Security in the REQUEA Platform

Security is organized around 3 concepts:
- Security Rights, or access rights, or security profiles
- User groups
- Users

Access Rights

An access right is the most elementary user right.
It tells whether the user has the right to:

  • view a property
  • change a property
  • click on an action
  • view a menu

Example: ResourceBooking: may reserve resources

Access rights are defined by the applications. You may add as many rights as you want. 

A good practice is to define rights for main entities (for example a ticket), and create the following rights:

  • Right to view
  • Right to Edit
  • Admin Right

You may then add rights for specific actions (such as "Right to close" for closing a ticket) and for specific properties (such as "Right to see financial information").

System Rights

3 rights are system rights and have a special behavior:

  • User Authenticated = user logged in. This right is automatically granted to a "logged" user (a user who went through a login procedure)
  • Anonymous = everybody (including no user). Use with care, or your information may be crawled by a search engine. Unless you design an Internet site or an Extranet with some public information, you should not use this right.
  • Nobody = nobody, including Super Admin (RequeaDev). Used to hide information.

User Groups and Users

Users belong to groups, and groups have access rights (basic rights, see above).

Upon login, the platform:
- looks at the user groups of the user
- adds the security rights of those groups
- adds the specific rights of the user (use on test system only)

The user therefore has a list of basic rights that come from the groups they belong to.

When an action link is to be displayed:

  • the platform checks whether a specific right is defined on that action; if so, it checks that the user has that right
  • if no specific right is defined on the action, it checks whether a right is defined at the entity level (the default right for the entity)

When a property is rendered:

  • if the property is read/write (because we are on a form), the platform checks whether a WriteAccess is defined on the property. If so, it checks that the user has this right.
  • if the property is read only, the platform checks whether a ReadAccess is defined on the property. If so, it checks that the user has this right.
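
The login and check sequence above, modelled in Python as an added example (not REQUEA code or its API). The data layout, function names and sample groups are hypothetical, and treating an undefined right as unrestricted is an assumption the page does not state.

```python
# Model of the rights evaluation described above; not REQUEA platform code.
AUTHENTICATED, ANONYMOUS, NOBODY = "User Authenticated", "Anonymous", "Nobody"

def effective_rights(user, groups):
    """Rights at login: system rights + rights of the user's groups + user-specific rights."""
    rights = {ANONYMOUS}                      # Anonymous = everybody, including no user
    if user is not None:
        rights.add(AUTHENTICATED)             # granted automatically after login
        for name in user["groups"]:
            rights |= groups[name]
        rights |= user.get("rights", set())   # user-specific rights (test systems only)
    rights.discard(NOBODY)                    # Nobody is never held, even by Super Admin
    return rights

def passes(rights, required):
    # ASSUMPTION: when no right is defined (None), the check does not restrict.
    return required is None or required in rights

def can_click(rights, entity, action):
    """Action-specific right first, otherwise the entity's default right."""
    required = entity["actions"].get(action) or entity.get("default_right")
    return passes(rights, required)

def can_render(rights, entity, prop, on_form):
    """WriteAccess is checked on a form (read/write), ReadAccess when read only."""
    key = "WriteAccess" if on_form else "ReadAccess"
    return passes(rights, entity["properties"][prop].get(key))

def anonymous_review(entity):
    """Names whose right is Anonymous: reachable without login, so worth a review."""
    hits = [a for a, r in entity["actions"].items() if r == ANONYMOUS]
    hits += [p for p, d in entity["properties"].items() if ANONYMOUS in d.values()]
    return sorted(hits)

# Constructed sample data (hypothetical groups and entity definition).
GROUPS = {"Agents": {"Right to view", "Right to Edit", "Right to close"},
          "Finance": {"Right to view", "Right to see financial information"}}
TICKET = {
    "default_right": "Right to view",
    "actions": {"close": "Right to close", "print": None, "faq": ANONYMOUS},
    "properties": {
        "title": {"WriteAccess": "Right to Edit"},
        "cost": {"ReadAccess": "Right to see financial information",
                 "WriteAccess": NOBODY},
    },
}
agent = effective_rights({"groups": ["Agents"]}, GROUPS)
visitor = effective_rights(None, GROUPS)
```

Running `anonymous_review` over every entity definition before deployment gives a short list of what a crawler or unauthenticated visitor can reach.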

Security and Application Development Cycle

Some security aspects are to be designed during the application development cycle.
Others will be deployed on the target production system.

- Basic Rights (Access Rights) belong to the application development cycle.
- Standard Groups also belong to the app development cycle

- Specific groups (functional customer groups) are to be created upon deployment
- Users will be assigned to groups (as members) upon deployment

Advanced Security Functions

- LDAP user authentication: configure Active Directory or LDAP authentication
- SSL compliant. A certificate needs to be installed.
- SSO support in Microsoft environments using IIS Windows authentication or ADFS.
- SSO support in heterogeneous environments using Auth0 or SAML authentication.
- Exotic authentication is possible through custom filters (Java development)
- Row level security: record level control (right to see a particular record, right to change a particular record)

Created by Pierre Dubois on 2011/10/07 11:14
     
This wiki is licensed under a Creative Commons 2.0 license