Role-Based Access Control (tomcat-users.xml)
The Service Layer authorization model is based on role-based access control (RBAC). Roles and policies are defined for each service, and they determine the access privileges a user or a group of users has in the system. RBAC is made up of four elements:
- Roles - Bring users, groups, and policies together. Roles define what users can do with a resource.
- Users - The principal that is requesting access to a resource.
- Policies - The list of rules that define access to a resource.
- Resources - The things you want to grant access to.
Role Definition for Service Layer
The roles defined for the Service Layer are per service rather than per resource. Roles by service means that each service defines the roles required to access that particular service. For instance, the Policy Service defines the roles that are used by the Segments and Roles within a policy. The roles are not defined per resource or entity, since segments and policy roles cannot be accessed outside the context of a policy.
| Role Name | Role Description | Role Privilege | Role Association |
|---|---|---|---|
| SL_ADMIN | Service Layer Administrator | Permit All | All Services |
| POLICY_READ | Policy Read Access | GET | Policy |
| POLICY_CREATE | Policy Write Access For Create | POST | Policy |
| POLICY_UPDATE | Policy Write Access For Update | PUT | Policy |
| POLICY_DELETE | Policy Delete Access | DELETE | Policy |
| CLIENT_READ | Client Read Access | GET | Client |
| CLIENT_CREATE | Client Write Access For Create | POST | Client |
| CLIENT_UPDATE | Client Write Access For Update | PUT | Client |
| CLIENT_DELETE | Client Delete Access | DELETE | Client |
| CASE_READ | Case Read Access | GET | Case |
| CASE_CREATE | Case Write Access For Create | POST | Case |
| CASE_UPDATE | Case Write Access For Update | PUT | Case |
| CASE_DELETE | Case Delete Access | DELETE | Case |
| GROUPCUSTOMER_READ | Customer Read Access | GET | Customer |
| GROUPCUSTOMER_CREATE | Customer Write Access For Create | POST | Customer |
| GROUPCUSTOMER_UPDATE | Customer Write Access For Update | PUT | Customer |
| GROUPCUSTOMER_DELETE | Customer Delete Access | DELETE | Customer |
| CLIENTRELATIONSHIP_READ | Client Relationship Read Access | GET | Client Relationship |
| CLIENTRELATIONSHIP_CREATE | Client Relationship Write Access For Create | POST | Client Relationship |
| CLIENTRELATIONSHIP_UPDATE | Client Relationship Write Access For Update | PUT | Client Relationship |
| CLIENTRELATIONSHIP_DELETE | Client Relationship Delete Access | DELETE | Client Relationship |
| QUERY_READ | Query Read Access | GET | Query |
| QUERY_CREATE, QUERY_UPDATE | Query Write Access | POST | Query |
| QUERY_DELETE | Query Delete Access | DELETE | Query |
| COMPANY_READ | Company Read Access | GET | Company |
| PRODUCT_READ | Product Read Access | GET | Product |
| PLAN_READ | Plan Read Access | GET | Plan |
| SEGMENT_READ | Segment Read Access | GET | Segment |
| SEGMENT_CREATE | Segment Write Access For Create | POST | Segment |
| SEGMENT_UPDATE | Segment Write Access For Update | PUT | Segment |
| SEGMENT_DELETE | Segment Delete Access | DELETE | Segment |
| ROLE_READ | Role Read Access | GET | Role |
| ROLE_CREATE | Role Write Access For Create | POST | Role |
| ROLE_UPDATE | Role Write Access For Update | PUT | Role |
| ROLE_DELETE | Role Delete Access | DELETE | Role |
| SEGMENTROLE_READ | Segment Role Read Access | GET | Segment Role |
| SEGMENTROLE_CREATE | Segment Role Write Access For Create | POST | Segment Role |
| SEGMENTROLE_UPDATE | Segment Role Write Access For Update | PUT | SegmentRole |
| SEGMENTROLE_DELETE | Segment Role Delete Access | DELETE | Segment Role |
| REQUIREMENT_READ | Requirement Read Access | GET | Requirement |
| REQUIREMENT_CREATE | Requirement Write Access For Create | POST | Requirement |
| REQUIREMENT_UPDATE | Requirement Write Access For Update | PUT | Requirement |
| REQUIREMENT_DELETE | Requirement Delete Access | DELETE | Requirement |
| IMPAIRMENT_READ | Impairment Read Access | GET | Impairment |
| ADDRESS_READ | Address Read Access | GET | Address |
| ADDRESS_CREATE | Address Write Access For Create | POST | Address |
| ADDRESS_UPDATE | Address Write Access For Update | PUT | Address |
| ADDRESS_DELETE | Address Delete Access | DELETE | Address |
| PHONE_READ | Phone Read Access | GET | Phone |
| PHONE_CREATE | Phone Write Access For Create | POST | Phone |
| PHONE_UPDATE | Phone Write Access For Update | PUT | Phone |
| PHONE_DELETE | Phone Delete Access | DELETE | Phone |
| DOMAINS_READ | Allowed Domains Read Access | GET | DOMAINS_READ |
| DOMAINS_CREATE | Allowed Domains Access For Create | POST | DOMAINS_CREATE |
| DOMAINS_UPDATE | Allowed Domains Access For Update | PUT | DOMAINS_UPDATE |
| DOMAINS_DELETE | Allowed Domains Delete Access | DELETE | DOMAINS_DELETE |
| REQUIREMENTRESULT_READ | RequirementResult Read Access | GET | RequirementResult |
| REQUIREMENTRESULT_CREATE | RequirementResult Write Access For Create | POST | RequirementResult |
| REQUIREMENTRESULT_UPDATE | RequirementResult Write Access For Update | PUT | RequirementResult |
| REQUIREMENTRESULT_PATCH | RequirementResult Patch Access | PATCH | RequirementResult |
| SUSPENSE_READ | Suspense Read Access | GET | Suspense |
| SUSPENSE_CREATE | Suspense Write Access For Create | POST | Suspense |
| SUSPENSE_UPDATE | Suspense Write Access For Update | PUT | Suspense |
| SUSPENSE_PATCH | Suspense Patch Access | PATCH | Suspense |
| WITHHOLDING_READ | Policy Withholding Read Access | GET | Policy Withholding |
| WITHHOLDING_CREATE | Policy Withholding Write Access For Create | POST | Policy Withholding |
| WITHHOLDING_UPDATE | Policy Withholding Write Access For Update | PUT | Policy Withholding |
| WITHHOLDING_PATCH | Policy Withholding Write Access For Patch | PATCH | Policy Withholding |
| WORKFLOWTASK_READ | WorkflowTask Read Access | GET | WorkflowTask |
| WORKFLOWTASK_CREATE | WorkflowTask Write Access For Create | POST | WorkflowTask |
| WORKFLOWTASK_UPDATE | WorkflowTask Write Access For Update | PUT | WorkflowTask |
| WORKFLOWTASK_PATCH | WorkflowTask Write Access For Patch | PATCH | WorkflowTask |
| RATEGROUP_READ | Rate Group Read Access | GET | Rate Group |
| RATEGROUP_CREATE | Rate Group Write Access For Create | POST | Rate Group |
| RATEGROUP_UPDATE | Rate Group Write Access For Update | PUT | Rate Group |
| RATEGROUP_PATCH | Rate Group Write Access For Patch | PATCH | Rate Group |
| RATE_READ | Rate Read Access | GET | Rate |
| RATE_CREATE | Rate Write Access For Create | POST | Rate |
| RATE_UPDATE | Rate Write Access For Update | PUT | Rate |
| RATE_PATCH | Rate Write Access For Patch | PATCH | Rate |
| RATE_DELETE | Rate Delete Access | DELETE | Rate |
| RATEGROUPRELATIONSHIP_READ | Rate Group Relationship Read Access | GET | Rate Group Relationship |
| RATEGROUPRELATIONSHIP_CREATE | Rate Group Relationship Write Access For Create | POST | Rate Group Relationship |
| RATEGROUPRELATIONSHIP_UPDATE | Rate Group Relationship Write Access For Update | PUT | Rate Group Relationship |
| RATEGROUPRELATIONSHIP_PATCH | Rate Group Relationship Write Access For Patch | PATCH | Rate Group Relationship |
| RATEGROUPRELATIONSHIP_DELETE | Rate Group Relationship Delete Access | DELETE | Rate Group Relationship |
| POLICY_PATCH | Policy Patch Access | PATCH | Policy |
| SEGMENT_PATCH | Segment Patch Access | PATCH | Segment |
| ROLE_PATCH | Role Patch Access | PATCH | Role |
| SEGMENTROLE_PATCH | SegmentRole Patch Access | PATCH | SegmentRole |
| REQUIREMENT_PATCH | Requirement Patch Access | PATCH | Requirement |
| CLIENT_PATCH | Client Patch Access | PATCH | Client |
| ADDRESS_PATCH | Address Patch Access | PATCH | Address |
| PHONE_PATCH | Phone Patch Access | PATCH | Phone |
| CASE_PATCH | Case Patch Access | PATCH | Case |
| GROUPCUSTOMER_PATCH | GroupCustomer Patch Access | PATCH | GroupCustomer |
| USER_PATCH | User Patch Access | PATCH | User |
| SECURITYGROUP_PATCH | SecurityGroup Patch Access | PATCH | SecurityGroup |
| DOMAINS_PATCH | Domain Patch Access | PATCH | Domain |
| OUTBOUNDAPPLICATION_PATCH | JMSOutboundApplication Patch Access | PATCH | JMSOutboundApplication |
| OUTBOUNDAPPLICATION_PATCH | SoapOutboundApplication Patch Access | PATCH | SoapOutboundApplication |
| OUTBOUNDAPPLICATION_PATCH | RestOutboundApplication Patch Access | PATCH | RestOutboundApplication |
| OUTBOUNDSECURITY_PATCH | JmsSecurity Patch Access | PATCH | JmsSecurity |
| OUTBOUNDSECURITY_PATCH | SoapSecurity Patch Access | PATCH | SoapSecurity |
| OUTBOUNDSECURITY_PATCH | RestSecurity Patch Access | PATCH | RestSecurity |
In TomEE there is no UI for this; it is driven entirely through configuration, so these users and roles must be added to tomcat-users.xml in the conf directory.
Adding Roles
Add the required roles using the <role> tag in the tomcat-users.xml file.
User and Roles Configuration
Example:

```xml
<role rolename="SL_ADMIN" />
<user username="<User Name>" password="<must-be-changed>" roles="SL_ADMIN"/>
```

All required roles must be added using the above syntax.
Adding Users and Roles Association
Users and their role associations are defined using the <user> tag in the same file.
The user created in the Application server realm should be the same as the user created in the Rules Palette for application security.
For example, a user with access to search or create a policy in OIPA can perform the CRUD operations (GET/POST/PUT/DELETE) on the /policies API.
Similarly, a user with only search access in the OIPA application can perform only the GET operation on the /policies API (this applies to all APIs supported in the current release).
Even if the user holds the admin role (SL_ADMIN) in the application server realm, the API returns an Unauthorized response if the Rules Palette does not authorize that user for the specific entity.
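The two checks described above, the realm roles declared in tomcat-users.xml and then the Rules Palette entitlement, modelled as an added Python example; this is not OIPA code. The XML fragment, the user names, the placeholder passwords and the PALETTE table are constructed sample data, and the role naming rule (`<ENTITY>_<READ|CREATE|UPDATE|DELETE|PATCH>`, with `SL_ADMIN` permitting all) is taken from the table on this page.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml fragment; passwords are placeholders, not real credentials.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="SL_ADMIN"/>
  <role rolename="POLICY_READ"/>
  <role rolename="POLICY_CREATE"/>
  <user username="sladmin" password="CHANGE-ME" roles="SL_ADMIN"/>
  <user username="underwriter" password="CHANGE-ME" roles="POLICY_READ,POLICY_CREATE"/>
  <user username="auditor" password="CHANGE-ME" roles="POLICY_READ"/>
</tomcat-users>"""
# Constructed Rules Palette entitlements: username -> entities the palette authorizes.
PALETTE = {"sladmin": {"Policy"}, "underwriter": {"Policy"}, "auditor": {"Policy"}}
# HTTP method -> action suffix of the <ENTITY>_<ACTION> role names in the table.
METHOD_TO_ACTION = {"GET": "READ", "POST": "CREATE", "PUT": "UPDATE",
                    "DELETE": "DELETE", "PATCH": "PATCH"}

def _local(tag):
    """Strip the XML namespace so parsing works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def load_realm(xml_text):
    """Return {username: set(roles)} from tomcat-users.xml, rejecting undeclared roles."""
    root = ET.fromstring(xml_text)
    declared = {e.get("rolename") for e in root.iter() if _local(e.tag) == "role"}
    users = {}
    for e in (e for e in root.iter() if _local(e.tag) == "user"):
        roles = {r.strip() for r in e.get("roles", "").split(",") if r.strip()}
        undeclared = roles - declared  # catches typos such as roles="role1"
        if undeclared:
            raise ValueError(f"{e.get('username')}: undeclared roles {sorted(undeclared)}")
        users[e.get("username")] = roles
    return users

def realm_permits(user_roles, method, entity):
    """Layer 1 (realm): SL_ADMIN is Permit All; otherwise ENTITY_ACTION is required."""
    if "SL_ADMIN" in user_roles:
        return True
    action = METHOD_TO_ACTION.get(method.upper())
    return action is not None and f"{entity.upper()}_{action}" in user_roles

def authorize(users, palette, username, method, entity):
    """Both layers must grant access; returns 'OK' or 'Unauthorized'."""
    if not realm_permits(users.get(username, set()), method, entity):
        return "Unauthorized"
    if entity not in palette.get(username, set()):
        return "Unauthorized"  # layer 2 (palette): the realm role alone is not enough
    return "OK"
```

The last check is the case the text describes: sladmin holds SL_ADMIN in the realm, yet a request for an entity the palette has not granted is still Unauthorized.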