Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 19 Next »

This article explains how changes to the role set files can be made to add or remove permissions to individual users. It is highly recommended to first learn about the Permission System in placeto do so head to the Permissions via Roles concept article

Table of Contents

Requirements

To work through this tutorial, the following is required:

Assigning Roles to Individual Users

When a user first logs in at the beginning of a session, he recieves a JSON Web Token in which the users' roles are listed under "authorities".

To assign individual roles to the users of the system, either an organization.xml file is evaluated in the same Organization service configuration (~/service-manager/config/organization) or an external identity provider is used, which takes over the responsibility for role assignment from the organization.xml, causing that file to no longer be evaluated. In both solutions, individual UUIDs or names of individual users are assigned to roles by their unique names as defined in the roleset.xml file.  

Example Assignment of a Role
<user>
        <name>Emil</name>
        <role>RoleEmail</role>
</user>

Trusted Mode

If an identification provider is active in your system, the role administration duties can be transferred to the organization service using Trusted mode, which can be activated by running the authentication-service using the value "trusted" in the authentication.provider parameter and the organization service using the profile "trusted".  Doing so delegates the role-user-mapping to the config/organizationService/organization.xml file, which can be modified, like any other file managed by the Configuration service, using the config git repository. 

Example organization.xml
<?xml version="1.0" encoding="utf-8"?>
<organization xmlns="http://optimal-systems.org/ns/dmscloud/organization/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://optimal-systems.org/ns/dmscloud/organization/ dmsCloud-organization.xsd">
    <user>
        <name>root</name>
        <role>AdminRole</role>
    </user>
    <user>
        <name>Emil</name>
        <role>RoleEmail</role>
    </user>
    <user>
        <name>Doris</name>
        <role>RoleDocument</role>
    </user>
    <user>
        <name>Eduard</name>
        <role>RoleEmail</role>
        <role>RoleDocument</role>
    </user>
    <user>
        <name>Edmund</name>
        <role>RoleEmailAndDocument</role>
    </user>
</organization>
</roleSet>


Adding/Removing Permissions by Directly Accessing the Config Git Repository

To make changes to the authorization system, such as to give roles new access rights or assign new roles or revoke old ones from individual users, changes must be made to the corresponding configuration files roleset.xml and organization.xml in the organization service configuration. Through syntactically correct adjustments to the existing authorization structure, such as adding new role objects in the roleset.xml or deleting a role of a user in the organization.xml, the authorization system can be changed to meet the requirements of your system. 

Because the configuration files in Kubernetes are in a git repository "system-config", changes are made effective by committing a new configuration version to this git repository. First, the current state of the git repository has to be downloaded into a local directory via git clone http://<Cluster IP>:<Git Port>/system/system-config, after which the desired changes to the respective configuration files can be made to that state of the configuration files. Then the new state of the files has to be uploaded to the config repository via git add* → git commit -m "new config"git push.

The authorization system works by using the Organization service, which is configured through the roleset.xml and organization.xml and provides information about the access rights for individual users. To tell the Organization service to retrieve its new configuration from the Config service, a POST request must be made to the /api/security/refresh endpoint of the Organization service after each configuration change. If an identity provider is used, meaning that role assignment is carried out not through the organization.xml but through an external system, and changes are made only to the role assignment inside the identity provider, the Organization service does not need to be refreshed.

Adding/Removing Permissions using the System/Admin Endpoints

To streamline the process of defining yuuvis® Momentum role sets, a number of REST endpoints are made available to retrieve the current role set structures and to to apply modifications. As seen in the permissions concept page, there are three options used to structure the role set, coming from two endpoint categories. The /system/permissions and /system/apps/{app}/permissions endpoints are both used to modify the global role set applicable to all users of the system, whereas the /admin/permissions endpoint serves to change the role set specific to the current tenant. 

Complete role set files can be supplied to one of the endpoints via an HTTP POST request, overwriting the previous role set present at that position. Thus, retrieving and extending the previous role set state using a GET request on the same endpoint is strongly recommended. New role sets can also be validated by posting them to the role set endpoint URLs using the added URL suffix /validate.    

>> Code examples in gitHub

Summary

Now that you know how you can interact with the permission system, you may want to proceed to creating a permissions file befitting your requirements. Find example permission files in the Permissions via Roles concept article


More Tutorials

Authentication against the Core API

This tutorial shows how to authenticate a Java client at the Core API. Keep reading

Permissions via Roles

Details about the structure of the Permission System, including example files. Keep reading

Access Authorization for Endpoints

Error rendering macro 'excerpt-include' : No link could be created for 'Access Authorization for Endpoints'.
 Keep reading


  • No labels