...

Modification History

Name    Date          Product Version    Action
Antje   08 FEB 2021   2.4                New page properties macro.
Antje   23 FEB 2021   2020 Winter        Replace content.
Antje   17 MAY 2021   2021 Summer        New structure.
JaR     20 FEB 2023   2021 Winter LTS    Clarification.



A yuuvis® Momentum user is authorized to use the functionality of the system by being assigned roles. For each role, permissions can be set that allow actions on objects, restricted by defined conditions where appropriate, and the usage of specific endpoints can be controlled.

...

The Core API protects documents against access by unauthorized persons through a permission system. Each user has one or more roles in this system, giving them access to various documents for specified actions. The user-role mapping manages the assignment of roles to users. In yuuvis® Momentum, this mapping is managed separately from the authentication process itself and can be configured according to the customers' needs. Furthermore, in the configuration of the yuuvis® AUTHENTICATION service, access conditions can be defined individually for each API endpoint.

Structure of the Permissions System

Roles and Role Sets

The permissions to access documents or to perform certain actions are assigned to specific roles. Users of the system are assigned to particular roles and thereby become the owners of those roles, acquiring the permissions granted by them. In general, roles are reusable groups of various permissions. Each role has a unique name and contains one or more permissions that are granted to its owners.

...

Action    Permission
create    permission to create new objects (as of 2021 Autumn)
read      permission to know about the existence of objects, to receive them in search results and to call various GET endpoints for a specific object
delete    permission to delete the content or metadata of objects for which read permission is also granted
write     permission to update objects or to move the content of objects for which read permission is also granted

Conditions

Conditions are statements in the proprietary CMIS-based query language that define the subset of documents in the system affected by a permission. If the condition is met for a document (that is, evaluating the query language expression returns 'true'), the owner of the role is granted the permission's action on that document. For example, conditions can limit a user's access to a specific object type or hide documents that are older than a specific date. The conditions are applied to all requests from the role owner and thereby act as filters on the corresponding search results.

Note: In a permission including the create action, the CONTAINS() query function cannot be used in a condition. The whole statement would always evaluate to false, even if the condition contains other sub-statements that do not use CONTAINS() and that, considered individually, would evaluate to true. Thus, it is not possible to restrict the creation of objects by a condition on their content.

The condition can also be left out – indicating that the permission applies to all documents in the system.

...

Examples for creation permissions with and without condition (XML):

<!-- This role does not grant any permission to create, update or delete any object. -->
<role>
   <name>CAN_CREATE_NOTHING</name>
</role>

<!-- This role grants creation permission for any object. No conditions have to be matched. -->
<role>
   <name>CAN_CREATE_EVERYTHING</name>
   <permission>
       <action>create</action>
   </permission>
</role>

<!-- This role grants creation permission for objects that match the condition. In this case, only objects of type 'appTable:order' or 'appEmail:email' can be created. -->
<role>
   <name>CAN_CREATE_SOMETHING</name>
   <permission>
      <action>create</action>
      <condition>
         system:objectTypeId IN ('appTable:order', 'appEmail:email')
      </condition>
   </permission>
</role>

As of 2023 Summer, conditions can reference the abac (attribute-based access control) section of the internal JWT (JSON Web Token). The following example role grants read permission for objects where at least one entry of the string list property appEmail:mailboxes is contained in the current user's @abac.mailGroups string list within the JWT.

Example for a read permission with an abac condition (XML):

<!-- This role grants read permission only for objects sharing at least one mailbox with the user's @abac.mailGroups claim. -->
<role>
   <name>CAN_READ_MAILBOXES</name>
   <permission>
      <action>read</action>
      <condition>
         appEmail:mailboxes IN @abac.mailGroups
      </condition>
   </permission>
</role>

...

An example role set (XML):
<?xml version="1.0" encoding="utf-8"?>
<roleSet xmlns="http://optimal-systems.org/ns/dmscloud/roleset/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://optimal-systems.org/ns/dmscloud/roleset/ dmsCloud-roles.xsd">
    <role>
        <name>RoleEmail</name>
        <permission>
            <action>read</action>
            <condition>system:objectTypeId = 'email:email'</condition>
        </permission>
    </role>
    <role>
        <name>RoleDocument</name>
        <permission>
            <action>read</action>
            <condition>system:objectTypeId = 'document'</condition>
        </permission>
    </role>
    <role>
        <name>RoleEmailAndDocument</name>
        <permission>
            <action>read</action>
            <condition>system:objectTypeId in ('email:email', 'document')</condition>
        </permission>
    </role>
    <role>
        <name>AdminRole</name>
        <permission>
            <action>read</action>
            <action>delete</action>
        </permission>
    </role>
</roleSet>

>> The XSD for role sets: dmsCloud-roleSet.xsd.
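The conditions, the CONTAINS() caveat for create permissions, the @abac condition and the role set above are easiest to reason about with a small checker in hand. The following Python script is an added example and is not yuuvis® Momentum code: it parses a role set in the documented roleSet/role/name/permission/action/condition structure, lints it for the pitfalls described on this page (duplicate role names, CONTAINS() inside a create condition, unconditioned write/delete permissions) and answers "may a user with these roles perform this action on this object?". It understands only the three condition shapes shown on this page (`prop = 'v'`, `prop IN ('a', 'b')`, `prop IN @abac.claim`); the real CMIS-based query language is far richer, so anything else is treated as a deny. The sample role set, the object and the abac claims are constructed for the example.

```python
"""Added example (not yuuvis Momentum code): lint a role set and decide access.
Only the condition shapes shown on the documentation page are supported;
unknown syntax fails closed (deny)."""
import re
import xml.etree.ElementTree as ET

NS = {"rs": "http://optimal-systems.org/ns/dmscloud/roleset/"}

# Constructed sample role set in the documented roleSet/role/permission structure.
ROLESET_XML = """<roleSet xmlns="http://optimal-systems.org/ns/dmscloud/roleset/">
  <role><name>RoleEmail</name>
    <permission><action>read</action>
      <condition>system:objectTypeId IN ('email:email', 'document')</condition></permission></role>
  <role><name>RoleMailbox</name>
    <permission><action>read</action>
      <condition>appEmail:mailboxes IN @abac.mailGroups</condition></permission></role>
  <role><name>RoleBadCreate</name>
    <permission><action>create</action>
      <condition>CONTAINS('invoice')</condition></permission></role>
  <role><name>AdminRole</name>
    <permission><action>read</action><action>delete</action></permission></role>
</roleSet>"""

EQ = re.compile(r"^(\S+)\s*=\s*'([^']*)'$")
IN_LIST = re.compile(r"^(\S+)\s+in\s+\((.*)\)$", re.IGNORECASE)
IN_ABAC = re.compile(r"^(\S+)\s+in\s+@abac\.(\S+)$", re.IGNORECASE)


def parse_roleset(xml_text):
    """Return [(role_name, [(actions, condition_or_None), ...]), ...] in document order."""
    roles = []
    for role in ET.fromstring(xml_text).findall("rs:role", NS):
        perms = []
        for p in role.findall("rs:permission", NS):
            actions = [a.text.strip() for a in p.findall("rs:action", NS)]
            cond = p.findtext("rs:condition", namespaces=NS)
            perms.append((actions, cond.strip() if cond and cond.strip() else None))
        roles.append((role.findtext("rs:name", namespaces=NS).strip(), perms))
    return roles


def lint_roleset(roles):
    """Findings a reviewer wants before deploying the role set (list of strings)."""
    findings, seen = [], set()
    for name, perms in roles:
        if name in seen:
            findings.append(f"{name}: duplicate role name (role names must be unique)")
        seen.add(name)
        for actions, cond in perms:
            if "create" in actions and cond and "CONTAINS(" in cond.upper():
                findings.append(f"{name}: CONTAINS() in a create condition always evaluates to false")
            for action in actions:
                if action in ("write", "delete") and cond is None:
                    findings.append(f"{name}: '{action}' without condition applies to every object")
    return findings


def evaluate(cond, obj, abac):
    """Evaluate one condition for one object; a missing condition matches every object."""
    if cond is None:
        return True
    if m := EQ.match(cond):
        return obj.get(m.group(1)) == m.group(2)
    if m := IN_LIST.match(cond):
        return obj.get(m.group(1)) in set(re.findall(r"'([^']*)'", m.group(2)))
    if m := IN_ABAC.match(cond):
        # True if at least one entry of the object's string list is in the user's @abac list.
        user_values = set(abac.get(m.group(2), []))
        return any(v in user_values for v in obj.get(m.group(1), []))
    return False  # unsupported syntax: fail closed rather than grant access


def is_allowed(roles, user_roles, action, obj, abac):
    """True if any role owned by the user grants `action` on `obj` (abac = JWT abac section)."""
    if action in ("write", "delete") and not is_allowed(roles, user_roles, "read", obj, abac):
        return False  # write/delete are granted only for objects the user may also read
    for name, perms in roles:
        if name not in user_roles:
            continue
        for actions, cond in perms:
            if action not in actions:
                continue
            if action == "create" and cond and "CONTAINS(" in cond.upper():
                continue  # the whole condition is false, as documented for create permissions
            if evaluate(cond, obj, abac):
                return True
    return False


if __name__ == "__main__":
    parsed = parse_roleset(ROLESET_XML)
    for finding in lint_roleset(parsed):
        print("LINT:", finding)
    mail = {"system:objectTypeId": "email:email", "appEmail:mailboxes": ["sales", "support"]}
    print("RoleMailbox may read:", is_allowed(parsed, ["RoleMailbox"], "read", mail, {"mailGroups": ["support"]}))
```

Run it as a pre-deployment check against the XML you are about to upload: the lint output flags the create permission that can never match and the unconditioned delete, and the access decision lets you confirm that a user whose JWT carries no abac section is denied rather than granted by a condition on @abac.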

Note: For the usage of some Additional Services, a fixed role set is required.
>> Defining Roles for a Library-based Client


User-Role Mapping

...

  • keycloak.server
  • keycloak.admin.username
  • keycloak.admin.password
Note: The roles of users control their rights regarding DMS objects, but also regarding yuuvis® Momentum administration. In the default configuration, e.g., the YUUVIS_SYSTEM_INTEGRATOR role allows editing of global configuration files such as role sets and schemata. Therefore it is essential to configure your role management software so that only system operators can assign roles that grant global rights to themselves or to other users.


Access Authorization for Endpoints

...