Wiki source code of User Security
Show last authors
1 | = Security in the REQUEA Platform = |
2 | |
3 | |
4 | Security is organized around 3 concepts |
5 | - Security Rights, or access rights, or security profiles |
6 | - User groups |
7 | - Users |
8 | |
9 | |
10 | == Access Rights == |
11 | |
12 | Access right is the most elementary user right. |
13 | It tells if the user has to right to: |
14 | |
15 | * view a property |
16 | * change a property |
17 | * click on an action |
18 | * view a menu |
19 | |
20 | Example: ResourceBooking: may reserve resources |
21 | |
22 | Access rights are defined by the applications. You may add as many rights as you want. |
23 | |
24 | A good practice is to define rights for main entities (for example a ticket), and create the following rights: |
25 | |
26 | * Right to view |
27 | * Right to Edit |
28 | * Admin Right |
29 | |
30 | and then you may add rights for specific actions (like the close ticket "Right to close"), and some specific properties (like "Right to see financial information). |
31 | |
32 | |
33 | === System Rights === |
34 | |
35 | 3 rights are system rights and have a special behavior: |
36 | |
37 | * User Authenticated = user logged. This right is automatically granted to a "logged" user (a user that went through a login procedure) |
38 | * Anonymous = everybody (including no user) - use with care, or your informations may be crawled by a search engine. Unless you design an Internet site or an Extranet with some public information, you should not use this right. |
39 | * Nobody = nobody, including Super Admin (RequeaDev). Used to hide information. |
40 | |
41 | == User Groups and Users == |
42 | |
43 | Users belongs in groups and groups have access rights (basic rights, see above): |
44 | |
45 | [[image:img9.png||alt="user groups"]] |
46 | |
47 | |
48 | Upon login: |
49 | - The platform looks at the user groups of the user |
50 | - add security rights of the groups |
51 | - add specific rights for user (use on test system only) |
52 | |
53 | The user has therefore a list of basic rights that come from the groups where he belongs. |
54 | |
55 | When an action link is to be displayed: |
56 | |
57 | * platform check if there is a specific right on that action, if yes, check that the user has the right |
58 | * if no specific right on the action, check if there is a specific right at the entity level (default right for the entity) |
59 | |
60 | When a property is rendered: |
61 | |
62 | * if property is read/write (because we are on a form), check if there is a WriteAccess defined on the property. If yes, checks that the user has this right |
63 | * if property is read only, check if there is a ReadAccess defined on the property. If yes, check if the user has this right. |
64 | |
65 | == Security and Application Development Cycle == |
66 | |
67 | Some security aspects are to be designed during the application development cycle. |
68 | Others will be deployed on the target production system. |
69 | |
70 | - Basic Rights (Access Rights) belongs to the application development cycle. |
71 | - Standard Groups also belongs to the app development cycle |
72 | |
73 | - Specific groups (functional customer groups) are to be created upon deployment |
74 | - Users will be assigned to groups (as members) upon deployment |
75 | |
76 | |
77 | = Advanced Security Functions = |
78 | |
79 | |
80 | - LDAP: user authentication |
81 | - SSL compliant. Need to install certificate |
82 | - SSO support. IIS only - Windows only |
83 | - Exotic auth possible through custom filters (java dev) |
84 | - Row level security: Record level control (right to see a particular record, right to change a particular record) |