Wiki source code of User Security

Version 1.1 by Pierre Dubois on 2011/10/14 09:21

Show last authors
1 = Security in the REQUEA Platform =
2
3
4 Security is organized around 3 concepts
5 - Security Rights, or access rights, or security profiles
6 - User groups
7 - Users
8
9
10 == Access Rights ==
11
12 Access right is the most elementary user right.
13 It tells if the user has to right to:
14
15 * view a property
16 * change a property
17 * click on an action
18 * view a menu
19
20 Example: ResourceBooking: may reserve resources
21
22 Access rights are defined by the applications. You may add as many rights as you want.
23
24 A good practice is to define rights for main entities (for example a ticket), and create the following rights:
25
26 * Right to view
27 * Right to Edit
28 * Admin Right
29
30 and then you may add rights for specific actions (like the close ticket "Right to close"), and some specific properties (like "Right to see financial information).
31
32
33 === System Rights ===
34
35 3 rights are system rights and have a special behavior:
36
37 * User Authenticated = user logged. This right is automatically granted to a "logged" user (a user that went through a login procedure)
38 * Anonymous = everybody (including no user) - use with care, or your informations may be crawled by a search engine. Unless you design an Internet site or an Extranet with some public information, you should not use this right.
39 * Nobody = nobody, including Super Admin (RequeaDev). Used to hide information.
40
41 == User Groups and Users ==
42
43 Users belongs in groups and groups have access rights (basic rights, see above):
44
45 [[image:img9.png||alt="user groups"]]
46
47
48 Upon login:
49 - The platform looks at the user groups of the user
50 - add security rights of the groups
51 - add specific rights for user (use on test system only)
52
53 The user has therefore a list of basic rights that come from the groups where he belongs.
54
55 When an action link is to be displayed:
56
57 * platform check if there is a specific right on that action, if yes, check that the user has the right
58 * if no specific right on the action, check if there is a specific right at the entity level (default right for the entity)
59
60 When a property is rendered:
61
62 * if property is read/write (because we are on a form), check if there is a WriteAccess defined on the property. If yes, checks that the user has this right
63 * if property is read only, check if there is a ReadAccess defined on the property. If yes, check if the user has this right.
64
65 == Security and Application Development Cycle ==
66
67 Some security aspects are to be designed during the application development cycle.
68 Others will be deployed on the target production system.
69
70 - Basic Rights (Access Rights) belongs to the application development cycle.
71 - Standard Groups also belongs to the app development cycle
72
73 - Specific groups (functional customer groups) are to be created upon deployment
74 - Users will be assigned to groups (as members) upon deployment
75
76
77 = Advanced Security Functions =
78
79
80 - LDAP: user authentication
81 - SSL compliant. Need to install certificate
82 - SSO support. IIS only - Windows only
83 - Exotic auth possible through custom filters (java dev)
84 - Row level security: Record level control (right to see a particular record, right to change a particular record)
This wiki is licensed under a Creative Commons 2.0 license
XWiki Enterprise 9.11.5 - Documentation