Access Control Design

8/2/2019 Access Control Design

1/42

Product Design Specification

Project: Access-ControlRelease: Fuji

Copyright 2009 Model N, Inc. This information isconfidential and is for internal use only. No part of it maybe circulated, quoted, or reproduced for distributionoutside of the organization without prior written approval.


2/42

Product Design Specification Version 1.0 - Draft

Modification History

Revision Date Description

1.0 4/20/09 First draft

4/21/09 Add detail design for rule resolution and rule migration

5/2/09 Complete unit test section

10/9/09 Update

List of Contributors

Name Initials Organization E-mail

Min Zhou MZ Model N, Inc [email protected]

Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009

Proprietary and Confidential Release: Fuji 2 out of 42


3/42


Table of Contents

1. INTRODUCTION ...................................................................................................................................... 5

1.1 OVERVIEW.................................................................................................................................................... 5

1.2 REQUIREMENTS DOCUMENTS REFERENCE............................................................................................................ 51.3 DESIGN TARGETSAND LIMITS........................................................................................................................... 51.4 DEPENDENCIES.............................................................................................................................................. 5

2. COMMUNITY MODEL OVERVIEW .......................................................................................................... 6

2.1 COMMUNITY ENTITY........................................................................................................................................ 62.2 COMMUNITY EDGE.......................................................................................................................................... 62.3 COMMUNITY STRUCTURE.................................................................................................................................. 6

2.3.1 Community Data Modeling ...................................................................................................................72.4 ACCESS CONTROL.......................................................................................................................................... 7

2.4.1 Access Control Rule .............................................................................................................................72.4.2 User-Role Association ........................................................................................................................122.4.3 Access Control List (ACL) ..................................................................................................................12

3. DESIGN DESCRIPTION .........................................................................................................................14

3.1 POF SUPPORT .......................................................................................................................................... 143.2 ASSOCIATION CHANGESIN ACCESS CONTROL.................................................................................................... 15

3.2.1 Access Control Rule Resolution ........................................................................................................153.3 ROLE/GROUP UI MANAGEMENT...................................................................................................................... 15

3.3.1 Admin Folder Reorganization .............................................................................................................153.3.2 New Role/Group Navigation in Admin Folder ....................................................................................163.3.3 Role/Group Search .............................................................................................................................163.3.4 Role/Group Management...................................................................................................................193.3.5 Role/Group Detail...............................................................................................................................26

3.4 ACCESS CONTROL ENHANCEMENT................................................................................................................... 313.4.1 Depreciate User Association to Report Template ..............................................................................31

3.4.2 Changes of role and access rule content...........................................................................................313.4.3 Remove printrolepriviliages ................................................................................................................31

This requirement was dropped before FCF. ...........................................................................................31

4. MOCK UP .......................................................................................................................................... ....32

4.1 ROLE LEFT NAVIGATIONAND SEARCH.............................................................................................................. 324.2 ROLE DETAIL.............................................................................................................................................. 324.3 ROLE/GROUP CREATION DIALOG..................................................................................................................... 33

5. MIGRATION ....................................................................................................................................... ....34

5.1 ADD ROLE FGO ........................................................................................................................................345.2 FGO CHANGEOF ROLEFROM GROUPTO ROLE ............................................................................................... 34

5.3 DEPRECIATE ACCESS RULESFROM ROLE GROUPSTO CONTAINED ROLES .............................................................. 345.4 REMOVE DIRECT USERS ASSOCIATIONSTO RESOURCES....................................................................................... 35

5.4.1 Direct Associations of Users and Access Rules ................................................................................35

6. EXTERNAL MODULE INTERFACING .................................................................................................. 37

7. TESTING ............................................................................................................................................ ....38

8. BUILD IMPACT ...................................................................................................................................... 39




4/42


9. CUSTOMER IMPACTS ................................................................................................................. ..... ....40

10. OPEN ISSUES ...................................................................................................................... ..... .......... 41

10.1 OPEN TASKS............................................................................................................................................. 4110.1.1 Discuss with report developer for any role query support of role and user access privilege reportdevelopment................................................................................................................................................41

This requirement is dropped. ....................................................................................................................4110.1.2 Work with professional service to get a default set of role resource assignment............................41

10.2 EXTERNAL MODULE INTERFACING .................................................................................................................. 4110.2.1 To support access control history report (stretch goal) revision history needs to be persisted.......41

11. APPENDIX ..........................................................................................................................................42




5/42


1. INTRODUCTION

1.1 Overview

In Model N application accesses of resources are controlled by rulesassociated to roles and users or user groups are assigned with roles forresource access rules.

