Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Page Properties
hiddentrue
idDONE

Product Version
Report Note
Assignee

Resources & Remarks

Modification History

NameDateProduct VersionAction
Antje08 FEB 20212.4New page properties macro.
Antje23 FEB 20212020 WinterReplace content.
Antje17 MAY 20212021 Summernew structure



Excerpt

A yuuvis® Momentum user might be not authorized to use the full functionality of the system. Permissions can be set for users to allow or prohibit actions on objects of various types or the usage of specific endpoints.


Section
bordertrue


Column

Table of Contents

Table of Contents
exclude(Table of Contents|Read on|Assigning Roles to Users|Permissions via Roles|Access Authorization for Endpoints|Another interesting Tutorial|Ressources|Remarks)

...

Configuration of Microservices using Profiles|Managing Permissions)



Introduction

The Core API protects documents against access by unauthorized persons through a permission system. Each user has one or more roles in this system, giving them access to various documents for specified actions. The user-role-mapping is managed separately.

>> Permissions via Roles

User-Role-Mapping

The user-role-mapping manages the assignment of roles to users. In yuuvis® Momentum, this mapping is managed separately from the authentication process itself and can be configured according to the customers' needs. Per default Furthermore, in the ORGANIZATION service is used, which can either read the information from a configuration file ("trusted") or request configuration of yuuvis® AUTHENTICATION service, access conditions can be defined individually for each API endpoint.

Structure of the Permissions System

Roles and Role Sets

The permissions to access documents or to perform certain actions are assigned to specific roles. Users of the system are assigned to particular roles, and through those role assignments acquire the permissions neededthey become the owner of the roles. In general, roles are reusable groups of various permissions. Each role has a unique name and contains one or more permissions that are granted to the owners.

Permissions

Permissions denote access rights to certain objects and are assigned to a role. A permission consists of one or more actions and, optionally, a condition. The condition defines which objects are allowed to be managed by owners of a role with the permission, whereas actions define what procedures are allowed upon meeting the condition. In other words if a user tries to access an object, the authorization system will go through that users roles to see if one of the conditions within his permissions is met by the object. If the object meets the condition of one of the users permissions, the user will be able to work with the object according to the actions defined by that permission. 

Actions

The actions of a permission specify access rights for specific purposes, whereby a distinction is currently made between read access, delete access and write access. The actions can be combined by simply adding multiple actions to the permission.

readpermission to receive objects in search results and to call various GET endpoints to a special object
deletepermission to delete objects content or metadata
writepermission to update objects or to move the content of objects

Conditions

Conditions are statements in the proprietary CMIS-based query language that define the subset of documents in the system affected by a permission. If the condition for a document is met (meaning evaluating the query language expression returns 'true'), the owner of the role gets to access that document. For example, conditions can limit access to a permission to a specific type of object or hide documents that are older than a specific date from a user. The conditions are appended to all requests from the role owner and thereby act as filters for the corresponding search results. 

The condition can also be left out - indicating that the permission applies to all documents in the system.

Endpoints for Managing Permissions

The following endpoints are available for setting up and managing your tenant-specific permissions system:

  • Retrieve the tenants role setGET /api/admin/permissions
  • Update the tenants role setPOST /api/admin/permissions
  • Validate the tenants role setPOST /api/admin/permissions/validate

For system administrators, the following endpoints are available for managing the global permissions system:

  • Retrieve the global role setGET /api/system/permissions
  • Update the global role setPOST /api/system/permissions
  • Validate the global role setPOST /api/system/permissions/validate

Since version 2.4, Momentum has the ability to further structure the global role set into applications. This goes hand in hand with the usage of application schemas, as the new functionality is meant to exclude any roleset entries related to an optional application schema from the main global roleset.

  • Retrieve a global application role setGET /api/system/apps/{app}/permissions
  • Update a global application role setPOST /api/system/apps/{app}/permissions
  • Validate a global application role setPOST /api/system/apps/{app}/permissions/validate

To streamline the process of defining yuuvis® Momentum role sets, a number of REST endpoints are made available to retrieve the current role set structures and to apply modifications. As seen in the permissions concept page, there are three options used to structure the role set, coming from two endpoint categories. The /system/permissions and /system/apps/{app}/permissions endpoints are both used to modify the global role set applicable to all users of the system, whereas the /admin/permissions endpoint serves to change the role set specific to the current tenant. 

