
User Namespace Authorization

Nate Weisz edited this page Feb 17, 2016 · 20 revisions

Authorization Model

Overview

  • Herd currently includes endpoint-level security. The Herd team is building towards a more granular security model where operations are authorized at the Namespace level.
  • All access to data in Herd will be controlled by the calling user's authorization to data in that Namespace.
    • A user will be granted permissions to READ, WRITE, EXECUTE, or GRANT data in a set of Namespaces.
      • See Authorization Model for more details
    • These authorizations restrict access to all operations including:
      • Meta-data services like reading and writing Business Object Definitions, Business Object Formats, and Business Object Data in a given Namespace
      • Other services such as Clusters, Jobs, and Notifications owned by a given Namespace
      • See Authorization Scope for more details
  • If not authorized, the services will return an appropriate HTTP error response such as 403 Forbidden
  • The Herd team will delegate administration of granular security to Data Owners for each Namespace. See Administration Model.
    • Note: this mechanism is currently implemented at the Namespace level but will likely be augmented in the future to work at a lower level such as Namespace + Business Object Definition

Example

An example user's authorization data is below. In this example, J. Smith is a member of the Analytics team that runs Jobs which read data from various Namespaces and create output in the Analytics Namespace.

  • SmithJ (reference to account in AD)
    • READ permissions to Namespaces: MARKET, OPTIONS, ETL
    • WRITE permissions to Namespaces: ANALYTICS
    • EXECUTE permissions to: ANALYTICS

Administration Model

Data Owner responsibilities

Herd will designate a Data Owner for each Namespace. This Data Owner is responsible for granting READ/WRITE/EXECUTE access to their Namespace to any applicable Users. Here are examples of what the Data Owner will perform:

  • Grant a user access to their Namespace by calling User Namespace Authorization Post for that user and indicating which permissions the user should have (READ/WRITE/EXECUTE/GRANT or any combination)
  • Modify a user's access to their Namespace by calling User Namespace Authorization Put for an existing user and passing the updated set of permissions (READ/WRITE/EXECUTE/GRANT or any combination).
    • This will replace that user's entire set of permissions to the Namespace with the set of permissions included in the PUT request
  • Delete a user's access to their Namespace by calling User Namespace Authorization Delete for an existing user.
    • This will remove all that user's permissions to the Namespace
  • Review a user's access to their Namespace by calling User Namespace Authorization Get for a user

Note: Data Owners must have the DATA_OWNER role and they must have GRANT and READ permissions on their Namespace.

End User visibility

End users can call Current User Get to view all their permissions in each Namespace where they have any permissions.

Creating a new Namespace

The following steps will take place to create a Namespace and delegate responsibility to the Data Owner:

  1. Data Owner creates new Namespace NEW_APP
  2. Herd Administrator assigns DATA_OWNER role to the Data Owner
  3. Herd Administrator grants GRANT permissions on the NEW_APP Namespace to the Data Owner
  4. Data Owner may now perform all responsibilities as listed in Data Owner Responsibilities

Authorization Scope

Authorization covers the following services as detailed below:

Business Object Data and related services

| Service | Permissions |
|---|---|
| Business Object Format CRUD services | READ and/or WRITE on Namespace of Format in request |
| Business Object Definition CRUD services | READ and/or WRITE on Namespace of BDef in request |
| Business Object Data CRUD services, including Status update | READ and/or WRITE on Namespace of BData in request |
| Availability and DDL services | READ on Namespace of BData in request |
| Availability and DDL collection services | READ on Namespace; will fail if the user is not authorized on all of the request object collection's Namespaces |

File / Storage / Permissions related services

| Service | Permissions |
|---|---|
| Upload Single Initiation service | WRITE on Namespace of both BData in request; will fail if the user is not authorized for the Namespace of either BData in request |
| Download Single Initiation service | READ on Namespace of BData in request |
| Upload and Download Credential services (including Herd Uploader/Downloader tools) | WRITE and/or READ on Namespace of BData in request |
| Credential extension service | READ on Namespace of BData in request |
| Account-Permissions mapping services | For GET service: READ on Namespace for which the request is granting permissions. For POST, PUT, DELETE services: GRANT on Namespace is required. Note: WRITE is not required, so Data Owners do not necessarily have permission to write to the Namespace for which they are granting permissions. Note: the DATA_OWNER role is also required to access any of these services. |
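As an added example (not Herd's own code), the following Python models the rules in the two tables above together with the PUT-replaces and DELETE-removes semantics from the Administration Model; the service names, the User class and the helper functions are assumptions chosen for illustration.

```python
# Added example (not Herd's own code): a model of the Namespace-level
# authorization rules on this page; service names and helpers are assumptions.
from dataclasses import dataclass, field

PERMISSIONS = {"READ", "WRITE", "EXECUTE", "GRANT"}
# service -> (permission needed on EVERY Namespace in the request, required role)
POLICY = {
    "bdata.get": ("READ", None),
    "bdata.create": ("WRITE", None),
    "availability.collection": ("READ", None),  # all Namespaces in the collection
    "upload.single.initiate": ("WRITE", None),  # both BData Namespaces
    "user_ns_auth.get": ("READ", "DATA_OWNER"),
    "user_ns_auth.post": ("GRANT", "DATA_OWNER"),
    "user_ns_auth.put": ("GRANT", "DATA_OWNER"),
    "user_ns_auth.delete": ("GRANT", "DATA_OWNER"),
}

@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)  # Namespace -> set of permissions

def put_authorization(user, namespace, perms):
    """PUT semantics: replace the user's whole permission set on the Namespace."""
    unknown = set(perms) - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    user.grants[namespace] = set(perms)

def delete_authorization(user, namespace):
    """DELETE semantics: remove all of the user's permissions on the Namespace."""
    user.grants.pop(namespace, None)

def authorize(user, service, namespaces):
    """HTTP status a Herd-style endpoint would answer: 200, or 403 Forbidden.
    Permissions do not imply one another (WRITE does not grant READ)."""
    perm, role = POLICY[service]
    if role and role not in user.roles:
        return 403
    if not namespaces:  # a request naming no Namespace gets nothing by default
        return 403
    if all(perm in user.grants.get(ns, set()) for ns in namespaces):
        return 200
    return 403

# Constructed sample: the J. Smith account from the Example section above.
smith = User("SmithJ", grants={"MARKET": {"READ"}, "OPTIONS": {"READ"},
                               "ETL": {"READ"}, "ANALYTICS": {"WRITE", "EXECUTE"}})
owner = User("OwnerA", roles={"DATA_OWNER"}, grants={"NEW_APP": {"READ", "GRANT"}})
```

Note that with the permissions exactly as listed in the Example, SmithJ cannot read ANALYTICS and cannot initiate a single upload from ETL into ANALYTICS, because WRITE is required on both Namespaces.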