The access control rules are declared in csv files and populated to systemusing command line tool. This populating process requires to be done athosting server. For large companies, such as Amgen, that operateglobally the process is too cumbersome to meet these companys needsof frequent access control management tasks at geographically distributedorganizations.

To address the issue web browser based administration of access control

will be added in this release. It will provide global admin users capability ofusing browsers to manage roles and associations of roles to users andresources.

Currently users are organized in user groups and roles are attached tousers but not user groups. There is increasing demand from largeenterprises for convenient administration of associating roles to usergroups that have all the users in the group inheriting the role association.Supporting role association to user groups is added to this access controlenhancement.

1.2 Requirements Documents Reference

This design is based on the following requirements documents:

Functional Specification

1.3 Design Targets and Limits

Scalability targets for the role/group:

Name Expected Maximum

Number of Roles 100 500

1.4 Dependencies


http://var/Product/Fuji/Functional%20Specs/Technology/AccessControlFRS.dochttp://var/Product/Fuji/Functional%20Specs/Technology/AccessControlFRS.doc


6/42


2. COMMUNITY MODEL OVERVIEW

Community is a concept introduced at Model N platform for the abstractionof enterprise organizational entities and their relationships (edge).

2.1 Community Entity

The community members are composed of user, role, group, customer,membership, alignment, etc. These entities are implemented with FGOsthat extend from Member.

Class diagram at Figure 1 lists all the FGO inheriting from Member.

A new Role FGO is proposed to handle role. Detailed discussionfor the Role FGO will be given later.

CMnMember

CMnAlignmentNode CMnBookOfBusiness CMnGroup CMnMemberSearchResultObjRender

CMnOrganization CMnPlan CMnRealm CMnRoleCMnUserAcct

Figure 1 Class diagram of all the FGOs in community that inherit fromMember

2.2 Community Edge

More than a dozen of edges, such as PART_OF, KIND_OF, are supportedfor these entities. The edge is modeled with FGO CommunityDag and theedge types are declared in parent FGO Dag.

2.3 Community Structure

The community is structured as a Directed Acyclic Graph (DAG). A

simplified (mainly PART_OF edges) DAG diagram is shown in Figure 2 todemonstrate structures of user/group and role/group that come with theModel N application content population. In the diagram entities arerepresented as nodes and edges as arrows.




7/42


Root

ENTE-TYPE

ENTE-ORG

ENTE-REBATES-

TYPE

REBATES-MGR-TYPE

GlobalOrganization

Node

Medtech

Corporation

Admin Group

AliceWonderland

Enterprise OrgGlobal Node

... Global Realm

Global

Integration

Admin Group

Global

IntegrationUser

FGO type:

Group

UserAcct

User Group

User

Role Group

Role

(Modeled with

new Role FGO)

Figure 2 Directed Acyclic Graph (DAG) of example user/group androle/group

2.3.1 Community Data Modeling

Community data model has MN_MEMBER and MN_CMTY_EDGE asbackbone tables modeling entity and edge respectively. Edge recordskeep source and destination ids together with edge type. Oraclehierarchy query supports query along the hierarchy.

