Wiki source code of User Security
Last modified by Maurice Gasco on 2015/10/23 17:55
- Manage
Copy- Actions
Export
Print preview
View Source- Viewers
Siblings
Content
Comments- Annotations
Attachments (1)
History
Information
Hide last authors
 |
1.1 | 1 | = Security in the REQUEA Platform = |
| 2 | |||
| 3 | |||
| 4 | Security is organized around 3 concepts | ||
| 5 | - Security Rights, or access rights, or security profiles | ||
| 6 | - User groups | ||
| 7 | - Users | ||
| 8 | |||
| 9 | |||
| 10 | == Access Rights == | ||
| 11 | |||
| 12 | Access right is the most elementary user right. | ||
| 13 | It tells if the user has to right to: | ||
| 14 | |||
| 15 | * view a property | ||
| 16 | * change a property | ||
| 17 | * click on an action | ||
| 18 | * view a menu | ||
| 19 | |||
| 20 | Example: ResourceBooking: may reserve resources | ||
| 21 | |||
| 22 | Access rights are defined by the applications. You may add as many rights as you want. | ||
| 23 | |||
| 24 | A good practice is to define rights for main entities (for example a ticket), and create the following rights: | ||
| 25 | |||
| 26 | * Right to view | ||
| 27 | * Right to Edit | ||
| 28 | * Admin Right | ||
| 29 | |||
| 30 | and then you may add rights for specific actions (like the close ticket "Right to close"), and some specific properties (like "Right to see financial information). | ||
| 31 | |||
| 32 | |||
| 33 | === System Rights === | ||
| 34 | |||
| 35 | 3 rights are system rights and have a special behavior: | ||
| 36 | |||
| 37 | * User Authenticated = user logged. This right is automatically granted to a "logged" user (a user that went through a login procedure) | ||
| 38 | * Anonymous = everybody (including no user) - use with care, or your informations may be crawled by a search engine. Unless you design an Internet site or an Extranet with some public information, you should not use this right. | ||
| 39 | * Nobody = nobody, including Super Admin (RequeaDev). Used to hide information. | ||
| 40 | |||
| 41 | == User Groups and Users == | ||
| 42 | |||
| 43 | Users belongs in groups and groups have access rights (basic rights, see above): | ||
| 44 | |||
| 45 | [[image:img9.png||alt="user groups"]] | ||
| 46 | |||
| 47 | |||
| 48 | Upon login: | ||
| 49 | - The platform looks at the user groups of the user | ||
| 50 | - add security rights of the groups | ||
| 51 | - add specific rights for user (use on test system only) | ||
| 52 | |||
| 53 | The user has therefore a list of basic rights that come from the groups where he belongs. | ||
| 54 | |||
| 55 | When an action link is to be displayed: | ||
| 56 | |||
| 57 | * platform check if there is a specific right on that action, if yes, check that the user has the right | ||
| 58 | * if no specific right on the action, check if there is a specific right at the entity level (default right for the entity) | ||
| 59 | |||
| 60 | When a property is rendered: | ||
| 61 | |||
| 62 | * if property is read/write (because we are on a form), check if there is a WriteAccess defined on the property. If yes, checks that the user has this right | ||
| 63 | * if property is read only, check if there is a ReadAccess defined on the property. If yes, check if the user has this right. | ||
| 64 | |||
| 65 | == Security and Application Development Cycle == | ||
| 66 | |||
| 67 | Some security aspects are to be designed during the application development cycle. | ||
| 68 | Others will be deployed on the target production system. | ||
| 69 | |||
| 70 | - Basic Rights (Access Rights) belongs to the application development cycle. | ||
| 71 | - Standard Groups also belongs to the app development cycle | ||
| 72 | |||
| 73 | - Specific groups (functional customer groups) are to be created upon deployment | ||
| 74 | - Users will be assigned to groups (as members) upon deployment | ||
| 75 | |||
| 76 | |||
| 77 | = Advanced Security Functions = | ||
| 78 | |||
| 79 | |||
| |
2.1 | 80 | - LDAP: user authentication: [[Configure Active Directory or LDAP authentication>>ConfigAD]] |
| 81 | |||
| 82 | |||
| |
1.1 | 83 | - SSL compliant. Need to install certificate |
| |
4.1 | 84 | - SSO support in Microsoft environment using IIS windows authentication or ADFS environment. |
| 85 | |||
| 86 | - SSO support in heterogeneous environment using Auth0 or SAML authentication. | ||
| |
1.1 | 87 | - Exotic auth possible through custom filters (java dev) |
| |
3.1 | 88 | |
| |
1.1 | 89 | - Row level security: Record level control (right to see a particular record, right to change a particular record) |
| |
3.1 | 90 | [[Row level security control>>RowLevelSecurity]] |