allow-all:

  • users/groups/dynamic-groups endpoints return empty results.


Authentication and Session Behavior

On successful limited login, session state includes:

  • auth_mode = "limited"

  • limited_key_hash

  • limited_scope (profile + scope metadata)

Limited keys are runtime-scoped:

  • Admin activates/deactivates keys at runtime.

  • Keys are not persisted as active across application restart.

  • Limited key login is tenancy-bound (key/profile tenancy mismatch is rejected).


What Limited Users Can Access

Limited users are routed to a simplified limited home experience and can use:

  • Policy Analysis

  • Users / Groups

  • Dynamic Groups

  • Resource Principals

  • Policy Simulation (Scoped), only when policy_scope_mode=include_relevant_ancestors


What Limited Users Cannot Access

Blocked for limited sessions:

  • Admin utility and admin-only pages

  • Data load/cache/index/admin route surfaces

  • Simulation surfaces when profile mode is strict_descendants

Prospective statements are read-only for limited sessions:

  • Limited users can view scoped prospective statements.

  • Limited users cannot create/edit/replace/validate prospective statements.

  • Prospective builder endpoints remain admin-only.


Backend Enforcement (Important)

Scope enforcement is done on the server, not just in navigation/UI.

  • Policy routes enforce compartment scoping.

  • IAM entity routes enforce domain allow-list filtering.

  • Simulation routes are additionally guarded by _require_simulation_access (include_relevant_ancestors required).

  • Prospective read route (GET /prospective/statements) is scope-filtered for limited users.

  • Prospective mutation routes remain admin-only.

  • Scope is taken from the server-held limited profile, not from the request, so a crafted payload that names out-of-scope compartments or domains does not broaden results (the extra scope is ignored or the request is blocked).
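The following is an added illustration of the scope rules from the Scope Model section and the server-side checks listed above; it is not the project's code. The LimitedProfile shape, the policy and entity dictionaries, and the compartment paths and domain names are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class LimitedProfile:                 # hypothetical shape, not the project's own class
    compartment_root_paths: list
    policy_scope_mode: str            # "strict_descendants" | "include_relevant_ancestors"
    allowed_identity_domains: list = field(default_factory=list)

def _segs(path):  # compare path segments, not string prefixes: "/x/a" must not match "/x/ab"
    return [s for s in path.split("/") if s]

def in_policy_scope(profile, compartment_path):
    # A policy is visible if its compartment is a scoped root or a descendant of one;
    # a proper ancestor of a root is visible only in include_relevant_ancestors mode.
    p = _segs(compartment_path)
    for root in profile.compartment_root_paths:
        r = _segs(root)
        if p[:len(r)] == r:
            return True
        if (profile.policy_scope_mode == "include_relevant_ancestors"
                and len(p) < len(r) and r[:len(p)] == p):
            return True
    return False

def filter_policies(profile, policies):
    # Scope comes from the server-held profile, never from the request payload,
    # so a crafted request naming a wider compartment cannot broaden the result.
    return [x for x in policies if in_policy_scope(profile, x["compartment_path"])]

def filter_iam_entities(profile, entities):
    # An empty allow-list means empty results, not "every domain".
    allowed = set(profile.allowed_identity_domains)
    return [e for e in entities if e["domain"] in allowed] if allowed else []

def simulation_allowed(profile):
    return profile.policy_scope_mode == "include_relevant_ancestors"

# Constructed sample data, not real tenancy content.
POLICIES = [{"name": "root-wide", "compartment_path": "/"},
            {"name": "team-a", "compartment_path": "/prod/team-a"},
            {"name": "team-a-app", "compartment_path": "/prod/team-a/app"},
            {"name": "team-b", "compartment_path": "/prod/team-b"}]
ENTITIES = [{"name": "alice", "domain": "Default"}, {"name": "bob", "domain": "Ops"}]

if __name__ == "__main__":
    strict = LimitedProfile(["/prod/team-a"], "strict_descendants", ["Default"])
    wide = LimitedProfile(["/prod/team-a"], "include_relevant_ancestors")
    print([x["name"] for x in filter_policies(strict, POLICIES)])  # ['team-a', 'team-a-app']
    print([x["name"] for x in filter_policies(wide, POLICIES)])    # ['root-wide', 'team-a', 'team-a-app']
    print(filter_iam_entities(wide, ENTITIES), simulation_allowed(strict))  # [] False
```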


Admin Usage: Managing Limited Profiles

Admins manage limited profiles in the limited-management/admin utility surface.

Typical tasks:

  1. Create/edit profile scope (label, compartment root, domains, mode).

  2. Activate/generate runtime limited key.

  3. Share key with limited user securely.

  4. Deactivate key when no longer needed.


Verification and Testing Notes

Route and behavior tests are implemented for limited-mode route handling, including tenancy mismatch, blocked-route behavior, and empty-domain filtering.

Primary test file:

  • src/test/test_web_limited_mode_routes.py