2.4 Access Control

2.4.1 Access Control Rule

Access control rule(these circled by Access Control Rule in Figure 3) ismodeled by FGO AccessRule that has association of

role/group




8/42


resource

action

plugin (allow/deny).

user

userGroup

**

role

*

*

resource

1

*

action

**

*

roleGroup

1

*

parent

*

*

*

Access Control Rule

User-repo

rttemplate

Figure 3 Existing implementation of access control rule and user-roleassociation

2.4.1.1 Role/Group-Resource Association

role association to resource

role group association to resource2.4.1.2 Rule Inheritance at Role and Resource Hierarchies

To get better understanding of access rules with the containmenthierarchy of role and resource a diagram is drawn in Figure 4 todemonstrate rule declarations.

rule inheritance in role/group hierarchy




9/42


Each role group contains one or more roles or role groups. All the rulesassociated to a role group are carried over downwards along the treehierarchy all the way to the leaf node roles. This inheritance providesaccess control management at role group level. That is instead ofdeclaring same rules for all the roles in a group it is convenient to give the

rules to role groups. rule inheritance along resource path containment hierarchy

View

Create, Modify

View

ENTE-TYPE

ENTE-SALES-TYPE

ENTE-MKTG-TYPE

ENTE-ADMIN-TYPE

root

app

pricing contract

pp pl

priceoverride

Figure 4 Example rule declarations at role and resource hierarchies

Summarized access rules for pp and priceoverride




10/42


Resources(path) ENTE-SALES-TYPE

ENTE-MKTG-TYPE

ENTE-ADMIN-TYPE

pp

(root.app.pricing.pp)

view view,

create,modify

view




11/42


priceoverride

(root.app.pricing.pp.priceoverride)

view,create,modify

view




12/42


2.4.2 User-Role Association

user association to role

no user association with role group

no user group association to either role or role group

Users and roles have many to many relationships with KIND_OF edge.This relationship has role drives user access control.

User groups are usually enterprise organization structures for organizingusers. Since roles are associated to users and not user groups, anyorganization structure changes that lead to reorganizing user group haveno impact on user-role associations. And any user moving to differentorganization structure or any assigning user with additional user group hasno change of role association either. It is easy to understand that currentimplementation has roles and responsibilities decoupled fromorg/business structures. Since the role assignments is at user level

declaration of user-role association needs to be done for users one byone. For large organizations this becomes inappropriate for admin workload of declaring and maintaining large number of user-role associations.

2.4.3 Access Control List (ACL)

On login resolved access control rules for logged in user are encapsulatedin an ACL. This resolving process is given in the diagram below:

Find all the associated rules using Oracle hierarchical query by starting with login user to role and role groups along hierarchy

Resolve by removing overridden rules

Figure 5 Existing access control rule resolving process activity diagram

2.4.3.1 Rule Resolving




13/42


Shown in the diagram below a rule is declared as allow ENTE-TYPE toview pp while deny ENTE-SALES-TYPE to view priceoverride. Theconflict rules through inheritance are

resolved by picking up the rule with least number of nodes in thepath

This case has deny overriding allow view

view

viewENTE-TYPE

ENTE-SALES-TYPE

pp

priceoverride




14/42


3. DESIGN DESCRIPTION

3.1 POF Support

As shown in Figure 2 role REBATES-MGR-TYPE belongs to Group. Foreasy implementation and maintenance of UI role management a newFGO, Role, will be introduced. The new role FGO will extend the Memberas it is shown in Figure 1. The role FGO has its own module id and onenew attribute FoldConfigName that stores the properties used to be incommunity property table and persists in the same table mn_member. Inaddition a new attribute, DisplayName, is added to Member FGO and thisattribute is a required attribute for Role FGO. This implementation hasminimum impact to current implementation and requires minimummigration efforts.

Role.xml:




15/42


3.2 Association Changes in Access Control

Following changes are required in this release [FRS Section 3.1 BasicConcepts of User, Group, Role, Resource, UI Elements and AccessPrivileges]

only role association with resources no role group association with resources any more

user group association with roles in stead

no direct user association with resource

user

userGroup

**

role

* *

*

*

resource

1

*

action

* *

*

roleGroup

1

*

parent

Figure 6 New access control rule and user/group role association

3.2.1 Access Control Rule Resolution

The existing rule resolution revolution supports the user PART_OFinheritance hierarchy. At user login time access privileges are obtainedfor the user.

Additional testing scenarios that support the new association are added toexisting unit tests for the rule resolution.

3.3 Role/Group UI Management3.3.1 Admin Folder Reorganization

Rename Users and Territories to Users and Organizations.

Add a new node Management next to Users and Organizationsand move Nodes and Locks and Jobs and Job Queue to beunder Management.




