Access Rights Specification

Overview of Access Right Set-Up

Users may be given specific rights to access devices in the control system. Permissions to access devices are granted on a user / device basis. An introduction to the access right system can be found here.

Definition of access rights is set up in a rights file.

Compaction of Set-Up Information

Setting up rights on a user / device basis would result in highly confusing, extensive lists that are impossible to maintain. The complexity of the set-up is reduced by two strategies: specification domains and item grouping.

Access Rights Specification Domains

Access rights can be granted not only to single devices, but also to all devices of a specific equipment type, to all devices in an area (an accelerator section), or to all devices of a specific equipment type in an area. Thus, for each user, rights can be granted in several domains:
'device'
a single device, identified by its nomenclature
'eqmod'
all devices of an equipment type, identified by the equipment type name
'area' and 'eqmod'
all devices of the given equipment type in the given area

For 'device' and 'eqmod', a star ('*') selects all devices or all equipment types, respectively.

The 'area' specification makes use of a specific feature of GSI's nomenclatures: the first characters of each nomenclature indicate the location of the device. E.g., the first three characters of the nomenclatures UA4MS7H and UA4MS7V indicate that both are located in the Unilac ('U'), Alvarez section ('A') number four ('4'). So specifying the start of the nomenclature easily selects all devices in one section of the accelerators: 'U' selects all Unilac devices, 'UA' all devices in the Alvarez section, and 'UA4' all devices in the Alvarez 4 subsection. Since an area is a prefix of the nomenclature, a shorter area string always covers everything that a longer string starting with it covers, so choose the prefix as long as the intended section requires.

Any combination of device, eqmod and area/eqmod specifications can be granted to a user, who is identified by his or her operating system login name.

Access Right Item Grouping

All notions can be combined into groups. This means that user names can be combined into a user group, which is then identified by its group name. Similarly, devices can be combined into device groups, equipment types into eqmod groups, and areas into area groups. Several groups of each type can be defined. A user group, a device group, an eqmod group, and an area group may all have the same group name; they are distinguished by their group type.

When granting rights, groups can be used like single items. The rights management expands the groups and assigns the rights to each single item in the group. Groups are a very efficient way to grant identical rights to several users, as well as simplifying the handling of several equipment types, several devices or several areas.

Denial of Access

Each rights specification can be negated. In this case, access to the given specification is refused. This makes it possible, e.g., to grant access to all devices of a given equipment type except for some specific devices or some areas.

Multiple Right Specification

For a user / device combination, several rights specifications may hold. For a device, rules in the device, equipment type, and area domains may be given, each granting a different right level. In this case, the rights are logically ORed: the highest right level granted in any of the definitions matching the device is granted to the user.

This may be constrained by explicit denial of access. If in any of the definitions which hold for a device access is denied for a right level, this right level is not granted to the user. This means that if one rule denies a right level for a device, that level is not granted, no matter how many other rules grant it to the user.

As a result, for a given device the user is granted the highest right level which is defined in at least one of the matching rules and which is not denied by any of the matching rules.

Access Rights Data File

Access rights are defined in an XML file. The file is structured into two main areas. First, groups of items may be defined. Then, in a second step, access rights are granted to user names.

Group Definition

For each of the item types 'eqmod', 'user', 'area', 'devices' (and 'name', which is currently not used), groups can be defined. The item types are indicated by the base tags <EQMOD>, <USER>, <AREA>, <DEVICES> and <NAME>.

Within each base tag, groups are set up by the tag <group>. Each group tag must have the attribute 'name', a string defining the group's name. Within each group tag, any number of items can be added by the tag <element>.

Within each base tag, any number of groups, containing any number of elements, may be defined.

Defining groups is demonstrated by the following examples, which set up eqmod groups, a user group, and area groups.

Example of eqmod groups:
   <EQMOD>
      <group name="magnets">
         <element>MX</element>        <!-- 19 -->
         <element>MXRI</element>      <!-- 28 -->
      </group>
      <group name="esrpluscooler">
         <element>PPOS</element>      <!-- 54 -->
         <element>STHV</element>      <!-- 55 -->
         <element>IT</element>        <!-- 21 -->
         <element>CS</element>        <!-- 22 -->
         <element>FBSD</element>      <!-- 24 -->
         <element>ESAU</element>      <!-- 39 -->
         <element>CEHV</element>      <!-- 47 -->
      </group>
   </EQMOD>

Example of a user group:
   <USER>
      <group name="demo">
         <element>mueller</element>
         <element>meier</element>
         <element>krause</element>
         <element>schulze</element>
      </group>
   </USER>

Example of an area group:
   <AREA>
      <group name="ionsources">
         <element>ul</element>
         <element>ur</element>
         <element>un</element>
      </group>
      <group name="hfs">
         <element>ts</element>
         <element>hfs</element>
      </group>
   </AREA>

Rights Specification

The rights specification section is marked by the tag <RIGHT>. Within this tag, the rights definition for each user is marked by tags specifying the user's name. Either single user names can be given, or user groups, which have to be set up beforehand in a <USER> section:

<RIGHT>
  <user name="username"> ... </user>
  <user group="groupname"> ... </user>
</RIGHT>

Right Level Specification

For each user tag, right levels are specified by tags named after the right level. Possible levels are
  <none>         </none>
  <read>         </read>
  <modify>       </modify>
  <localsystem>  </localsystem>
  <system>       </system>
  <admin>        </admin>
See Nameserver and Access Rights for right levels details.

Denial of Rights

The tag <none> denies access other than read. Similarly, the optional attribute Access, set to the value denied, denies the respective access level for the specific item. This option is useful when a general access right was specified which should not hold for a subset of the items; in that case an additional rights specification for the subset removes the right previously granted.

Right Domain Specification

Inside the right level tags, domain tags indicate for which elements the level holds. Domains may be equipment types or devices, indicated by the tags
  <eqmodel>eqmodel-name</eqmodel>
  <device>device nomenclature</device>

Instead of single equipment types or single device names, groups may be specified, as previously defined in an <EQMOD> or <DEVICES> section:
  <eqmodelgroup>eqmodel group name</eqmodelgroup>
  <devicegroup>device nomenclature group name</devicegroup>

Additionally, equipment types may be restricted to an area of the accelerator (see Access Rights Specification Domains above) by the attribute area. The additional attribute areatype, set to group (area="name of area group" areatype="group"), indicates that the restriction applies to each element of the given group, previously defined in an <AREA> section:
  <eqmodel area="area name">eqmodel-name</eqmodel>
  <device  area="area name">device nomenclature</device>
  <eqmodelgroup area="area name">eqmodel group name</eqmodelgroup>
  <devicegroup  area="area name">device nomenclature group name</devicegroup>

  <eqmodel area="area group name" areatype="group">eqmodel-name</eqmodel>
  <device  area="area group name" areatype="group">device nomenclature</device>
  <eqmodelgroup area="area group name" areatype="group">eqmodel group name</eqmodelgroup>
  <devicegroup  area="area group name" areatype="group">device nomenclature group name</devicegroup>

Example of Right Specification

An example of a valid right specification is given here:
   <RIGHT>
      <user group="ionsource">
         <modify>
            <eqmodelgroup>ionsource</eqmodelgroup>
         </modify>
         <localsystem>
            <eqmodelgroup area="ionsources" areatype="group">diagnostics</eqmodelgroup>
         </localsystem>
      </user>
   </RIGHT>

Example of Allowing Access to Certain SEs

An example of a valid right specification is given here:
<RIGHT>
    <user group="sishf">
        <localsystem>
            <device>KE3CS045</device>
            <device>KE3CS046</device>
        </localsystem>
    </user>
</RIGHT>
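The following Python script is an added example, not part of this topic or of the GSI rights management. It parses a rights file of the structure described above (group sections followed by a <RIGHT> section), expands user, eqmod, device and area groups, applies the prefix rule for areas and evaluates the "highest granted level not denied by any matching rule" resolution from Multiple Right Specification, including Access="denied" and <none>. It also checks the file for references to groups that were never defined: such a reference matches nothing, so a misspelt denial would silently fail to deny. Assumptions: the <ACCESS> root tag, the sample rights file, the device nomenclatures, equipment-type and user names are constructed for illustration; the device-to-equipment-type mapping is supplied by the caller (in the real system it comes from the nameserver, not from the rights file); area prefixes are compared case-insensitively because the area examples above are lower case while nomenclatures are upper case; and <none> is read literally as leaving read and denying every level above it.

```python
import xml.etree.ElementTree as ET

# Right levels in ascending order, as listed on this page.
LEVELS = ["none", "read", "modify", "localsystem", "system", "admin"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Constructed sample rights file (assumption: an <ACCESS> wrapper root). Nomenclatures,
# equipment types and user names are invented. Note the misspelt group "sensitiv".
RIGHTS_XML = """<ACCESS>
  <EQMOD><group name="diagnostics"><element>PPOS</element><element>IT</element></group></EQMOD>
  <USER><group name="ionsource"><element>mueller</element><element>meier</element></group></USER>
  <AREA><group name="ionsources"><element>ul</element><element>ur</element><element>un</element></group></AREA>
  <DEVICES><group name="sensitive"><element>UA4MS7H</element></group></DEVICES>
  <RIGHT>
    <user group="ionsource">
      <modify><eqmodel>MX</eqmodel></modify>
      <localsystem><eqmodelgroup area="ionsources" areatype="group">diagnostics</eqmodelgroup></localsystem>
      <modify><devicegroup Access="denied">sensitive</devicegroup></modify>
    </user>
    <user name="krause">
      <admin><eqmodel area="UA4">MX</eqmodel></admin>
      <admin><devicegroup Access="denied">sensitiv</devicegroup></admin>
      <system><eqmodel>IT</eqmodel></system>
      <none><device>TK3IT2</device></none>
    </user>
  </RIGHT>
</ACCESS>"""


def load_groups(root):
    """Collect {section: {group name: [elements]}} for the four group sections."""
    groups = {kind: {} for kind in ("EQMOD", "USER", "AREA", "DEVICES")}
    for kind in groups:
        for section in root.iter(kind):
            for g in section.findall("group"):
                groups[kind][g.get("name")] = [e.text.strip() for e in g.findall("element")]
    return groups


def validate(root, groups):
    """Report references to undefined groups and unknown level tags (they match nothing)."""
    problems = []
    for user in root.iter("user"):
        if user.get("group") is not None and user.get("group") not in groups["USER"]:
            problems.append(f"undefined user group {user.get('group')!r}")
        for level in user:
            if level.tag not in RANK:
                problems.append(f"unknown right level <{level.tag}>")
                continue
            for dom in level:
                name = (dom.text or "").strip()
                if dom.tag == "eqmodelgroup" and name not in groups["EQMOD"]:
                    problems.append(f"undefined eqmod group {name!r} in <{level.tag}>")
                if dom.tag == "devicegroup" and name not in groups["DEVICES"]:
                    problems.append(f"undefined device group {name!r} in <{level.tag}>")
                if dom.get("areatype") == "group" and dom.get("area") not in groups["AREA"]:
                    problems.append(f"undefined area group {dom.get('area')!r} in <{level.tag}>")
    return problems


def _matches(dom, device, eqmod, groups):
    """Does one domain element (with optional area restriction) cover this device?"""
    name = (dom.text or "").strip()
    if dom.tag == "eqmodel":
        hit = name in ("*", eqmod)
    elif dom.tag == "eqmodelgroup":
        hit = eqmod in groups["EQMOD"].get(name, [])
    elif dom.tag == "device":
        hit = name in ("*", device)
    elif dom.tag == "devicegroup":
        hit = device in groups["DEVICES"].get(name, [])
    else:
        return False
    area = dom.get("area")
    if hit and area is not None:
        areas = groups["AREA"].get(area, []) if dom.get("areatype") == "group" else [area]
        # Area = prefix of the nomenclature; case-insensitive comparison is an assumption.
        hit = any(device.upper().startswith(a.upper()) for a in areas)
    return hit


def effective_level(root, groups, user, device, eqmod):
    """Highest level granted by at least one matching rule and denied by none."""
    granted, denied = set(), set()
    for user_el in root.iter("user"):
        members = [user_el.get("name")] if user_el.get("name") else groups["USER"].get(user_el.get("group"), [])
        if user not in members:
            continue
        for level in user_el:
            if level.tag not in RANK:
                continue
            for dom in level:
                if not _matches(dom, device, eqmod, groups):
                    continue
                if level.tag == "none":              # <none>: read stays, everything above is denied
                    granted.add("read")
                    denied.update(LEVELS[RANK["modify"]:])
                elif (dom.get("Access") or dom.get("access")) == "denied":
                    denied.add(level.tag)
                else:
                    granted.add(level.tag)
    allowed = granted - denied
    return max(allowed, key=RANK.get) if allowed else None


ROOT = ET.fromstring(RIGHTS_XML)
GROUPS = load_groups(ROOT)


def check(user, device, eqmod):
    """Evaluate against the constructed sample; eqmod would come from the nameserver."""
    return effective_level(ROOT, GROUPS, user, device, eqmod)


if __name__ == "__main__":
    for p in validate(ROOT, GROUPS):
        print("WARNING:", p)
    print(check("mueller", "UA4MS7V", "MX"), check("mueller", "UA4MS7H", "MX"), check("krause", "UA4MS7H", "MX"))
```

Run against the sample, the validator reports the undefined device group 'sensitiv', and the evaluation shows the consequence: mueller gets modify on UA4MS7V but nothing on UA4MS7H (the correctly spelt denial wins), whereas krause keeps admin on UA4MS7H because the misspelt denial never matched. Running such a check before installing a new rights file catches exactly the kind of typo that turns an intended restriction into an unrestricted grant.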
Topic revision: r12 - 21 May 2012, UdoKrause