Securing MINT Domains: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 8: | Line 8: | ||
=== Implementation ===__NOEDITSECTION__ | === Implementation ===__NOEDITSECTION__ | ||
The definition of row-level access is implemented on the level of '''users'''. | The definition of row-level access is implemented on the level of '''users'''. | ||
Example: | <br />Example: | ||
<pre> | <pre> | ||
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted"> | <securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted"> | ||
| Line 32: | Line 32: | ||
=== Use case description ===__NOEDITSECTION__ | === Use case description ===__NOEDITSECTION__ | ||
=== Implementation ===__NOEDITSECTION__ | === Implementation ===__NOEDITSECTION__ | ||
Example: | The definition of row-level access is implemented on the level of '''roles'''. | ||
<br />Example: | |||
<pre> | <pre> | ||
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted"> | <securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted"> | ||
Revision as of 13:07, 23 September 2014
 |
This page is under construction |
MINT allows restricting access to domains to specific roles and users. Concretely, access can be restricted on the row-level and on the column-level. Typical use cases are the following:
- Row-level security: when querying progress report data (activities), the National Mine Action Centre (NMAC) should see all data, but users from each operator should only see data/reports submitted by them.
- Column-level security: when querying victim data, certain groups of users should not be able to view victim names.
Row-level security
Use case description
Implementation
The definition of row-level access is implemented on the level of users.
Example:
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
<resourceAccessGrants>
<!-- Row level security -->
<!-- What access do roles/users have to the rows in the resource? -->
<resourceAccessGrantList id="JoinTree_1_List" label="ListLabel" resourceId="JoinTree_1">
<resourceAccessGrants>
<!-- Row level restrictions for Organisations, e.g. Operator X only sees his own progress reports -->
<resourceAccessGrant id="Jointree_1_row_access_grant_20">
<principalExpression><![CDATA[authentication.principal.attributes.any{it.attrName in ['Organisation'] }]]></principalExpression>
<filterExpression>testProfileAttribute(parent_organisation.parent,'Organisation')</filterExpression>
</resourceAccessGrant>
</resourceAccessGrants>
</resourceAccessGrantList>
</resourceAccessGrants>
</securityDefinition>
Example download
Column-level security
Use case description
Implementation
The definition of row-level access is implemented on the level of roles.
Example:
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
<!-- Column level security -->
<!-- What access do roles/users have to the fields in an item group? -->
<itemGroupAccessGrants>
<itemGroupAccessGrantList id="grant_item_group_Victims" label="aLabel" itemGroupId="victims" defaultAccess="granted">
<itemGroupAccessGrants>
<!-- Column level for Victims: allow general access to ROLE_NOVICTIMNAMES, then deny access to specific fields -->
<itemGroupAccessGrant id="Victims_item_group_access_grant" access="granted">
<principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_NOVICTIMNAMES'] }</principalExpression>
<itemAccessGrantList id="Victims_grant_item_group_items" defaultAccess="granted">
<itemAccessGrants>
<!-- Deny access to the name and surname of victims -->
<itemAccessGrant id="Jointree_1_grant2_items_grant1" itemId="givenname" access="denied" />
<itemAccessGrant id="Jointree_1_grant2_items_grant2" itemId="familyname" access="denied" />
</itemAccessGrants>
</itemAccessGrantList>
</itemGroupAccessGrant>
</itemGroupAccessGrants>
</itemGroupAccessGrantList>
</itemGroupAccessGrants>
</securityDefinition>
Example download
{{#switch:|subgroup|child=|none=|#default=
}}{{#if:Business Intelligence|{{#if:|<th scope="col" style="border-left:2px solid #fdfdfd;width:100%;|}}{{#if:|{{#if:Business Intelligence|}}}}{{#if:Install Staging Area Generator · Using Staging Area Generator · Post Processing SQL Scripts · SAG Spatial reference system · Name Rules Staging Area · Scheduling the Staging Area creation|{{#if:Business Intelligence|}}{{#if:|}}{{#if:Staging Area Generator|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|{{#if:|}}}}{{#if: IMSMA Staging Area Database · Connecting to IMSMA Staging area from ArcGIS · Connecting to IMSMA Staging area from Excel · Sharing an IMSMA Staging Area|{{#if:Business IntelligenceInstall Staging Area Generator · Using Staging Area Generator · Post Processing SQL Scripts · SAG Spatial reference system · Name Rules Staging Area · Scheduling the Staging Area creation|}}{{#if:IMSMA Staging Area|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:Business IntelligenceInstall Staging Area Generator · Using Staging Area Generator · Post Processing SQL Scripts · SAG Spatial reference system · Name Rules Staging Area · Scheduling the Staging Area creation IMSMA Staging Area Database · Connecting to IMSMA Staging area from ArcGIS · Connecting to IMSMA Staging area from Excel · Sharing an IMSMA Staging Area|}}{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:Other Reporting Tools|{{#if:Other Reporting Tools|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if: Introduction to indicators|{{#if:Indicators|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:Business IntelligenceInstall Staging Area Generator · Using Staging Area Generator · Post Processing SQL Scripts · SAG Spatial reference system · Name Rules Staging Area · Scheduling the Staging Area creation IMSMA Staging Area Database · Connecting to IMSMA Staging area from ArcGIS · Connecting to IMSMA Staging area from Excel · Sharing an IMSMA Staging Area|}}}}
|none=|#default= | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
}}{{#ifeq:|Template|{{#ifeq:|child||{{#ifeq:|subgroup||{{#switch:securing mint domains
|doc
|sandbox
|testcases =
|#default = {{#switch:hlist
|plainlist
|hlist
|hlist hnum
|hlist vcard
|vcard hlist =
|#default =
}}
}}
}}}}}}