Wiki source code of User Security
Last modified by Maurice Gasco on 2015/10/23 17:55
Show last authors
| 1 | = Security in the REQUEA Platform = |
| 2 | |
| 3 | |
| 4 | Security is organized around 3 concepts |
| 5 | - Security Rights, or access rights, or security profiles |
| 6 | - User groups |
| 7 | - Users |
| 8 | |
| 9 | |
| 10 | == Access Rights == |
| 11 | |
| 12 | Access right is the most elementary user right. |
| 13 | It tells if the user has to right to: |
| 14 | |
| 15 | * view a property |
| 16 | * change a property |
| 17 | * click on an action |
| 18 | * view a menu |
| 19 | |
| 20 | Example: ResourceBooking: may reserve resources |
| 21 | |
| 22 | Access rights are defined by the applications. You may add as many rights as you want. |
| 23 | |
| 24 | A good practice is to define rights for main entities (for example a ticket), and create the following rights: |
| 25 | |
| 26 | * Right to view |
| 27 | * Right to Edit |
| 28 | * Admin Right |
| 29 | |
| 30 | and then you may add rights for specific actions (like the close ticket "Right to close"), and some specific properties (like "Right to see financial information). |
| 31 | |
| 32 | |
| 33 | === System Rights === |
| 34 | |
| 35 | 3 rights are system rights and have a special behavior: |
| 36 | |
| 37 | * User Authenticated = user logged. This right is automatically granted to a "logged" user (a user that went through a login procedure) |
| 38 | * Anonymous = everybody (including no user) - use with care, or your informations may be crawled by a search engine. Unless you design an Internet site or an Extranet with some public information, you should not use this right. |
| 39 | * Nobody = nobody, including Super Admin (RequeaDev). Used to hide information. |
| 40 | |
| 41 | == User Groups and Users == |
| 42 | |
| 43 | Users belongs in groups and groups have access rights (basic rights, see above): |
| 44 | |
| 45 | [[image:img9.png||alt="user groups"]] |
| 46 | |
| 47 | |
| 48 | Upon login: |
| 49 | - The platform looks at the user groups of the user |
| 50 | - add security rights of the groups |
| 51 | - add specific rights for user (use on test system only) |
| 52 | |
| 53 | The user has therefore a list of basic rights that come from the groups where he belongs. |
| 54 | |
| 55 | When an action link is to be displayed: |
| 56 | |
| 57 | * platform check if there is a specific right on that action, if yes, check that the user has the right |
| 58 | * if no specific right on the action, check if there is a specific right at the entity level (default right for the entity) |
| 59 | |
| 60 | When a property is rendered: |
| 61 | |
| 62 | * if property is read/write (because we are on a form), check if there is a WriteAccess defined on the property. If yes, checks that the user has this right |
| 63 | * if property is read only, check if there is a ReadAccess defined on the property. If yes, check if the user has this right. |
| 64 | |
| 65 | == Security and Application Development Cycle == |
| 66 | |
| 67 | Some security aspects are to be designed during the application development cycle. |
| 68 | Others will be deployed on the target production system. |
| 69 | |
| 70 | - Basic Rights (Access Rights) belongs to the application development cycle. |
| 71 | - Standard Groups also belongs to the app development cycle |
| 72 | |
| 73 | - Specific groups (functional customer groups) are to be created upon deployment |
| 74 | - Users will be assigned to groups (as members) upon deployment |
| 75 | |
| 76 | |
| 77 | = Advanced Security Functions = |
| 78 | |
| 79 | |
| 80 | - LDAP: user authentication: [[Configure Active Directory or LDAP authentication>>ConfigAD]] |
| 81 | |
| 82 | |
| 83 | - SSL compliant. Need to install certificate |
| 84 | - SSO support in Microsoft environment using IIS windows authentication or ADFS environment. |
| 85 | |
| 86 | - SSO support in heterogeneous environment using Auth0 or SAML authentication. |
| 87 | - Exotic auth possible through custom filters (java dev) |
| 88 | |
| 89 | - Row level security: Record level control (right to see a particular record, right to change a particular record) |
| 90 | [[Row level security control>>RowLevelSecurity]] |