Securing MINT Domains: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 6: | Line 6: | ||
== Row-level security ==__NOEDITSECTION__ | == Row-level security ==__NOEDITSECTION__ | ||
=== Use case description ===__NOEDITSECTION__ | === Use case description ===__NOEDITSECTION__ | ||
Let's assume the following: | |||
* A simple domain on the activity (hazard reduction) object in the staging area has been implemented in MINT. An activity, such as a progress report, usually includes information on the organisation that has carried out the activity. An organisation can be a sub-organisation, so it is important to get the name of the parent organisation via a SQL query. Let's assume the derived table containing the parent organisation name is called ''parent_organisation'' and the attribute containing the name of the parent organisation is called ''parent''. Therefore, the full qualifier for this attribute is <pre>parent_organisation.parent</pre>. | |||
* The NMAC staff should be able to access all the data in the domain, i.e. all the activities carried out by all organisations. | |||
* There are two operators who are given access to MINT in general and this domain in particular: ''Operator1'' and ''Operator2''. However, there is the restriction that Operator1 should only see rows of activities carried out by Operator1. Similarly, Operator2 should only see rows of activities carried out by Operator2. | |||
=== Implementation ===__NOEDITSECTION__ | === Implementation ===__NOEDITSECTION__ | ||
The definition of row-level access is implemented on the level of '''users'''. | The definition of row-level access is implemented on the level of '''users'''. | ||
Revision as of 15:47, 23 September 2014
 |
This page is under construction |
MINT allows restricting access to domains to specific roles and users. Concretely, access can be restricted on the row-level and on the column-level. Typical use cases are the following:
- Row-level security: when querying progress report data (activities), the National Mine Action Centre (NMAC) should see all data, but users from each operator should only see data/reports submitted by them.
- Column-level security: when querying victim data, certain groups of users should not be able to view victim names.
Row-level security
Use case description
Let's assume the following:
- A simple domain on the activity (hazard reduction) object in the staging area has been implemented in MINT. An activity, such as a progress report, usually includes information on the organisation that has carried out the activity. An organisation can be a sub-organisation, so it is important to get the name of the parent organisation via a SQL query. Let's assume the derived table containing the parent organisation name is called parent_organisation and the attribute containing the name of the parent organisation is called parent. Therefore, the full qualifier for this attribute is
parent_organisation.parent
. - The NMAC staff should be able to access all the data in the domain, i.e. all the activities carried out by all organisations.
- There are two operators who are given access to MINT in general and this domain in particular: Operator1 and Operator2. However, there is the restriction that Operator1 should only see rows of activities carried out by Operator1. Similarly, Operator2 should only see rows of activities carried out by Operator2.
Implementation
The definition of row-level access is implemented on the level of users.
Example:
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
<resourceAccessGrants>
<!-- Row level security -->
<!-- What access do roles/users have to the rows in the resource? -->
<resourceAccessGrantList id="JoinTree_1_List" label="ListLabel" resourceId="JoinTree_1">
<resourceAccessGrants>
<!-- Row level restrictions for Organisations, e.g. Operator X only sees his own progress reports -->
<resourceAccessGrant id="Jointree_1_row_access_grant_20">
<principalExpression><![CDATA[authentication.principal.attributes.any{it.attrName in ['Organisation'] }]]></principalExpression>
<filterExpression>testProfileAttribute(parent_organisation.parent,'Organisation')</filterExpression>
</resourceAccessGrant>
</resourceAccessGrants>
</resourceAccessGrantList>
</resourceAccessGrants>
</securityDefinition>
Example download
Column-level security
Use case description
Implementation
The definition of row-level access is implemented on the level of roles.
Example:
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
<!-- Column level security -->
<!-- What access do roles/users have to the fields in an item group? -->
<itemGroupAccessGrants>
<itemGroupAccessGrantList id="grant_item_group_Victims" label="aLabel" itemGroupId="victims" defaultAccess="granted">
<itemGroupAccessGrants>
<!-- Column level for Victims: allow general access to ROLE_NOVICTIMNAMES, then deny access to specific fields -->
<itemGroupAccessGrant id="Victims_item_group_access_grant" access="granted">
<principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_NOVICTIMNAMES'] }</principalExpression>
<itemAccessGrantList id="Victims_grant_item_group_items" defaultAccess="granted">
<itemAccessGrants>
<!-- Deny access to the name and surname of victims -->
<itemAccessGrant id="Jointree_1_grant2_items_grant1" itemId="givenname" access="denied" />
<itemAccessGrant id="Jointree_1_grant2_items_grant2" itemId="familyname" access="denied" />
</itemAccessGrants>
</itemAccessGrantList>
</itemGroupAccessGrant>
</itemGroupAccessGrants>
</itemGroupAccessGrantList>
</itemGroupAccessGrants>
</securityDefinition>
Example download
{{#switch:|subgroup|child=|none=|#default=
}}{{#if:Business Intelligence|{{#if:|<th scope="col" style="border-left:2px solid #fdfdfd;width:100%;|}}{{#if:|{{#if:Business Intelligence|}}}}{{#if:Install Staging Area Generator · Using Staging Area Generator · Post Processing SQL Scripts · SAG Spatial reference system · Name Rules Staging Area · Scheduling the Staging Area creation|{{#if:Business Intelligence|}}{{#if:|}}{{#if:Staging Area Generator|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|{{#if:|}}}}{{#if: IMSMA Staging Area Database · Connecting to IMSMA Staging area from ArcGIS · Connecting to IMSMA Staging area from Excel · Sharing an IMSMA Staging Area|{{#if:Business IntelligenceInstall Staging Area Generator · Using Staging Area Generator · Post Processing SQL Scripts · SAG Spatial reference system · Name Rules Staging Area · Scheduling the Staging Area creation|}}{{#if:IMSMA Staging Area|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:Business IntelligenceInstall Staging Area Generator · Using Staging Area Generator · Post Processing SQL Scripts · SAG Spatial reference system · Name Rules Staging Area · Scheduling the Staging Area creation IMSMA Staging Area Database · Connecting to IMSMA Staging area from ArcGIS · Connecting to IMSMA Staging area from Excel · Sharing an IMSMA Staging Area|}}{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:Other Reporting Tools|{{#if:Other Reporting Tools|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if: Introduction to indicators|{{#if:Indicators|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:|<td style="text-align:left;border-left-width:2px;border-left-style:solid;|}}{{#if:|{{#if:Business IntelligenceInstall Staging Area Generator · Using Staging Area Generator · Post Processing SQL Scripts · SAG Spatial reference system · Name Rules Staging Area · Scheduling the Staging Area creation IMSMA Staging Area Database · Connecting to IMSMA Staging area from ArcGIS · Connecting to IMSMA Staging area from Excel · Sharing an IMSMA Staging Area|}}}}
|none=|#default= | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
}}{{#ifeq:|Template|{{#ifeq:|child||{{#ifeq:|subgroup||{{#switch:securing mint domains
|doc
|sandbox
|testcases =
|#default = {{#switch:hlist
|plainlist
|hlist
|hlist hnum
|hlist vcard
|vcard hlist =
|#default =
}}
}}
}}}}}}