User management? - My Forums

Re: User management?

opengeek — Feb 12, 2008, 11:16 AM

I will have information for you folks this week that should help you understand how to approach security in the new model. It’s actually very straight-forward, just completely different from what we had before.

Re: User management?

sirlancelot — Feb 12, 2008, 11:04 AM

Quote from: sottwell at Feb 10, 2008, 12:33 PM

... My usual practice of just clicking on stuff and seeing what happens isn’t proving very productive in this case. ...

You and I are in the same boat on this!

Re: User management?

sottwell — Feb 10, 2008, 06:33 AM

Well, I still can’t figure out how to create a new policy (or edit an existing one) and get it to work. What I’m trying to do is have a guest user who can view all the resources and elements, but can’t change anything or access the tools or user management. So far I’m not getting anywhere. I can create a new user just fine, but can’t figure out how to restrict his access.

There are four menu items, Manage Users, Manage Groups and Roles, Access Permissions and Access Policies.

Is there some way I can find out one by one what each one does and how to use it? My usual practice of just clicking on stuff and seeing what happens isn’t proving very productive in this case. I’ll be very happy to write detailed explanations and how-tos for everything once I can do it myself.

Re: User management?

sottwell — Jan 30, 2008, 11:24 AM

Quote from: splittingred at Jan 30, 2008, 05:16 PM

The policy editor we’re working on making a property grid - ie, you simply set True or False for each policy data.

That bit wasn’t a problem, it’s fairly obvious to a coder what it is. Just what does it do was the burning question!

Re: User management?

sottwell — Jan 30, 2008, 11:22 AM

I did, but I’ll be darned if I’ll pay for these articles. I’ve downloaded a few PDF documents that may prove useful.

Re: User management?

opengeek — Jan 30, 2008, 11:18 AM

Quote from: sottwell at Jan 30, 2008, 04:43 PM

Thank you. This is exactly what I was looking for. (but ABAC and principals )

Hey, I don’t make this stuff up; I just learn from the experts. Search for "attribute-based access control principals" in Google...

Re: User management?

splittingred — Jan 30, 2008, 11:16 AM

Quote from: sottwell at Jan 30, 2008, 04:43 PM

That reads like an insurance policy - in Hebrew

I will study it until it begins to make sense. It will probably make more sense once it’s working and I can actually do it and see it in action.

Thank you. This is exactly what I was looking for. (but ABAC and principals )

The policy editor we’re working on making a property grid - ie, you simply set True or False for each policy data.

Re: User management?

sottwell — Jan 30, 2008, 10:43 AM

That reads like an insurance policy - in Hebrew

I will study it until it begins to make sense. It will probably make more sense once it’s working and I can actually do it and see it in action.

Thank you. This is exactly what I was looking for. (but ABAC and principals )

Re: User management?

opengeek — Jan 30, 2008, 10:16 AM

Alright, first, get rid of all your previous user management conceptions. It would also help to gain a basic understanding of Attribute-Based Access Control (ABAC), as I used some of the latest work being done on grid/web-service security access control to guide the design of the new system. Specifically, I want to be positioned to be able to adopt support for the emerging standards of SAML and XACML. But, enough justification and cursory background...

Let’s start with the idea of "Roles", which is no longer a way to link users to sets of permissions. The modUserGroupRole simply defines the level of authority a user holds within a Group, with 1 being the highest level of authority and 9999 the lowest (everyone has an authority of 9999, as the member of any modUserGroup).

Permissions are now defined by Policies. Policies are simple associate arrays (editable as a simple JSON string at the moment, though this is obviously not optimal) that can define any key/value combination to represent a permission (or attribute) which can be assigned to a relationship between an accessible object and a Principal (a generic term representing a User or a UserGroup). The manager interface currently only allows editing relationships between UserGroups and ResourceGroups (formerly DocumentGroups), but relationships directly between Users and Policies are also going to be possible.

So, for ResourceGroup permissions, consider you have a UserGroup related to a ResourceGroup and assigned a default Authority of 9999, and a Policy assigned to this relationship that consists of:

{
"create":true,
"remove":true,
"save":true,
"load":true
}

Theoretically then, you should be able to create a new Read-Only policy, defining it like so:

{
"create":false,
"remove":false,
"save":false,
"load":true
}

You’re in essence, simply saying UserGroup A with an Authority level >= 9999 (defined by a User’s Role within a UserGroup) has the Read-Only policy when accessing ResourceGroup A. When a user then tries to access a Resource that is in ResourceGroup A, the policy attributes the user has by nature of his (non-)membership in UserGroup A are compared to the policies that apply to the Resource and checks the attribute being queried (for reading a Resource, the "load" attribute is the one that would be checked) to make sure the User has the same attribute and the same value for that attribute.

The legacy manager permissions that define access to various pages and activities are controlled in the same way, except you assign these access control relationships between a UserGroup and a Context. I’ve duplicated all the permissions from the former Role table (not to be confused with UserGroupRole) as the Admin policy.

Of course, it seems the policy editor is now broken since the move to Ext2, so, I won’t be able to tell you how to add a new Policy until I get that fixed. So, let me get that fixed and you start asking questions from this brief overview of the new security framework.

Re: User management?

sottwell — Jan 30, 2008, 03:18 AM

Trying to set up a manager user with read-only permissions to everything.

Roles does not seem to be working at all; all roles show a field of some sort with no heading, and either 0 or 9999 in it, and whenever you attempt to edit a role it simply says "no role returned".

(the unnamed field is apparently "Authority", although what that is I have no idea at all.)

I’m also very hazy on how all the parts interact, especially the access policies.

What I would really like to do is get a thorough understanding of how users are managed and get it clearly documented. So far I’ve got a suspicion that something like 21 tables in the database are involved, but I can’t even find all the files involved, let alone figure out exactly what’s going on by reading the source code. But I don’t expect to "get" it all by next Tuesday, so one step at a time. If I can just figure out the surface aspect of managing users and access that will be a start.