Role Based Access Control

Service Layer authorization model is based on role based access control. The Roles and Policies will be defined for each service and that will determine the access privilege a user or a group of users would have in the system. RBAC is made of four elements:

  • Roles: Bring Users, Groups, Policies together. Roles define what users can do with a resource.
  • Users: Principal that is requesting access to a resource.
  • Policies: List of rules that defines access to a resource.
  • Resources: Things you want to grant access to.

Security

Service Layer allows the data exchange between OIPA and other third-party systems by implementing a secured authentication and authorization process. The authorization requires the users to be in a certain role to access a secured resource such as a User or Security Group. These roles are persisted in the container security of the application administration server and OIPA database. The user using the API's needs to have an authorization from Container Security and Database Security as well.

Role Definition for Service Layer

The roles defined for Service Layer will be per service rather than per resource. Roles by service means that each service will define roles required to access that particular service. For instance, a Policy Service will define roles that will be used by Segments and Roles with-in that policy. The roles are not defined by resources or entities. Since segments and policy roles can not be accessed outside the context of a policy.

Table - Role Description

Role Name Role Description Role Privilege Role Association
SL_ADMIN Service Layer Administrator Permit All All Services
POLICY_READ Policy Read Access GET Policy
POLICY_CREATE Policy Write Access For Create POST Policy
POLICY_UPDATE Policy Write Access For Update PUT Policy
CLIENT_READ Client Read Access GET Client
CLIENT_CREATE Client Write Access For Create POST Client
CLIENT_UPDATE Client Write Access For Update PUT Client
CASE_READ Case Read Access GET Case
CASE_CREATE Case Write Access For Create POST Case
CASE_UPDATE Case Write Access For Update PUT Case
GROUPCUSTOMER_READ Customer Read Access GET Customer
GROUPCUSTOMER_CREATE Customer Write Access For Create POST Customer
GROUPCUSTOMER_UPDATE Customer Write Access For Update PUT Customer
GROUPCUSTOMER_DELETE Customer Delete Access DELETE Customer
CLIENTRELATIONSHIP_READ Client Relationship GET Client Relationship
CLIENTRELATIONSHIP_CREATE Client Relationship Write Access For Create POST Client Relationship
CLIENTRELATIONSHIP_UPDATE Client Relationship Write Access For Update PUT Client Relationship
QUERY_READ Query Read Access GET Query
QUERY_CREATE, QUERY_UPDATE Query Write Access POST Query
COMPANY_READ Company Read Access GET Company
PRODUCT_READ Product Read Access GET Product
PLAN_READ Plan Read Access GET Plan
SEGMENT_READ Segment Read Access GET Segment
SEGMENT_CREATE Segment Write Access For Create POST Segment
SEGMENT_UPDATE Segment Write Access For Update PUT Segment
ROLE_READ Role Read Access GET Role
ROLE_CREATE Role Write Access For Create POST Role
ROLE_UPDATE Role Write Access For Update PUT Role
SEGMENTROLE_READ Segment Role Read Access GET Segment Role
SEGMENTROLE_CREATE Segment Role Write Access For Create POST Segment Role
SEGMENTROLE_UPDATE Segment Role Write Access For Update PUT SegmentRole
REQUIREMENT_READ Requirement Read Access GET Requirement
REQUIREMENT_CREATE Requirement Write Access For Create POST Requirement
REQUIREMENT_UPDATE Requirement Write Access for Update PUT Requirement
IMPAIRMENT_READ Impairment Read Access GET Impairment
ADDRESS_READ Address Read Access GET Address
ADDRESS_CREATE Address Write Access For Create POST Address
ADDRESS_UPDATE Address Write Access For Update PUT Address
PHONE_READ Phone Read Access GET Phone
PHONE_CREATE Phone Write Access For Create POST Phone
PHONE_UPDATE Phone Write Access For Update PUT Phone
DOMAINS_READ Domains Read Access GET Domains
DOMAINS_CREATE Domains Write Access For Create POST Domains
DOMAINS_UPDATE Domain Update Access For Update PUT Domains
DOMAINS_DELETE Domains Delete Access DELETE Domains
USER_READ User Read Access GET User
USER_CREATE User Write Access For Create POST User
USER_UPDATE User Write Access For Update PUT User
USER_DELETE User Delete Access DELETE User
SECURITYGROUP_READ Security Group Read Access GET SECURITY GROUPS
SECURITYGROUP_CREATE Security Group Write Access For Create POST SECURITY GROUPS
SECURITYGROUP_DELETE Security Group Delete Access DELETE SECURITY GROUPS
USERSECURITYGROUP_READ User Security Group Read Access GET USER SECURITY GROUPS
USERSECURITYGROUP_DELETE User Security Group Delete Access DELETE USER SECURITY GROUPS
SL_ADMIN An administrative privilege which provides the access for FileReceived SOAP web service POST FileReceived
SL_ADMIN An administrative privilege which provides the access for ExposedComputation SOAP web service POST ExposedComputation
SL_ADMIN An administrative privilege which provides the access for ProcessPolicy SOAP web service PUT ProcessPolicy
OUTBOUNDAPPLICATION_READ Get details of given application id and its corresponding security GET Downstream Message Push
OUTBOUNDAPPLICATION_CREATE POST the details of downstream applications and its security POST Downstream Message Push
OUTBOUNDAPPLICATION_UPDATE Updates the details of outbound application security PUT Downstream Message Push
OUTBOUNDAPPLICATION_DELETE Deletes the details of outbound application security DELETE Downstream Message Push