Access Rights Specification
Overview of Access Right Set-Up
Users may be given specific rights to access devices in the control system. Permissions to access devices are granted on a user / device basis. An introduction to the access right system can be found here.
Definition of access rights is set up in a rights file.
Setting up rights on a pure user / device basis would result in extensive, highly confusing lists that are impossible to maintain. The complexity of the set-up is reduced by two strategies.
Access Rights Specification Domains
Access rights can be granted not only to single devices, but also to all devices of a specific equipment type, to all devices in an area (an accelerator section), or to all devices of a specific equipment type in an area. Thus, for each user, rights can be granted in several domains:
- 'device': a single device, identified by its nomenclature
- 'eqmod': all devices of an equipment type, identified by the equipment type name
- 'area' and 'eqmod': all devices of the given equipment type in the given area
For 'devices' and 'eqmod', a star ('*') selects all devices or all equipment types, respectively.
The 'area' specification makes use of a particular feature of GSI's nomenclatures: the first characters of each nomenclature indicate the location of the device. E.g., the first three characters of the nomenclatures UA4MS7H and UA4MS7V indicate that both are located in the Unilac ('U'), Alvarez section ('A') number four ('4'). So specifying the start of a nomenclature easily selects all devices in one of the sections of the accelerators: 'U' selects all Unilac devices, 'UA' selects all devices in the Alvarez section, and 'UA4' selects all devices in the Alvarez 4 subsection.
Any combination of device, eqmod and area/eqmod specification can be granted to a user, identified by its operating system login name.
Access Right Item Grouping
All notions can be combined into groups. This means user names can be combined into a user group, which is then identified by its user group name. Similarly, devices can be combined into device groups, equipment types into eqmod groups, and areas into area groups. Several groups of each type can be defined. A user group, a device group, an eqmod group, and an area group may all have the same group name; they are distinguished by their group type.
When granting rights, groups can be used like single items. The rights management expands the groups and assigns the rights to each single item in the group. Groups are a very efficient way to grant identical rights to several users, and they also simplify the handling of several equipment types, several devices or several areas.
Denial of Access
Each rights specification can be negated. In this case, access to the given specification is refused. This feature makes it possible, e.g., to grant access to all devices of a given equipment type except for some specific devices or some areas.
Multiple Right Specification
For a user / device combination, several rights specifications may hold. For a device, rules in the device, equipment type, and area domains may be given, each granting a different right level. In this case, the rights are logically ORed: the highest right level granted in any of the definitions that hold for the device is granted to the user.
This may be constrained by explicit denial of access. If in any of the definitions that hold for a device access is denied for a right level, this right level is not granted to the user. This means that if one rule denies access to a device, the right level is not granted, independent of how many other rules grant access to the user.
As a result, for a given device the user is granted the highest right level which is defined in at least one of the rules and for which access is not denied by any of the rules.
Access Rights Data File
Access rights are defined in an XML file. The file is structured into two main parts. First, groups of items may be defined. Then, in a second step, access rights may be granted to user names.
Group Definition
For each of the item types 'eqmod', 'user', 'area', 'devices' (and 'name', which is currently not used), groups can be defined. The item types are indicated by the base tags <EQMOD>, <USER>, <AREA>, <DEVICES> and <NAME>.
Within each base tag, groups may be set up by the tag <group>. Each group tag must have the attribute 'name', a string defining the group's name. Within each group tag, any number of items can be added by the tag <element>.
Within each base tag, any number of groups, each containing any number of elements, may be defined.
Defining groups is demonstrated by the following examples, which set up eqmod groups, a user group, and area groups.
Example of eqmod groups:
<EQMOD>
<group name="magnets">
<element>MX</element> <!-- 19 -->
<element>MXRI</element> <!-- 28 -->
</group>
<group name="esrpluscooler">
<element>PPOS</element> <!-- 54 -->
<element>STHV</element> <!-- 55 -->
<element>IT</element> <!-- 21 -->
<element>CS</element> <!-- 22 -->
<element>FBSD</element> <!-- 24 -->
<element>ESAU</element> <!-- 39 -->
<element>CEHV</element> <!-- 47 -->
</group>
</EQMOD>
Example of a user group:
<USER>
<group name="demo">
<element>mueller</element>
<element>meier</element>
<element>krause</element>
<element>schulze</element>
</group>
</USER>
Example of area groups:
<AREA>
<group name="ionsources">
<element>ul</element>
<element>ur</element>
<element>un</element>
</group>
<group name="hfs">
<element>ts</element>
<element>hfs</element>
</group>
</AREA>
Rights Specification
The rights specification section is marked by the tag <RIGHT>. Within this tag, the rights definition for each user is marked by tags specifying the user's name. Either single user names can be given, or user groups which have to be set up beforehand in a <USER> section:
<RIGHT>
<user name="username"> ... </user>
<user group="groupname"> ... </user>
</RIGHT>
Right Level Specification
For each user tag, right levels may be specified by tags indicating the right level. Possible levels are:
<none> </none>
<read> </read>
<modify> </modify>
<localsystem> </localsystem>
<system> </system>
<admin> </admin>
See Nameserver and Access Rights for details on the right levels.
Denial of Rights
The tag <none> denies access other than read. Similarly, the optional attribute Access, set to the value denied, denies the respective access level for the specific item. This option is useful when a general access right was specified which should not hold for a subset of the items. In such a case, an additional rights specification for the subset may remove the right previously defined.
Right Domain Specification
Inside the right level tags, domains indicate for which elements the level holds. Domains may be equipment types or devices, indicated by the tags
<eqmodel>eqmodel-name</eqmodel>
<device>device nomenclature</device>
Instead of single equipment types or single device names, groups may be specified, previously defined in an <EQMOD> or <DEVICES> section.
<eqmodelgroup>eqmodel group name</eqmodelgroup>
<devicegroup>device nomenclature group name</devicegroup>
Additionally, equipment types may be restricted to an area of the accelerator (see here) by the attribute area. The additional attribute areatype, set to group (area="name of area group" areatype="group"), indicates that the area restriction applies to each element of the given group, previously defined in an <AREA> section:
<eqmodel area="area name">eqmodel-name</eqmodel>
<device area="area name">device nomenclature</device>
<eqmodelgroup area="area name">eqmodel group name</eqmodelgroup>
<devicegroup area="area name">device nomenclature group name</devicegroup>
<eqmodel area="area group name" areatype="group">eqmodel-name</eqmodel>
<device area="area group name" areatype="group">device nomenclature</device>
<eqmodelgroup area="area group name" areatype="group">eqmodel group name</eqmodelgroup>
<devicegroup area="area group name" areatype="group">device nomenclature group name</devicegroup>
Example of Right Specification
An example of a valid right specification is given here:
<RIGHT>
<user group="ionsource">
<modify>
<eqmodelgroup>ionsource</eqmodelgroup>
</modify>
<localsystem>
<eqmodelgroup area="ionsources" areatype="group">diagnostics</eqmodelgroup>
</localsystem>
</user>
</RIGHT>
Example of Allowing Access to Certain SEs
An example of a valid right specification is given here:
<RIGHT>
<user group="sishf">
<localsystem>
<device>KE3CS045</device>
<device>KE3CS046</device>
</localsystem>
</user>
</RIGHT>
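To make the evaluation rules of the "Multiple Right Specification" section and the file layout above concrete, here is an added example evaluator in Python. It is not part of the control system's own software: it parses a rights file of the described layout, expands user, eqmod, device and area groups into flat rules, and returns the effective right level for a user / device / equipment-type triple as the highest level granted by at least one rule and denied by none. Assumptions not taken from the page are the enclosing root element <rights>, the constructed sample names and nomenclatures, the case-insensitive prefix matching of areas against nomenclatures, and the reading of <none> as "read stays allowed, every higher level is denied".

```python
# Added example (not the control system's own code): parse a rights file of
# the layout described above and compute the effective right level for a
# user / device pair.  The root element <rights>, the sample names, the
# case-insensitive area prefix matching and the reading of <none> are assumptions.
import xml.etree.ElementTree as ET
from collections import namedtuple

LEVELS = ["none", "read", "modify", "localsystem", "system", "admin"]  # ascending
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
ABOVE_READ = frozenset(LEVELS[RANK["modify"]:])

# Constructed sample rights file (assumed root element <rights>).
SAMPLE_RIGHTS = """<rights>
  <EQMOD><group name="magnets"><element>MX</element><element>MXRI</element></group></EQMOD>
  <USER><group name="demo"><element>mueller</element><element>meier</element></group></USER>
  <AREA><group name="unilac"><element>ua</element><element>ul</element></group></AREA>
  <RIGHT>
    <user group="demo">
      <read><eqmodel>*</eqmodel></read>
      <modify><eqmodelgroup area="unilac" areatype="group">magnets</eqmodelgroup></modify>
    </user>
    <user name="mueller">
      <localsystem><device>UA4MS7H</device></localsystem>
      <modify><device Access="denied">UL1MX3</device></modify>
    </user>
    <user name="schulze">
      <none><eqmodel>*</eqmodel></none>
      <system><device>KE3CS045</device></system>
    </user>
  </RIGHT>
</rights>"""

# kind is "device" or "eqmod"; value is a nomenclature, an equipment type or "*";
# areas is a tuple of nomenclature prefixes or None (no area restriction).
Rule = namedtuple("Rule", "user level kind value areas denied")


def _load_groups(root, base_tag):
    """Collect the <group name=...> definitions below one base tag."""
    groups = {}
    for base in root.iter(base_tag):
        for grp in base.findall("group"):
            groups[grp.get("name")] = [e.text.strip() for e in grp.findall("element") if e.text]
    return groups


class RightsFile:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.eqmod_groups = _load_groups(root, "EQMOD")
        self.user_groups = _load_groups(root, "USER")
        self.area_groups = _load_groups(root, "AREA")
        self.device_groups = _load_groups(root, "DEVICES")
        self.rules = self._flatten(root)

    def _areas(self, dom):
        area = dom.get("area")
        if area is None:
            return None
        return tuple(self.area_groups.get(area, ())) if dom.get("areatype") == "group" else (area,)

    def _targets(self, dom):
        text = (dom.text or "").strip()
        if dom.tag == "eqmodel":
            return [("eqmod", text)]
        if dom.tag == "device":
            return [("device", text)]
        if dom.tag == "eqmodelgroup":
            return [("eqmod", v) for v in self.eqmod_groups.get(text, [])]
        if dom.tag == "devicegroup":
            return [("device", v) for v in self.device_groups.get(text, [])]
        raise ValueError(f"unknown domain tag <{dom.tag}>")

    def _flatten(self, root):
        """Expand user, item and area groups into one flat rule per item."""
        rules = []
        for right in root.iter("RIGHT"):
            for user_el in right.findall("user"):
                name = user_el.get("name")
                users = [name] if name is not None else self.user_groups.get(user_el.get("group"), [])
                for level_el in user_el:
                    if level_el.tag not in RANK:
                        raise ValueError(f"unknown right level <{level_el.tag}>")
                    for dom in level_el:
                        areas = self._areas(dom)
                        denied = (dom.get("Access") or "").lower() == "denied"
                        for kind, value in self._targets(dom):
                            rules += [Rule(u, level_el.tag, kind, value, areas, denied) for u in users]
        return rules

    @staticmethod
    def _matches(rule, user, device, eqmod):
        if rule.user != user:
            return False
        target = device if rule.kind == "device" else eqmod
        if rule.value != "*" and rule.value.upper() != target.upper():
            return False
        if rule.areas is None:
            return True
        # Area = leading characters of the nomenclature (assumed case-insensitive).
        return any(device.upper().startswith(a.upper()) for a in rule.areas)

    def effective_level(self, user, device, eqmod):
        """Highest level granted by at least one matching rule and denied by none."""
        granted, denied = set(), set()
        for rule in self.rules:
            if not self._matches(rule, user, device, eqmod):
                continue
            if rule.level == "none":      # interpreted as read-only: deny all levels above read
                granted.add("read")
                denied |= ABOVE_READ
            elif rule.denied:
                denied.add(rule.level)
            else:
                granted.add(rule.level)
        allowed = granted - denied
        return max(allowed, key=RANK.get) if allowed else "none"
```

With the constructed file, mueller gets localsystem on UA4MS7H (OR of read, modify via the magnets group in the unilac area, and the explicit localsystem rule), but only read on UL1MX3, because the Access="denied" rule on that device removes the modify level regardless of the group rule that grants it; schulze's <none> rule caps the explicit system grant on KE3CS045 at read.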