Complete role set files can be supplied to one of the endpoints via an HTTP POST request, overwriting the previous role set present at that position. Thus, retrieving and extending the previous role set state using a GET request on the same endpoint is strongly recommended. New role sets can also be validated by posting them to the role set endpoint URLs using the added URL suffix /validate.    

>> Code examples in gitHub

Role Administration

Defining Roles

The roles are defined in role sets. Each role set is stored via the CONFIG service in a file roleset.xml that should only be changed using the above listed endpoints.

A role has a name and a list of permissions. Each permission can have one or more actions: read, delete and write. Additionally, they can be restricted by a condition.

Example: a read-permission with the condition system:objectTypeId = 'email' allows to receive all objects of type 'email' in search results and to call various GET endpoints for this type of objects.

Code Block
languagexml
titleAn example role set
collapsetrue
<?xml version="1.0" encoding="utf-8"?>
<roleSet xmlns="http://optimal-systems.org/ns/dmscloud/roleset/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://optimal-systems.org/ns/dmscloud/roleset/ dmsCloud-roles.xsd">
    <role>
        <name>RoleEmail</name>
        <permission>
            <action>read</action>
            <condition>system:objectTypeId = 'email:email'</condition>
        </permission>
    </role>
    <role>
        <name>RoleDocument</name>
        <permission>
            <action>read</action>
            <condition>system:objectTypeId = 'document'</condition>
        </permission>
    </role>
    <role>
        <name>RoleEmailAndDocument</name>
        <permission>
            <action>read</action>
            <condition>system:objectTypeId in ('email:email', 'document')</condition>
        </permission>
    </role>
    <role>
        <name>AdminRole</name>
        <permission>
            <action>read</action>
            <action>delete</action>
        </permission>
    </role>
</roleSet>

>> The XSD for role sets: dmsCloud-roleSet.xsd.

Anchor
mapping
mapping

User-Role-Mapping

When users log in at the beginning of a session and are successfully authenticated by the identity provider, a JSON Web Token is generated in which the users' roles are listed under authorities. The GET user.info webhook is responsible for providing the users' roles. By customizing the webhook, it is possible to connect any access management provider delivering the users' roles in a suitable format. Per default, the webhook calls the ORGANIZATION service that is responsible for providing the role information.

To assign individual roles to the users of the system, an external identity provider is used, which takes over the responsibility for role assignment. Per default, the ORGANIZATION service reads the profile keycloak and thus requests the information from the identity provider Keycloak.

>> Assigning Roles to Users

...

In order to run the ORGANIZATION service in Keycloak mode, the keycloak profile has to be activated and the following connection parameters in the profile application-oauth2.yml are required:

  • keycloak.server
  • keycloak.admin.username
  • keycloak.admin.password

Access Authorization for Endpoints

The yuuvis® authentication AUTHENTICATION service decides for each API request of any user if the access is granted or not. In its configuration, the access conditions can be defined individually for each API endpoint. Thus, permissions in yuuvis® Momentum can be set not only for types of actions and the usage of specific object types, but also directly for API endpoints. It is even possible to allow the usage of an API endpoint for callers without authentication.

>> Access Authorization for EndpointsAUTHENTICATION Service

Summary

This article explained the role-based structure of the permission system provided by the Core API. The global and the tenant-specific role set can be changed via the corresponding endpoints. The user-role-mapping can be managed in Keycloak. The access authentication for individual yuuvis® API endpoints can be configured via the AUTHENTICATION service.

Info
iconfalse

Read on

Section


Column
width25%
Permissions via

Assigning Roles to Users

Insert excerpt
Permissions via
Assigning Roles to Users
Permissions via
Assigning Roles to Users
nopaneltrue
 Keep reading


Column
width25%
Assigning Roles to Users

Access Authorization for Endpoints

Assigning Roles to Users

Insert excerpt
Assigning Roles to Users
Access Authorization for Endpoints
Access Authorization for Endpoints
nopaneltrue
 Keep reading


Column
width25%
Access Authorization for Endpoints

Configuring Services using Profiles

Insert excerpt
Access Authorization for EndpointsAccess Authorization for EndpointsConfiguring Services using Profiles
Configuring Services using Profiles
nopaneltrue
 Keep reading