Versions Compared

Version Old Version 37 New Version 38
Changes made by

Silvan Grüter

Silvan Grüter

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Data Access Permission are stored as sets of entity permission. Each such permission consists of three things. The entity where access is given to, the security mode and a filter.

Entity Type

An entity is any object within the CoreOne Suite Meta Directory. From a Core Identity to a Target System Configuration, everything is stored in an entity and can therefore be selected. All available entities are presented to you in the UI and they follow the same logic naming as all the UI masks do.

Entity Type Default Rights

Each entity type has default rights attached to it. In the security_entity_type entity, you will find a property called default_security_rights. This property defines the default rights that will be applied to all users.

For example the IResourceAssignment entity has a GenericNoAccessFilter defined, meaning no one has access to it by default. On the other hand the ICoreIdentity entity has a GenericMyCoreIdentityFilter defined, meaning everyone is allowed to read their own Core Identity by default.

Security Mode

The security mode defines wich actions are allowed on the entity where access is given to. The available rights are:

...

If you do not set a filter, the chosen security mode is applied to all entities. If you set one, you can further filter the entities to which the current permission will apply to. To do so, there are a couple of filters available. If you apply them, the data will be filtered according to the filter configuration.

GenericFullAccessFilter

When applied, this filter gives full access to all entities.

...

Code Block
{
  "$type": "iTsense.Moving.Backend.DataHandling.Security.Filter.GenericFullAccessFilter`1[[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IAttribute, iTsense.Moving.Backend.Services.DmcoreService]], iTsense.Moving.Backend.DataHandling",
  "ElementType": "iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IAttribute, iTsense.Moving.Backend.Services.DmcoreService"
}

GenericMyCoreIdentityFilter

When applied, you can filter entities based on their ownership. You can apply this filter to all entities that have a relation to a Core Identity. The filter on that property then only allows the permitted action to be applied when the current Core Identity is the owner of the object.

...

Code Block
{
  "$type": "iTsense.Moving.Backend.DataHandling.Security.Filter.GenericMyCoreIdentityFilter`1[[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IRoleAssignment, iTsense.Moving.Backend.Services.DmcoreService]], iTsense.Moving.Backend.DataHandling",
 "NotContains": false,
   "PropertyChain": {
    "$type": "System.String[], mscorlib",
   "$values": [
      "Role",
     "CoreIdentity",
     "Id"
      ]
 }
}

GenericNoAccessFilter

Denies access to all entities.

GenericSubFiltersFilter

Gives access to entities if a subset of filters apply.

...

Code Block
{
  "$type": "iTsense.Moving.Backend.DataHandling.Security.Filter.GenericSubFiltersFilter`2[[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IRoleAssignment, iTsense.Moving.Backend.Services.DmcoreService],[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IRole, iTsense.Moving.Backend.Services.DmcoreService]], iTsense.Moving.Backend.DataHandling",
  "ReferenceDtoTypePropertyName": "Role",
  "ReferenceDtoTypeSecurityMode": 1
}

GenericPropertyChainFilter

Gives access to the selected entity if the chain of properties configured in the filter match.

...

In some cases the business logic is not executed in the context of the user, but in the context of the system. In those cases the limitation of the UI will lead to a situation where the user actually can save data. So whenever you create a new security role and you would like to limit the edit of specific attributes keep this in mind and test it carefully. However if you configure the Updatable on the attribute itself, everything will work as expected.

Relations

If you give view permission for the Identity Detail page and grant data permissions to all identities, you might still not be able to load the appropriate view. Because the detail page displays more than just the entity, you might need to give access to certain relations. For example an IIdentity has many relations to the ITargetSystem, the IIdentityType, the IProvisioningConfiguration and so on. Depending on the view and the use case, you might need to give access to those relationships.