Access Control

Visualize permissions, discover APIs, track lineage, and use templates for FlowGenX access management

FlowGenX provides advanced access control tools to visualize permissions, discover APIs, track access lineage, and apply pre-configured templates for common security scenarios.

Overview

Visual Access Management

Comprehensive tools for managing API access permissions with visual matrix, catalog discovery, lineage tracking, and reusable templates.

The access control system includes four main tools:

  1. Access Matrix: Visual permission grid showing consumer-route relationships
  2. API Catalog: Discover and manage API endpoints across your services
  3. API Lineage: Track which groups and consumers access specific routes
  4. Templates: Pre-configured access patterns for common use cases

Access Matrix

The Access Matrix provides a visual grid showing which consumers have access to which API routes, with the ability to grant or revoke access directly.

Features

Interactive Permission Grid

Click on any cell in the matrix to instantly grant or revoke access for a consumer to a specific route.

Capabilities:

  • Visual Overview: See all permissions at a glance
  • Quick Toggle: Click to grant/revoke access
  • Search & Filter: Find specific consumers or routes
  • Protected Routes: Highlight security-critical endpoints
  • CSV Export: Download permission matrix for auditing
  • Real-time Updates: Changes apply immediately

Using the Access Matrix

Step 1: Navigate to Access Matrix

  1. Go to ACL Management → Access Control → Access Matrix
  2. View the permission grid with:
    • Rows: Consumers
    • Columns: API Routes
    • Cells: Green checkmark (has access) or red X (no access)

Step 2: Search and Filter

| Filter | Description |
| --- | --- |
| Search Bar | Filter by consumer username or route path |
| Protected Routes Only | Show only security-critical routes |
| Environment | Filter by deployment environment |

Step 3: Grant/Revoke Access

  1. Locate the consumer (row) and route (column)
  2. Click the cell intersection
  3. Access is toggled instantly:
    • ✓ Green: Access granted
    • ✗ Red: Access revoked
  4. Changes sync to Kong API Gateway immediately

Matrix Statistics

The dashboard displays:

| Metric | Description |
| --- | --- |
| Total Consumers | Number of API consumers |
| Total Routes | Number of API routes |
| Protected Routes | Routes marked as security-critical |
| Access Grants | Total active permissions |

Viewing Details

Consumer Details:

  • Click consumer name to view profile
  • See all routes the consumer can access
  • Review group memberships

Route Details:

  • Click route name to view details
  • See all consumers with access
  • Check HTTP methods allowed
  • Review protection status

Exporting Data

CSV Export:

  1. Click Export button
  2. Matrix downloads as CSV file
  3. Format:
    Consumer, Route1, Route2, Route3...
    user-1,   Yes,    No,     Yes
    user-2,   No,     Yes,    Yes

Use cases:

  • Compliance audits
  • Permission reviews
  • Documentation
  • Offline analysis
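
An added example (not part of the FlowGenX documentation or product): a Python sketch that parses two monthly exports in the CSV layout shown above, reports grants added or removed between them, and lists which consumers reach a protected route. The route column names, the sample rows and the PROTECTED set are constructed; the layout shown above carries no protection flag, so the auditor supplies that list.

```python
import csv
import io

# Constructed sample exports in the layout shown above (route names are assumptions).
LAST_MONTH = """Consumer, /api/users, /api/orders, /admin/keys
mobile-app,      Yes, No,  No
web-frontend,    Yes, Yes, No
admin-dashboard, Yes, Yes, Yes
"""
THIS_MONTH = """Consumer, /api/users, /api/orders, /admin/keys
mobile-app,      Yes, No,  Yes
web-frontend,    Yes, No,  No
admin-dashboard, Yes, Yes, Yes
"""
PROTECTED = {"/admin/keys"}  # supplied by the auditor; not part of the CSV


def parse_matrix(text):
    """Return {consumer: set of granted routes} from an exported matrix."""
    rows = csv.reader(io.StringIO(text.strip()), skipinitialspace=True)
    header = [h.strip() for h in next(rows)]
    grants = {}
    for row in rows:
        cells = [c.strip() for c in row]
        if len(cells) != len(header):
            raise ValueError(f"malformed row: {row!r}")
        if any(c.lower() not in ("yes", "no") for c in cells[1:]):
            raise ValueError(f"unexpected cell value in row: {row!r}")
        grants[cells[0]] = {r for r, c in zip(header[1:], cells[1:]) if c.lower() == "yes"}
    return grants


def diff_grants(old, new):
    """Return (added, removed) sets of (consumer, route) between two exports."""
    def flat(m):
        return {(c, r) for c, routes in m.items() for r in routes}
    return flat(new) - flat(old), flat(old) - flat(new)


def protected_exposure(grants, protected):
    """Return {protected route: sorted consumers that can reach it}."""
    return {p: sorted(c for c, routes in grants.items() if p in routes)
            for p in sorted(protected)}


if __name__ == "__main__":
    old, new = parse_matrix(LAST_MONTH), parse_matrix(THIS_MONTH)
    added, removed = diff_grants(old, new)
    print("newly granted:", sorted(added))
    print("revoked:", sorted(removed))
    print("protected exposure:", protected_exposure(new, PROTECTED))
```

The parser rejects rows with a wrong cell count or a value other than Yes/No, so a truncated or hand-edited export fails loudly instead of being read as "no access".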

Best Practices

  ✓ Review the matrix regularly for over-permissioned consumers
  ✓ Use protected route filter to audit critical endpoints
  ✓ Export matrix monthly for compliance records
  ✓ Search by consumer to review individual access
  ✓ Revoke unnecessary permissions immediately
  ✓ Document permission changes in audit logs


API Catalog

The API Catalog provides a comprehensive view of all API endpoints across your services, making it easy to discover, browse, and manage routes.

Features

API Discovery & Management

Browse all API endpoints, view details, and add routes to ACL groups for access control.

Capabilities:

  • API Discovery: Browse all services and endpoints
  • Hierarchical View: Organize by API or view all endpoints
  • Endpoint Details: View path, method, description
  • Bulk Selection: Select multiple endpoints at once
  • Add to Groups: Grant access by adding routes to groups
  • Group Associations: See which groups already have access
  • Method Filtering: Filter by HTTP method (GET, POST, etc.)
  • Search: Find endpoints by path or name

View Modes

The catalog supports three view modes:

| Mode | Description | Best For |
| --- | --- | --- |
| By API | Group endpoints under their parent API | Organized browsing |
| By Endpoint | Flat list of all endpoints | Quick searching |
| Flat | Simple list view | Bulk operations |

Browsing the Catalog

Step 1: Navigate to API Catalog

  1. Go to ACL Management → Access Control → API Catalog
  2. View all APIs and their endpoints

Step 2: Filter and Search

Use filters to narrow down results:

  • Search: Enter endpoint path or API name
  • View Mode: Switch between By API, By Endpoint, or Flat
  • HTTP Method: Filter by GET, POST, PUT, DELETE, PATCH
  • Status: Active or inactive APIs
  • Environment: Filter by deployment environment

Step 3: Browse Endpoints

In By API view:

  1. Click API name to expand
  2. View all endpoints under that API
  3. See HTTP method, path, and description
  4. Check which groups have access (badge indicators)

Adding Routes to Groups

Bulk Permission Assignment

Select multiple endpoints and add them all to a group at once for efficient permission management.

Step 1: Select Endpoints

  • Individual Selection: Check boxes next to specific endpoints
  • API Selection: Check API box to select all endpoints (with wildcard)
  • Wildcard Suffix: Choose ** (all sub-paths) or * (exact match)

Step 2: Add to Group

  1. Click Add Selected to Group button
  2. Modal opens showing:
    • Selected endpoints count
    • List of selected routes
  3. Choose target group from dropdown
  4. Filter groups by environment if needed
  5. Click Add to Group

Step 3: Confirm

  • Selected routes are added to group's allowed routes
  • All consumers in that group gain access
  • Changes sync to gateway immediately

Endpoint Details

Click any endpoint to view details:

Endpoint Information:

  • Full path with wildcards
  • HTTP methods supported
  • API parent
  • Description
  • Status (active/inactive)

Access Information:

  • Groups with access (badges)
  • Total consumers with access
  • Protection level

Actions:

  • Copy path to clipboard
  • Add to group
  • View in API documentation

Catalog Statistics

Dashboard displays:

| Metric | Description |
| --- | --- |
| Total APIs | Number of API services |
| Total Endpoints | Number of endpoints across all APIs |
| Active APIs | Currently active services |
| Methods Distribution | Breakdown by HTTP method (GET, POST, etc.) |

Best Practices

  ✓ Use By API view for organized browsing
  ✓ Use search for finding specific endpoints
  ✓ Select entire APIs with wildcards for broad access
  ✓ Select individual endpoints for fine-grained control
  ✓ Review group associations before adding routes
  ✓ Document endpoint purposes in descriptions
  ✓ Keep API metadata up to date


API Lineage & Access Tracking

API Lineage visualizes which groups and consumers have access to specific routes, providing complete traceability of permissions.

Features

Permission Traceability

Track the complete chain from route to group to consumer, understanding exactly who has access and why.

Capabilities:

  • Route-Centric View: Start with a route and see all access
  • Group Associations: Which groups grant access
  • Consumer List: All consumers via those groups
  • Access Type: Allowed or denied routes
  • Expandable Cards: Drill down into details
  • Revoke Access: Remove consumers from groups
  • Environment Filtering: Isolate by deployment stage

Understanding Lineage

The lineage chain works as follows:

Route → Groups with Access → Consumers in Those Groups

Example:

/api/users (GET)
  ├─ Group: api-readers
  │   ├─ Consumer: mobile-app
  │   └─ Consumer: web-frontend
  └─ Group: admin-access
      └─ Consumer: admin-dashboard

Using API Lineage

Step 1: Navigate to API Lineage

  1. Go to ACL Management → Access Control → API Lineage
  2. View list of all routes with access controls

Step 2: Filter Routes

| Filter | Description |
| --- | --- |
| Search | Find routes by path |
| HTTP Method | Filter by GET, POST, PUT, DELETE, PATCH |
| Access Type | Allowed routes, Denied routes, or All |
| Environment | Filter by deployment environment |

Step 3: Expand Route Details

  1. Click on any route card to expand
  2. View sections:
    • Route Information: Path, method, access type
    • Groups with Access: All groups that grant this route
    • Consumers: All consumers via those groups

Route Card Structure

Each route card shows:

Header:

  • HTTP method badge (GET, POST, etc.)
  • Route path
  • Access type (Allowed/Denied)
  • Group count

Expanded View:

Groups Section:

  • Group names
  • Group display names
  • Number of consumers per group
  • Click to view group details

Consumers Section:

  • Consumer username
  • Consumer display name
  • Department (if set)
  • Email (if set)
  • Which group grants access
  • Actions:
    • View consumer details
    • Revoke access from group

Revoking Access

To remove a consumer's access to a route:

  1. Expand the route card
  2. Find the consumer in the list
  3. Click Revoke next to their group assignment
  4. Confirm the action
  5. Consumer is removed from that group
  6. They lose access to all routes granted by that group

Group Removal Impact

Removing a consumer from a group removes access to ALL routes granted by that group, not just the current route.
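
An added example (not FlowGenX code): a Python model of the Route → Groups → Consumers chain that previews what a group revoke changes before it is confirmed. It assumes a consumer's access is the union of the allowed routes of its groups and ignores denied routes; the /api/users chain comes from the example above, while the orders-team group and the other routes are constructed.

```python
# Constructed data. Only the GET /api/users chain is taken from the page's example.
GROUP_ROUTES = {
    "api-readers": {"GET /api/users", "GET /api/orders"},
    "admin-access": {"GET /api/users", "DELETE /api/users"},
    "orders-team": {"GET /api/orders"},
}
GROUP_CONSUMERS = {
    "api-readers": {"mobile-app", "web-frontend"},
    "admin-access": {"admin-dashboard"},
    "orders-team": {"web-frontend"},
}


def lineage(route, group_routes, group_consumers):
    """Route -> {group granting it: sorted consumers in that group}."""
    return {g: sorted(group_consumers.get(g, ()))
            for g, routes in group_routes.items() if route in routes}


def effective_routes(consumer, group_routes, group_consumers, skip_group=None):
    """Union of allowed routes over the consumer's groups, optionally minus one group."""
    routes = set()
    for group, members in group_consumers.items():
        if consumer in members and group != skip_group:
            routes |= group_routes.get(group, set())
    return routes


def revoke_impact(consumer, group, group_routes, group_consumers):
    """Preview a revoke: routes lost, and routes of that group still reachable elsewhere."""
    if consumer not in group_consumers.get(group, set()):
        raise ValueError(f"{consumer} is not a member of {group}")
    before = effective_routes(consumer, group_routes, group_consumers)
    after = effective_routes(consumer, group_routes, group_consumers, skip_group=group)
    return {
        "lost": sorted(before - after),
        "still_granted_by_other_groups": sorted(group_routes[group] & after),
    }


if __name__ == "__main__":
    print(lineage("GET /api/users", GROUP_ROUTES, GROUP_CONSUMERS))
    for consumer in ("mobile-app", "web-frontend"):
        print(consumer, revoke_impact(consumer, "api-readers", GROUP_ROUTES, GROUP_CONSUMERS))
```

A non-empty still_granted_by_other_groups list means the revoke does not remove that route from the consumer, so the remaining grant has to be reviewed on its own.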

Use Cases

Security Audits:

  • Review who has access to sensitive routes
  • Identify over-permissioned consumers
  • Track access to compliance-critical endpoints

Troubleshooting:

  • Understand why a consumer has access
  • Find which group grants specific permissions
  • Trace access inheritance chains

Documentation:

  • Document permission structures
  • Generate access reports
  • Explain access policies to stakeholders

Best Practices

  ✓ Review lineage for sensitive routes regularly
  ✓ Use search to quickly find specific routes
  ✓ Filter by access type to focus on allowed or denied
  ✓ Document group purposes in descriptions
  ✓ Revoke access through lineage for clear traceability
  ✓ Export lineage data for compliance documentation


Access Templates

Templates provide pre-configured access patterns for common use cases, making it easy to apply consistent permissions across groups.

Features

Reusable Access Patterns

Create, manage, and apply pre-configured permission sets for security, compliance, and operational scenarios.

Capabilities:

  • Pre-configured Templates: Built-in templates for common scenarios
  • Custom Templates: Create your own templates
  • Template Categories: Security, Compliance, Operational, Custom
  • Apply to Groups: Quickly configure groups using templates
  • Clone Templates: Duplicate and modify existing templates
  • Export/Import: Share templates across environments
  • Version Control: Track template changes

Template Categories

| Category | Description | Examples |
| --- | --- | --- |
| Security | High-security access patterns | Read-only access, admin-only routes |
| Compliance | Regulatory requirement templates | GDPR-compliant, HIPAA-secure, PCI-restricted |
| Operational | Common operational patterns | Monitoring access, deployment permissions |
| Custom | User-created templates | Team-specific, project-specific |

Creating a Template

Step 1: Open Create Modal

  1. Go to ACL Management → Access Control → Templates
  2. Click Create Template
  3. Template creation modal opens

Step 2: Configure Template

| Field | Description | Required |
| --- | --- | --- |
| Name | Lowercase alphanumeric identifier | Yes |
| Display Name | Human-readable name | Yes |
| Description | Template purpose and usage | No |
| Category | Security, Compliance, Operational, Custom | Yes |
| Groups | Pre-configured group settings | No |

Step 3: Define Permissions

Configure the access pattern:

Route Permissions:

  • Add allowed routes with wildcards
  • Add denied routes
  • Specify HTTP methods per route

Service Permissions:

  • Add allowed services
  • Add denied services

Restrictions:

  • IP restrictions (optional)
  • Time restrictions (optional)

Step 4: Save Template

  1. Review configuration
  2. Click Create Template
  3. Template is saved and ready to use

Using Templates

Apply Template to Group:

  1. Select a template from the list
  2. Click Apply button
  3. Choose target group from dropdown
  4. Click Apply Template
  5. Group configuration is updated with template settings

Preview Template:

  1. Click Preview on any template
  2. Modal shows:
    • Template details
    • Configured routes
    • Configured services
    • Restrictions (if any)
  3. Review before applying

Managing Templates

Clone Template:

  1. Click Clone on existing template
  2. Enter new template name
  3. Template is duplicated
  4. Edit the clone as needed

Export Template:

  1. Click Export on template
  2. JSON file downloads
  3. Share with team or save for backup

Import Template:

  1. Click Import button
  2. Select JSON file
  3. Template is created
  4. Review and apply as needed

Delete Template:

  1. Click Delete on template
  2. Confirm deletion
  3. Template is removed (cannot be undone)

Built-in Templates

FlowGenX includes several pre-configured templates:

Read-Only Access:

  • Only GET requests allowed
  • No POST, PUT, DELETE, PATCH
  • Safe for external partners

Admin Full Access:

  • All HTTP methods
  • All routes
  • No restrictions
  • For administrative users

Monitoring Access:

  • Read-only on monitoring endpoints
  • /health, /metrics, /status
  • For monitoring tools

API Consumer:

  • Standard API access
  • Common CRUD operations
  • Rate limited

Template Statistics

View template usage metrics:

| Metric | Description |
| --- | --- |
| Total Templates | Number of available templates |
| Active Templates | Currently in use |
| By Category | Breakdown by security, compliance, operational |
| Most Used | Template with highest usage count |

Best Practices

  ✓ Create templates for repeated access patterns
  ✓ Use descriptive names and descriptions
  ✓ Document template purposes clearly
  ✓ Test templates in development before production
  ✓ Version control template changes
  ✓ Export templates for backup
  ✓ Review template usage periodically
  ✓ Delete unused templates to reduce clutter


Common Workflows

Onboarding a New Consumer

  1. Create Consumer in Tenant Management
  2. Check API Catalog to find required endpoints
  3. Apply Template (if standard pattern exists)
  4. OR Add Routes from catalog to group
  5. Verify Access in Access Matrix
  6. Review Lineage to confirm permissions

Reviewing Security for a Route

  1. Search Route in API Lineage
  2. Expand Card to see all access
  3. Review Groups with access
  4. Check Consumers via those groups
  5. Revoke Access if over-permissioned
  6. Export Matrix for documentation

Setting Up Team Access

  1. Create Group for team in Tenant Management
  2. Browse API Catalog for required endpoints
  3. Select Endpoints team needs
  4. Add to Group in bulk
  5. Add Consumers to group
  6. Verify Matrix shows correct access

Compliance Audit

  1. Export Access Matrix as CSV
  2. Review API Lineage for sensitive routes
  3. Check Templates used for compliance
  4. Generate Reports from Compliance section
  5. Document Findings from lineage tracking

Troubleshooting

Matrix Not Loading

Issue: Access matrix fails to load or shows errors

Solutions:

  1. Check backend service health
  2. Verify tenant ID is correct
  3. Refresh the page
  4. Check browser console for errors
  5. Ensure you have permissions to view matrix

Cannot Toggle Access

Issue: Clicking matrix cells doesn't grant/revoke access

Solutions:

  1. Verify you have admin permissions
  2. Check if consumer/route is active
  3. Ensure Kong gateway is synced
  4. Check for group-level denials
  5. Review browser network tab for API errors

Lineage Not Showing Consumers

Issue: Route card shows groups but no consumers

Solutions:

  1. Expand the groups section fully
  2. Check if consumers are assigned to those groups
  3. Verify environment filter matches
  4. Refresh the lineage view
  5. Check if consumers are active

Template Apply Failed

Issue: Cannot apply template to group

Solutions:

  1. Verify template is active
  2. Check group exists and is active
  3. Ensure no conflicting permissions
  4. Review template configuration
  5. Check backend logs for errors

Catalog Endpoints Missing

Issue: API Catalog doesn't show all endpoints

Solutions:

  1. Refresh catalog data
  2. Check environment filter
  3. Verify APIs are properly registered
  4. Ensure endpoints are marked as active
  5. Check API metadata is complete
