Security Model Overview¶
Each object in Unidata system is managed by a security model, which allows users to set access rights to a particular object. These objects are called security resources.
Access to security resources is configured using two tools:
“Access rights” table. This table is configured during a new user role creation. You can set system permissions and entities/lookup entities access (including individual attributes of entity/lookup entity records).
Security labels. Labels are intended for more precise access rights delimiting to certain data. For example, assigning the user access only to certain values of record attributes. Labels can be assigned to both accounts and user roles.
Basic Terms of Security Model¶
User account (user). Set of user data to identify and grant them access rights to perform certain actions in the system. An account is assigned one or more roles, as well as one or more security labels. The account owner is a system user, an official.
Role. Named set of access rights to security resources that are required to perform specific functions or tasks.
Access rights, Ability to work with security resources: create, edit, delete, read, and full rights (i.e. all possible functions). Depending on the resource type, the semantic load of rights may change.
Security label. Named set of entity/lookup entity attributes used to restrict access to entity/lookup entity records.
Concept of Working with Security Model¶
Role model must be configured if the data model is either fully or partially formed . This is caused by having to set permission rights for each role to access entities/lookup entities, and changes in the data model leading to changes in access rights.
First step of configuring the security model is creating roles that contain a specific set of access rights. Multiple roles can be assigned to the same user. Full rights are defined as a set of rights. However, if one role determines access to the object, and the other does not, this is interpreted as having rights to the object.
Then user accounts should be created and required roles assigned.
If necessary, security labels could be created for role and for user.
If the account has the “Superuser” checkbox enabled, the user can access all system features. This checkbox has a higher priority than the assigned roles and security labels.
Unidata system allows to pass the LDAP authentication procedure using data from an external lookup entity service. This feature is implemented by using a certain software product that is not included in the standard build package of the system.
Figure 1. Diagram of security role model