Role Based Access Control

The Service Layer authorization model is based on role-based access control (RBAC). Roles and policies are defined for each service, and together they determine the access privileges a user or a group of users has in the system. RBAC is made of four elements:

  • Roles - Bring users, groups and policies together; a role defines what its users can do with a resource.
  • Users - The principal that is requesting access to a resource.
  • Policies - A list of rules that defines access to a resource.
  • Resources - The things you want to grant access to.

Role Definition for Service Layer

The roles defined for the Service Layer are per service rather than per resource: each service defines the roles required to access that particular service. For instance, the Policy Service defines the roles that are used for Segments and Roles within that policy. Roles are not defined per resource or entity, because segments and policy roles cannot be accessed outside the context of a policy.

| Role Name | Role Description | Role Privilege | Role Association |
|---|---|---|---|
| SL_ADMIN | Service Layer Administrator | Permit All | All Services |
| POLICY_READ | Policy Read Access | GET | Policy |
| POLICY_CREATE | Policy Write Access For Create | POST | Policy |
| POLICY_UPDATE | Policy Write Access For Update | PUT | Policy |
| POLICY_DELETE | Policy Delete Access | DELETE | Policy |
| CLIENT_READ | Client Read Access | GET | Client |
| CLIENT_CREATE | Client Write Access For Create | POST | Client |
| CLIENT_UPDATE | Client Write Access For Update | PUT | Client |
| CLIENT_DELETE | Client Delete Access | DELETE | Client |
| CASE_READ | Case Read Access | GET | Case |
| CASE_CREATE | Case Write Access For Create | POST | Case |
| CASE_UPDATE | Case Write Access For Update | PUT | Case |
| CASE_DELETE | Case Delete Access | DELETE | Case |
| GROUPCUSTOMER_READ | Customer Read Access | GET | Customer |
| GROUPCUSTOMER_CREATE | Customer Write Access For Create | POST | Customer |
| GROUPCUSTOMER_UPDATE | Customer Write Access For Update | PUT | Customer |
| GROUPCUSTOMER_DELETE | Customer Delete Access | DELETE | Customer |
| CLIENTRELATIONSHIP_READ | Client Relationship | GET | Client Relationship |
| CLIENTRELATIONSHIP_CREATE | Client Relationship Write Access For Create | POST | Client Relationship |
| CLIENTRELATIONSHIP_UPDATE | Client Relationship Write Access For Update | PUT | Client Relationship |
| CLIENTRELATIONSHIP_DELETE | Client Relationship Delete Access | DELETE | Client Relationship |
| QUERY_READ | Query Read Access | GET | Query |
| QUERY_CREATE, QUERY_UPDATE | Query Write Access | POST | Query |
| QUERY_DELETE | Query Delete Access | DELETE | Query |
| COMPANY_READ | Company Read Access | GET | Company |
| PRODUCT_READ | Product Read Access | GET | Product |
| PLAN_READ | Plan Read Access | GET | Plan |
| SEGMENT_READ | Segment Read Access | GET | Segment |
| SEGMENT_CREATE | Segment Write Access For Create | POST | Segment |
| SEGMENT_UPDATE | Segment Write Access For Update | PUT | Segment |
| SEGMENT_DELETE | Segment Delete Access | DELETE | Segment |
| ROLE_READ | Role Read Access | GET | Role |
| ROLE_CREATE | Role Write Access For Create | POST | Role |
| ROLE_UPDATE | Role Write Access For Update | PUT | Role |
| ROLE_DELETE | Role Delete Access | DELETE | Role |
| SEGMENTROLE_READ | Segment Role Read Access | GET | Segment Role |
| SEGMENTROLE_CREATE | Segment Role Write Access For Create | POST | Segment Role |
| SEGMENTROLE_UPDATE | Segment Role Write Access For Update | PUT | Segment Role |
| SEGMENTROLE_DELETE | Segment Role Delete Access | DELETE | Segment Role |
| REQUIREMENT_READ | Requirement Read Access | GET | Requirement |
| REQUIREMENT_CREATE | Requirement Write Access For Create | POST | Requirement |
| REQUIREMENT_UPDATE | Requirement Write Access For Update | PUT | Requirement |
| REQUIREMENT_DELETE | Requirement Delete Access | DELETE | Requirement |
| IMPAIRMENT_READ | Impairment Read Access | GET | Impairment |
| ADDRESS_READ | Address Read Access | GET | Address |
| ADDRESS_CREATE | Address Write Access For Create | POST | Address |
| ADDRESS_UPDATE | Address Write Access For Update | PUT | Address |
| ADDRESS_DELETE | Address Delete Access | DELETE | Address |
| PHONE_READ | Phone Read Access | GET | Phone |
| PHONE_CREATE | Phone Write Access For Create | POST | Phone |
| PHONE_UPDATE | Phone Write Access For Update | PUT | Phone |
| PHONE_DELETE | Phone Delete Access | DELETE | Phone |
| DOMAINS_READ | Allowed Domains Read Access | GET | DOMAINS_READ |
| DOMAINS_CREATE | Allowed Domains Access For Create | POST | DOMAINS_CREATE |
| DOMAINS_UPDATE | Allowed Domains Access For Update | PUT | DOMAINS_UPDATE |
| DOMAINS_DELETE | Allowed Domains Delete Access | DELETE | DOMAINS_DELETE |
| REQUIREMENTRESULT_READ | RequirementResult Read Access | GET | RequirementResult |
| REQUIREMENTRESULT_CREATE | RequirementResult Write Access For Create | POST | RequirementResult |
| REQUIREMENTRESULT_UPDATE | RequirementResult Write Access For Update | PUT | RequirementResult |
| REQUIREMENTRESULT_PATCH | RequirementResult Patch Access | PATCH | RequirementResult |
| SUSPENSE_READ | Suspense Read Access | GET | Suspense |
| SUSPENSE_CREATE | Suspense Write Access For Create | POST | Suspense |
| SUSPENSE_UPDATE | Suspense Write Access For Update | PUT | Suspense |
| SUSPENSE_PATCH | Suspense Patch Access | PATCH | Suspense |
| WITHHOLDING_READ | Policy Withholding Read Access | GET | Policy Withholding |
| WITHHOLDING_CREATE | Policy Withholding Write Access For Create | POST | Policy Withholding |
| WITHHOLDING_UPDATE | Policy Withholding Write Access For Update | PUT | Policy Withholding |
| WITHHOLDING_PATCH | Policy Withholding Write Access For Patch | PATCH | Policy Withholding |
| WORKFLOWTASK_READ | WorkflowTask Read Access | GET | WorkflowTask |
| WORKFLOWTASK_CREATE | WorkflowTask Write Access For Create | POST | WorkflowTask |
| WORKFLOWTASK_UPDATE | WorkflowTask Write Access For Update | PUT | WorkflowTask |
| WORKFLOWTASK_PATCH | WorkflowTask Write Access For Patch | PATCH | WorkflowTask |
| RATEGROUP_READ | Rate Group Read Access | GET | Rate Group |
| RATEGROUP_CREATE | Rate Group Write Access For Create | POST | Rate Group |
| RATEGROUP_UPDATE | Rate Group Write Access For Update | PUT | Rate Group |
| RATEGROUP_PATCH | Rate Group Write Access For Patch | PATCH | Rate Group |
| RATE_READ | Rate Read Access | GET | Rate |
| RATE_CREATE | Rate Write Access For Create | POST | Rate |
| RATE_UPDATE | Rate Write Access For Update | PUT | Rate |
| RATE_PATCH | Rate Write Access For Patch | PATCH | Rate |
| RATE_DELETE | Rate Delete Access | DELETE | Rate |
| RATEGROUPRELATIONSHIP_READ | Rate Group Relationship Read Access | GET | Rate Group Relationship |
| RATEGROUPRELATIONSHIP_CREATE | Rate Group Relationship Write Access For Create | POST | Rate Group Relationship |
| RATEGROUPRELATIONSHIP_UPDATE | Rate Group Relationship Write Access For Update | PUT | Rate Group Relationship |
| RATEGROUPRELATIONSHIP_PATCH | Rate Group Relationship Write Access For Patch | PATCH | Rate Group Relationship |
| RATEGROUPRELATIONSHIP_DELETE | Rate Group Relationship Delete Access | DELETE | Rate Group Relationship |
| POLICY_PATCH | Policy Patch Access | PATCH | Policy |
| SEGMENT_PATCH | Segment Patch Access | PATCH | Segment |
| ROLE_PATCH | Role Patch Access | PATCH | Role |
| SEGMENTROLE_PATCH | SegmentRole Patch Access | PATCH | SegmentRole |
| REQUIREMENT_PATCH | Requirement Patch Access | PATCH | Requirement |
| CLIENT_PATCH | Client Patch Access | PATCH | Client |
| ADDRESS_PATCH | Address Patch Access | PATCH | Address |
| PHONE_PATCH | Phone Patch Access | PATCH | Phone |
| CASE_PATCH | Case Patch Access | PATCH | Case |
| GROUPCUSTOMER_PATCH | GroupCustomer Patch Access | PATCH | GroupCustomer |
| USER_PATCH | User Patch Access | PATCH | User |
| SECURITYGROUP_PATCH | SecurityGroup Patch Access | PATCH | SecurityGroup |
| DOMAINS_PATCH | Domain Patch Access | PATCH | Domain |
| OUTBOUNDAPPLICATION_PATCH | JMSOutboundApplication Patch Access | PATCH | JMSOutboundApplication |
| OUTBOUNDAPPLICATION_PATCH | SoapOutboundApplication Patch Access | PATCH | SoapOutboundApplication |
| OUTBOUNDAPPLICATION_PATCH | RestOutboundApplication Patch Access | PATCH | RestOutboundApplication |
| OUTBOUNDSECURITY_PATCH | JmsSecurity Patch Access | PATCH | JmsSecurity |
| OUTBOUNDSECURITY_PATCH | SoapSecurity Patch Access | PATCH | SoapSecurity |
| OUTBOUNDSECURITY_PATCH | RestSecurity Patch Access | PATCH | RestSecurity |

In TomEE there is no UI and everything is driven through configuration, so these users and roles must be added to tomcat-users.xml in the conf directory.

Adding Roles

The required roles are added with the <role> tag in the tomcat-users.xml file.

User and Roles Configuration

Example (the user is granted the role declared on the line above it; <User Name> and <must-be-changed> are placeholders to be replaced):

<role rolename="SL_ADMIN" />
<user username="<User Name>" password="<must-be-changed>" roles="SL_ADMIN" />

Every role that is required must be declared with the <role> syntax above before it is referenced from a user's roles attribute.

Adding Users and Roles association

The association between users and roles is configured with the <user> tag in the same file, by listing the role names in its roles attribute.

The user created in the application server realm must be the same user that is created in the Rules Palette for application security.

For example, a user with access to search or create a policy in OIPA can perform the CRUD operations (GET/POST/PUT/DELETE) on the /policies API.

Similarly, a user with only search access in the OIPA application can perform only the GET operation on the /policies API (this applies to all the APIs supported in the current release).

Even if a user holds the ADMIN role (SL_ADMIN) in the application server realm, the API returns an Unauthorized response when that user has not been authorized in the palette for the specific entity: the realm role is necessary but not sufficient.
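As an added example (not OIPA's or TomEE's own code), the following Python check mirrors the two-layer model described above: realm users and roles are loaded from a constructed tomcat-users.xml, the realm role is derived from the HTTP method using the <ENTITY>_<READ|CREATE|UPDATE|PATCH|DELETE> convention of the role table, and a constructed stand-in for the Rules Palette entitlements (an assumption about their shape, not the palette's real data model) is applied as the second layer that SL_ADMIN does not bypass.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (placeholder passwords, not real ones).
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="SL_ADMIN"/>
  <role rolename="POLICY_READ"/>
  <user username="alice" password="must-be-changed" roles="SL_ADMIN"/>
  <user username="bob" password="must-be-changed" roles="POLICY_READ"/>
</tomcat-users>"""

# Constructed stand-in for Rules Palette entitlements: entity -> user -> level.
# "create" covers all CRUD methods on the entity, "search" covers GET only.
PALETTE = {"Policy": {"alice": "search", "bob": "create"}}

# HTTP method -> role-name suffix from the role table (POST on Policy -> POLICY_CREATE).
SUFFIX = {"GET": "READ", "POST": "CREATE", "PUT": "UPDATE",
          "PATCH": "PATCH", "DELETE": "DELETE"}

def load_realm_users(xml_text):
    """Return {username: set(roles)}; reject roles not declared with <role>."""
    root = ET.fromstring(xml_text)
    declared = {r.get("rolename") for r in root.iter("role")}
    users = {}
    for u in root.iter("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        if roles - declared:  # a typo here silently grants nothing; fail loudly instead
            raise ValueError(f"{u.get('username')}: undeclared roles {sorted(roles - declared)}")
        users[u.get("username")] = roles
    return users

def authorize(user, method, entity, realm_users, palette):
    """Decide one request: 'unauthenticated', 'unauthorized' or 'ok'.
    Deny by default: the request must pass both layers."""
    roles = realm_users.get(user)
    if roles is None:
        return "unauthenticated"
    # Layer 1: realm role from the table, or SL_ADMIN (Permit All).
    needed = f"{entity.replace(' ', '').upper()}_{SUFFIX[method]}"
    if "SL_ADMIN" not in roles and needed not in roles:
        return "unauthorized"
    # Layer 2: palette entitlement for the entity; SL_ADMIN does not bypass it.
    level = palette.get(entity, {}).get(user)
    if level != "create" and not (level == "search" and method == "GET"):
        return "unauthorized"
    return "ok"

if __name__ == "__main__":
    realm = load_realm_users(TOMCAT_USERS_XML)
    for who, m in [("alice", "GET"), ("alice", "POST"), ("bob", "GET"), ("bob", "PUT"), ("carol", "GET")]:
        print(who, m, "/policies ->", authorize(who, m, "Policy", realm, PALETTE))
```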