# Security templates

The Security templates ensure that only authorized users or apps can upload, download, or list files, with optional limits like time, IP address, or session length.

They are used to generate **SASS Keys**, which are ***temporary*** API access keys with configurable permissions and restrictions. Please refer to our [official API documentation](https://developers.scaleflex.com/#cdc2db95-6e17-4694-b850-12320f0f2f34) for steps on generating a SASS Key.

{% hint style="info" %}
The Security template's Secret Key cannot be used directly in API calls — generate a SASS Key first.
{% endhint %}

The Security Templates are accessible from [Settings > Project > Access (page) > Security template (tab)](https://hub.filerobot.com/settings/project/access/security-templates).

### Create a security template <a href="#create-a-security-template" id="create-a-security-template"></a>

Security Templates can be created with the *+Add Template* button by entering the following information:

#### **Description**

Used to identify the security template.

#### **Permissions**

Used to define what users can / can't do with the assets. Permissions are selected from the list:

| API Permission             | Description                          |
| -------------------------- | ------------------------------------ |
| `OBJECTS_LIST`             | List assets                          |
| `OBJECTS_FETCH`            | Fetch assets                         |
| `FILE_UPLOAD`              | Upload file                          |
| `FILE_META_CREATE`         | Create file metadata                 |
| `FILE_META_CHANGE`         | Update file metadata                 |
| `FILE_RENAME`              | Rename file                          |
| `FILE_MOVE`                | Move file                            |
| `FILE_DELETE`              | Delete file                          |
| `FILE_SET_VISIBILITY`      | Set file visibility                  |
| `FILE_LABEL_CHANGE`        | Update file labels                   |
| `FILE_IMAGE_EDITOR`        | Edit file                            |
| `DIR_CREATE`               | Create directory                     |
| `DIR_RENAME`               | Rename directory                     |
| `DIR_META_CHANGE`          | Create and update directory metadata |
| `DIR_MOVE`                 | Move directory                       |
| `DIR_DELETE`               | Delete directory                     |
| `DIR_SET_VISIBILITY`       | Set directory visibility             |
| `CONFIG_CHANGE`            | Change container configuration       |
| `CONFIG_LIST`              | List container configuration         |
| `FILE_PRODUCT_CHANGE`      | Change product information           |
| `FILE_PROCESS_AUTOTAGGING` | Perform autotagging                  |
| `COLLECTIONS_LIST`         | List collections                     |
| `COLLECTIONS_MANAGE`       | Manage collections                   |
| `LABELS_LIST`              | View labels                          |
| `LABEL_MANAGE`             | Manage labels                        |
| `OBJECTS_SHARE_MANAGE`     | Manage sharebox                      |
| `OBJECTS_AIRBOX_MANAGE`    | Manage airbox                        |
| `OBJECTS_APPROVAL_MANAGE`  | Manage approval                      |
| `OBJECTS_APPROVAL_VOTE`    | Approve/Reject assets                |
| `ACCESS_READ`              | View accesses                        |
| `ACCESS_MANAGE`            | Manage accesses                      |

#### **Upload limits** <a href="#manage-existing-api-keys" id="manage-existing-api-keys"></a>

These settings set limits on the Upload API.

| Setting                                     | Description                                                                                                                       | Default         |
| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| Limit per min (`limit_per_min`)             | Set the maximum uploads per minute with the key                                                                                   | Unlimited       |
| Limit per source IP (`limit_per_source_ip`) | Maximum number of uploads allowed per source IP with the key                                                                      | Unlimited       |
| Directory scope (`dir_scope`)               | Directories where the key is allowed to upload. If you want to allow all subdirectories of a /folder, set the value to /folder/\* | All directories |

#### **Restrict IP limitation**

It restricts API calls based on IP address ranges and/or countries.

<table><thead><tr><th width="264">Setting</th><th>Description</th><th>Default</th></tr></thead><tbody><tr><td>Whitelist IP ranges (<code>whitelist_ip_ranges</code>)</td><td>IP addresses allowed to perform requests using this Security template</td><td>No restrictions</td></tr><tr><td>Whitelist countries (<code>whitelist_countries</code>)</td><td>Requests are allowed when the source IP address is detected as coming from one of these countries</td><td>All countries are allowed</td></tr></tbody></table>

#### **Key Validity**

This setting defines the validity period of the key, for example to match the user's session length in your authenticated application.

| Setting               | Description                            | Default             |
| --------------------- | -------------------------------------- | ------------------- |
| `expiration_duration` | Time in seconds before the key expires | 1200 s (20 minutes) |

#### **Listing Limits**

Directories where the key is allowed to list elements.

| Setting           | Description                                                                                                                                       | Default         |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| `directory_scope` | Directories where the key is allowed to list and search assets. If you want to allow all subdirectories of a /folder, set the value to /folder/\* | All directories |
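
Most of the settings above default to "unlimited" or "all", so a template created with only a permission list is much broader than it looks. The following added example (not Filerobot code) audits a template description for those defaults before keys are generated from it. The dictionary layout, the choice of "high-impact" permissions, CIDR notation for IP ranges, and `/` or `/*` as a root scope are assumptions of this example; only the setting and permission names come from this page.

```python
import ipaddress

# Permissions from the table above that delete data or change configuration,
# access or visibility. Treating these as "high impact" is this example's choice.
HIGH_IMPACT = {"FILE_DELETE", "DIR_DELETE", "CONFIG_CHANGE", "ACCESS_MANAGE",
               "FILE_SET_VISIBILITY", "DIR_SET_VISIBILITY"}
MAX_TTL = 1200  # seconds: the documented default, used here as the review ceiling

def unscoped(dirs):
    """True when a scope is unset (documented default: all directories)
    or names the root ("/" and "/*" as root spellings are assumed)."""
    return not dirs or any(d in ("/", "/*") for d in dirs)

def audit_template(tpl):
    """Return a list of findings for one template (dict layout is assumed)."""
    out = []
    perms = set(tpl.get("permissions", []))
    out += [f"high-impact permission: {p}" for p in sorted(perms & HIGH_IMPACT)]
    if "FILE_UPLOAD" in perms:
        for key in ("limit_per_min", "limit_per_source_ip"):
            if tpl.get(key) is None:
                out.append(f"{key} unset: unlimited")
        if unscoped(tpl.get("dir_scope")):
            out.append("dir_scope: uploads allowed in all directories")
    if "OBJECTS_LIST" in perms and unscoped(tpl.get("directory_scope")):
        out.append("directory_scope: listing allowed in all directories")
    if tpl.get("expiration_duration", MAX_TTL) > MAX_TTL:
        out.append("expiration_duration exceeds the 1200 s default")
    ranges = tpl.get("whitelist_ip_ranges") or []
    if not ranges and not tpl.get("whitelist_countries"):
        out.append("no IP range or country restriction")
    for r in ranges:  # CIDR notation is assumed for range entries
        if ipaddress.ip_network(r, strict=False).prefixlen == 0:
            out.append(f"whitelist_ip_ranges entry {r} matches every address")
    return out

# Constructed sample templates; values are illustrative only.
BROWSER_UPLOAD = {"permissions": ["FILE_UPLOAD"], "limit_per_min": 30,
                  "limit_per_source_ip": 100, "dir_scope": ["/user-uploads/*"],
                  "expiration_duration": 900, "whitelist_countries": ["FR"]}
WIDE_OPEN = {"permissions": ["FILE_UPLOAD", "OBJECTS_LIST", "FILE_DELETE"],
             "expiration_duration": 86400, "whitelist_ip_ranges": ["0.0.0.0/0"]}

if __name__ == "__main__":
    for name, tpl in (("browser-upload", BROWSER_UPLOAD), ("wide-open", WIDE_OPEN)):
        print(name, audit_template(tpl) or "no findings")
```
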

### Manage existing Security templates <a href="#manage-existing-security-templates" id="manage-existing-security-templates"></a>

Once created, the Security templates can be activated, deactivated, or deleted. Bulk actions are available for managing multiple templates at once.

| Field       | Description                                                                                            |
| ----------- | ------------------------------------------------------------------------------------------------------ |
| Description | To identify the Security template                                                                      |
| Secret key  | The Security Template value. To be kept secret                                                         |
| Created at  | The Security Template creation date                                                                    |
| Scope       | Used to limit the scope. Value "project" by default.                                                   |
| Active      | The Security template status that can be toggled from activated to deactivated using the `...` options |
| Copy        | Copy the secret key to the clipboard for easy reuse                                                    |
