# Resource Scoping
Understand how resources are scoped in ARSAKA PUGUH.

## Scoping Model
PUGUH uses a two-level scoping model:
```plaintext
Organization
└── Application
    ├── Webhooks
    ├── Storage (Files)
    ├── API Keys
    └── Members
```

## Scope Types
### Organization Scope
Resources shared by every application in the organization:
- Users & Roles: members belong to the organization
- Billing & Subscription: one plan per organization
- Audit Log: event history for the whole organization
- Settings: organization preferences and policies
```typescript
// List all members in the organization
const members = await client.organizations.listMembers(orgId);

// View organization-wide audit trail
const audit = await client.control.listAudit({ page: 1, limit: 50 });
```

### Application Scope
Resources isolated within a specific application:
- Webhooks: each application has its own webhook endpoints
- Storage: files are isolated per application
- API Keys: created per application for integrations
- Members: users can be assigned to specific applications
```typescript
// Create a webhook scoped to an application
const webhook = await client.webhooks.create({
  url: 'https://your-app.com/webhook',
  eventTypes: ['user.registered'],
  applicationId: 'app-uuid',
});

// List webhooks for a specific application
const webhooks = await client.webhooks.list({ applicationId: 'app-uuid' });
```

## Resource Scoping Rules
| Resource | Scope | Notes |
|---|---|---|
| User | Organization | Members belong to the org and can be assigned to apps |
| Role | Organization | Owner, Admin, Member, Viewer |
| Application | Organization | Created within an organization |
| Webhook | Application | Isolated per application |
| Storage | Application | Files isolated per application |
| API Key | Application | One key per application |
| Audit Log | Both | Can be filtered by application |
| Billing | Organization | One subscription per organization |
## Application Isolation
Applications provide resource isolation within an organization. This is useful for separating environments or teams:
```plaintext
Organization: Acme Corp
├── Application: production
│   ├── Webhooks → HTTPS only, strict validation
│   ├── Storage → encrypted, access controls
│   └── API Key → used in production servers
├── Application: staging
│   ├── Webhooks → test endpoints
│   ├── Storage → relaxed limits
│   └── API Key → used in CI/CD
└── Application: development
    ├── Webhooks → localhost allowed
    ├── Storage → public access
    └── API Key → used locally
```

## Scope Inheritance
### Users & Permissions
- A user's permissions are inherited from their organization role
- An organization Admin can manage every application
- Member assignment at the application level further restricts access
- The organization Owner has full access to everything
### Webhooks
- Webhooks are always scoped per application
- Events from one application never trigger webhooks in another application
- Each webhook has its own secret for signature verification
### Audit Trail
- All actions are recorded at the organization level
- Audit entries include `application_id` where applicable
- Filter by application to see application-specific events
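The inheritance rules above, modelled as plain functions over constructed data so they can be checked offline. This is an added example, not PUGUH SDK code; the role names and `application_id` field come from this page, while the ids and the shape of the records are assumptions.

```typescript
// Added example (not PUGUH SDK code): models the scope-inheritance rules
// from this page with constructed data. Record shapes and ids are assumed.
type OrgRole = 'Owner' | 'Admin' | 'Member' | 'Viewer';

interface Member { userId: string; role: OrgRole; applicationIds: string[] }
interface Webhook { id: string; applicationId: string; eventTypes: string[] }
interface AuditEntry { action: string; application_id?: string }

// Owner and Admin inherit access to every application from their
// organization role; Member and Viewer need an explicit app assignment.
function canAccessApplication(m: Member, applicationId: string): boolean {
  if (m.role === 'Owner' || m.role === 'Admin') return true;
  return m.applicationIds.includes(applicationId);
}

// Webhooks are scoped per application: only hooks registered for the
// application that emitted the event (and subscribed to its type) match.
function webhooksForEvent(
  hooks: Webhook[], applicationId: string, eventType: string,
): Webhook[] {
  return hooks.filter(
    (h) => h.applicationId === applicationId && h.eventTypes.includes(eventType),
  );
}

// Audit is recorded organization-wide; an application-specific view is a
// filter on application_id (entries without it are org-level actions).
function auditForApplication(entries: AuditEntry[], applicationId: string): AuditEntry[] {
  return entries.filter((e) => e.application_id === applicationId);
}

// Constructed sample data (hypothetical ids).
const members: Member[] = [
  { userId: 'u-owner', role: 'Owner', applicationIds: [] },
  { userId: 'u-dev', role: 'Member', applicationIds: ['app-development'] },
];
const hooks: Webhook[] = [
  { id: 'wh-prod', applicationId: 'app-production', eventTypes: ['user.registered'] },
  { id: 'wh-stg', applicationId: 'app-staging', eventTypes: ['user.registered'] },
];
const auditLog: AuditEntry[] = [
  { action: 'user.role_changed' },
  { action: 'webhook.created', application_id: 'app-production' },
  { action: 'webhook.deleted', application_id: 'app-staging' },
];
```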
## Configuration Patterns

### Pattern 1: Environment Separation
Use applications to separate deployment environments:

```typescript
// Create environment-specific applications
const prod = await client.applications.create({
  name: 'Production',
  slug: 'production',
});

const staging = await client.applications.create({
  name: 'Staging',
  slug: 'staging',
});

// Each gets its own webhooks, storage, and API keys
await client.webhooks.create({
  url: 'https://prod.example.com/webhook',
  applicationId: prod.id,
  eventTypes: ['user.registered', 'billing.payment_succeeded'],
});
```

### Pattern 2: Team Isolation
Use applications to isolate resources between teams:

```typescript
// Marketing team application
const marketing = await client.applications.create({
  name: 'Marketing Portal',
  slug: 'marketing',
});

// Engineering team application
const engineering = await client.applications.create({
  name: 'Engineering Tools',
  slug: 'engineering',
});

// Add team members to their respective applications
await client.applications.addMember(marketing.id, { userId: marketerId });
await client.applications.addMember(engineering.id, { userId: engineerId });
```

### Pattern 3: Multi-Product
Use applications for different products within one organization:

```typescript
// One organization, multiple products
const mobileApp = await client.applications.create({
  name: 'Mobile App',
  slug: 'mobile',
});

const webApp = await client.applications.create({
  name: 'Web Dashboard',
  slug: 'web',
});

// Each product has its own webhook integrations
await client.webhooks.create({
  url: 'https://mobile-api.example.com/events',
  applicationId: mobileApp.id,
  eventTypes: ['user.registered'],
});
```

## Best Practices
### 1. Define Clear Scope Boundaries
Document what belongs at the organization level versus the application level:

| Resource Type | Scope | Reason |
|---|---|---|
| Team members | Organization | Company-wide identity |
| Webhooks | Application | Environment-specific endpoints |
| File storage | Application | Isolated per environment/product |
| Billing | Organization | One subscription covers all apps |
### 2. Use Descriptive Application Names
Name applications clearly so their purpose is easy to understand:

```plaintext
Good: "Production API", "Staging", "Mobile App"
Bad: "App 1", "Test", "New"
```

### 3. Audit Across Scopes
Review activity at both levels regularly:

```typescript
// Organization-wide audit
const orgAudit = await client.control.listAudit({
  actions: ['user.role_changed', 'organization.settings_updated'],
});

// Application-specific audit
const appAudit = await client.control.listAudit({
  applicationId: 'app-uuid',
  actions: ['webhook.created', 'webhook.deleted'],
});
```

### 4. Manage Access Per Application
Restrict who can access each application:
- Add only the relevant team members to each application
- The production application should have fewer members
- The development application can be more permissive