Role Based Access Control
The Service Layer authorization model is based on role-based access control (RBAC). Roles and policies are defined for each service and determine the access privileges a user or a group of users has in the system. RBAC is made up of four elements:
- Roles: Bring users, groups and policies together. A role defines what its users can do with a resource.
- Users: Principal that is requesting access to a resource.
- Policies: List of rules that defines access to a resource.
- Resources: Things you want to grant access to.
Security
Service Layer allows data exchange between OIPA and third-party systems by implementing a secure authentication and authorization process. Authorization requires a user to hold a specific role to access a secured resource such as a User or Security Group. These roles are persisted both in the container security of the application administration server and in the OIPA database, so a user calling the APIs must be authorized by Container Security and by Database Security.
Role Definition for Service Layer
The roles defined for Service Layer are per service rather than per resource: each service defines the roles required to access it. For instance, the Policy Service defines the roles used for the Segments and Roles within a policy; these are not defined per resource or entity, because segments and policy roles cannot be accessed outside the context of a policy.
Table - Role Description
Role Name | Role Description | Role Privilege | Role Association |
---|---|---|---|
SL_ADMIN | Service Layer Administrator | Permit All | All Services |
POLICY_READ | Policy Read Access | GET | Policy |
POLICY_CREATE | Policy Write Access For Create | POST | Policy |
POLICY_UPDATE | Policy Write Access For Update | PUT | Policy |
CLIENT_READ | Client Read Access | GET | Client |
CLIENT_CREATE | Client Write Access For Create | POST | Client |
CLIENT_UPDATE | Client Write Access For Update | PUT | Client |
CASE_READ | Case Read Access | GET | Case |
CASE_CREATE | Case Write Access For Create | POST | Case |
CASE_UPDATE | Case Write Access For Update | PUT | Case |
GROUPCUSTOMER_READ | Customer Read Access | GET | Customer |
GROUPCUSTOMER_CREATE | Customer Write Access For Create | POST | Customer |
GROUPCUSTOMER_UPDATE | Customer Write Access For Update | PUT | Customer |
GROUPCUSTOMER_DELETE | Customer Delete Access | DELETE | Customer |
CLIENTRELATIONSHIP_READ | Client Relationship Read Access | GET | Client Relationship |
CLIENTRELATIONSHIP_CREATE | Client Relationship Write Access For Create | POST | Client Relationship |
CLIENTRELATIONSHIP_UPDATE | Client Relationship Write Access For Update | PUT | Client Relationship |
QUERY_READ | Query Read Access | GET | Query |
QUERY_CREATE, QUERY_UPDATE | Query Write Access | POST | Query |
COMPANY_READ | Company Read Access | GET | Company |
PRODUCT_READ | Product Read Access | GET | Product |
PLAN_READ | Plan Read Access | GET | Plan |
SEGMENT_READ | Segment Read Access | GET | Segment |
SEGMENT_CREATE | Segment Write Access For Create | POST | Segment |
SEGMENT_UPDATE | Segment Write Access For Update | PUT | Segment |
ROLE_READ | Role Read Access | GET | Role |
ROLE_CREATE | Role Write Access For Create | POST | Role |
ROLE_UPDATE | Role Write Access For Update | PUT | Role |
SEGMENTROLE_READ | Segment Role Read Access | GET | Segment Role |
SEGMENTROLE_CREATE | Segment Role Write Access For Create | POST | Segment Role |
SEGMENTROLE_UPDATE | Segment Role Write Access For Update | PUT | Segment Role |
REQUIREMENT_READ | Requirement Read Access | GET | Requirement |
REQUIREMENT_CREATE | Requirement Write Access For Create | POST | Requirement |
REQUIREMENT_UPDATE | Requirement Write Access for Update | PUT | Requirement |
IMPAIRMENT_READ | Impairment Read Access | GET | Impairment |
ADDRESS_READ | Address Read Access | GET | Address |
ADDRESS_CREATE | Address Write Access For Create | POST | Address |
ADDRESS_UPDATE | Address Write Access For Update | PUT | Address |
PHONE_READ | Phone Read Access | GET | Phone |
PHONE_CREATE | Phone Write Access For Create | POST | Phone |
PHONE_UPDATE | Phone Write Access For Update | PUT | Phone |
DOMAINS_READ | Domains Read Access | GET | Domains |
DOMAINS_CREATE | Domains Write Access For Create | POST | Domains |
DOMAINS_UPDATE | Domains Write Access For Update | PUT | Domains |
DOMAINS_DELETE | Domains Delete Access | DELETE | Domains |
USER_READ | User Read Access | GET | User |
USER_CREATE | User Write Access For Create | POST | User |
USER_UPDATE | User Write Access For Update | PUT | User |
USER_DELETE | User Delete Access | DELETE | User |
SECURITYGROUP_READ | Security Group Read Access | GET | SECURITY GROUPS |
SECURITYGROUP_CREATE | Security Group Write Access For Create | POST | SECURITY GROUPS |
SECURITYGROUP_DELETE | Security Group Delete Access | DELETE | SECURITY GROUPS |
USERSECURITYGROUP_READ | User Security Group Read Access | GET | USER SECURITY GROUPS |
USERSECURITYGROUP_DELETE | User Security Group Delete Access | DELETE | USER SECURITY GROUPS |
SL_ADMIN | An administrative privilege which provides the access for FileReceived SOAP web service | POST | FileReceived |
SL_ADMIN | An administrative privilege which provides the access for ExposedComputation SOAP web service | POST | ExposedComputation |
SL_ADMIN | An administrative privilege which provides the access for ProcessPolicy SOAP web service | PUT | ProcessPolicy |
OUTBOUNDAPPLICATION_READ | Get details of given application id and its corresponding security | GET | Downstream Message Push |
OUTBOUNDAPPLICATION_CREATE | POST the details of downstream applications and its security | POST | Downstream Message Push |
OUTBOUNDAPPLICATION_UPDATE | Updates the details of outbound application security | PUT | Downstream Message Push |
OUTBOUNDAPPLICATION_DELETE | Deletes the details of outbound application security | DELETE | Downstream Message Push |
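The following is an added illustration, not code from OIPA or the Service Layer, of how the role model above turns into a deny-by-default authorization decision. It reproduces a handful of rows from the role table as (HTTP method, service) privileges, treats SL_ADMIN as permit-all, and models the requirement that a caller be authorized by both Container Security and Database Security by honouring only roles present in both stores. The `Principal` class, `ROLE_PRIVILEGES` mapping and the intersection semantics for the two role stores are assumptions made for this example; the page does not specify how the two checks are combined.

```python
"""Deny-by-default RBAC decision for a per-service role model (constructed example)."""
from dataclasses import dataclass

PERMIT_ALL = "*"

# Role -> set of (HTTP method, service association) privileges.
# Constructed from a subset of the page's role table; not the product's own configuration.
ROLE_PRIVILEGES = {
    "SL_ADMIN": {(PERMIT_ALL, PERMIT_ALL)},      # "Permit All" across all services
    "POLICY_READ": {("GET", "Policy")},
    "POLICY_CREATE": {("POST", "Policy")},
    "POLICY_UPDATE": {("PUT", "Policy")},
    "SEGMENT_READ": {("GET", "Segment")},
    "QUERY_READ": {("GET", "Query")},
    "QUERY_CREATE": {("POST", "Query")},        # table lists both query write roles against POST
    "QUERY_UPDATE": {("POST", "Query")},
    "USER_DELETE": {("DELETE", "User")},
}


@dataclass(frozen=True)
class Principal:
    """Caller identity with roles as seen by each of the two security stores (assumed shape)."""
    name: str
    container_roles: frozenset  # roles granted in the application server's container security
    database_roles: frozenset   # roles granted in the OIPA database

    def effective_roles(self):
        # A role only counts when both stores grant it; a role present in just one store
        # (for example after an incomplete provisioning change) grants nothing.
        return self.container_roles & self.database_roles


def is_authorized(principal, method, service):
    """Return True only if some effective role grants `method` on `service`; deny otherwise."""
    method = method.upper()
    for role in principal.effective_roles():
        # Unknown role names map to no privileges at all rather than raising.
        for priv_method, priv_service in ROLE_PRIVILEGES.get(role, ()):
            if priv_method in (PERMIT_ALL, method) and priv_service in (PERMIT_ALL, service):
                return True
    return False  # deny by default: unlisted method, unknown service or unknown role


def decision_log_line(principal, method, service):
    """Produce an audit-style line so every allow/deny is traceable to the effective roles."""
    verdict = "ALLOW" if is_authorized(principal, method, service) else "DENY"
    roles = ",".join(sorted(principal.effective_roles())) or "-"
    return f"{verdict} user={principal.name} {method.upper()} {service} roles={roles}"


if __name__ == "__main__":
    # Constructed sample principals.
    analyst = Principal("analyst",
                        frozenset({"POLICY_READ", "POLICY_UPDATE"}),
                        frozenset({"POLICY_READ"}))          # POLICY_UPDATE missing in the DB
    admin = Principal("admin", frozenset({"SL_ADMIN"}), frozenset({"SL_ADMIN"}))
    for p, m, s in [(analyst, "GET", "Policy"), (analyst, "PUT", "Policy"),
                    (admin, "DELETE", "User")]:
        print(decision_log_line(p, m, s))
```

The log line is the piece a defender cares about: when a PUT on Policy is denied for a user who appears to hold POLICY_UPDATE, the recorded effective roles immediately show which of the two stores is missing the grant.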