16/42


3.3.2 New Role/Group Navigation in Admin Folder

Add a new Roles folder (new role icon) as a child of Users andOrganizations.

The Role folder is the root of role and role group tree hierarchy

3.3.3 Role/Group Search

Create a new search role model ent-role for the implementation ofrole search.




17/42


Type Search Criteria Field Type

Role Display Name Text

Associated user/group User/group chooser dialog

Associated resource Text




18/42


Role Group Display Name Text




19/42


3.3.4 Role/Group Management

3.3.4.1 Access Control

The role management is restricted to system admin. Following resource

and control rules will be added.

Resources.csv




20/42


root.app.cmty.role, Resource to configure the ability to create or modify role




21/42


AccessControls.csv




22/42


ENTE-ADMIN-TYPE,CREATE,root.app.cmty.role,allow

ENTE-ADMIN-TYPE,MODIFY,root.app.cmty.role,allow




23/42


3.3.4.2 Create New Role/Group




24/42


AttributeName

Type Required Uniqueness

Name String Yes Yes




25/42


Display Name String Yes Yes




26/42


Instantiate and persist Group or Role FGO

Instantiate and persist CommunityDag to associate the role/groupFGO to parent group with a PART_OF type.

3.3.4.3 Delete Role/Group

Delete role/group FGO and edges to parents (Only empty rolegroups allowed to be deleted).

Delete its associations of users and access rules for role.

.A pop up dialog requesting user confirm before removal actually happens.

3.3.4.4 Copy Role

Use FGO deep copy utility.

Copy all existing resources and access privileges of the selected

role to the new role.The default group is the same as the original one. A different role group

can be chosen by browsing a dialog role group hierarchy.

The default role name is role-name-COPY. If role-name-COPY exists inthe system already, COPY# is used.

3.3.4.5 Export Role and Access Rules

Data flow AccessrulefromEjbql in both default and global are created forexporting the roles and access rules. Export file is in csv format. Thegroup, role and rule formats are the same as these used in thecorresponding population contents.

3.3.4.6 Import Role and Resource Associations

The CommunityReader and AccessControlReader for populating rolesand access control rules will be based for the implementation of importingroles and rules from exported CSV file. Changes in this dataflow areneeded for persisting role with FGO Role instead of Group. The changesapply to the command line populating of access control contents.

3.3.5 Role/Group Detail

3.3.5.1 Title Bar




27/42


Type Title Bar Label

Role Role




28/42


Role Group Role Group




29/42


3.3.5.2 Role Navigation




30/42


Type Pages Description Task Panel

Role General Role detail in edit mode. Save

Copy

Users andGroups

A selection list of all theassociated users anduser groups with theirtypes.

User/group names link touser details.

Add button for addinguser or user groupassociations.

Delete button for

removing user or usergroup associations.

AccessRules(stretch goal)

A selection list of all theassociated resourcesand description andactions.

Add button for addingrule.

Delete button forremoving rules.

RoleGroup

General Role group detail in editmode

Save




31/42


Children A list of all the roles inthe group

Role names link to roledetail.

New button for creatingnew role.

Delete button for deletingroles.

3.4 Access Control Enhancement

3.4.1 Depreciate User Association to Report Template

In previous releases report template access control allows users

associated to template for access. This direct association of users toresources is inconsistent to the general rule association mechanism. Withthe introduction of role management UI managing user rights to reporttemplates can be easily done by declaring rules for the templates and thenassociating roles to users.

both direct user and role group association should be depreciatedby removing user and user group and disable role group selectionat the tree of configuration dialog.

3.4.2 Changes of role and access rule content

The role and access control rules are declared in csv files and populatedto system using command line tool. With the introduction of Role FGOand depreciation of role group-resource association the contents changesare needed. This involves using migrating 5.3.2 contents and exportingthe roles and rules. The exported roles and rules are used to update thecontents.

3.4.3 Remove printrolepriviliages

This requirement was dropped before FCF.

Two utilities printaccessrules.sh and printrolepriviliages.sh do the similar

things of printing out access control rules. The former has the print outordered by resource and the latter ordered by role.

drop the printrolepriviliages.sh by removing printrolepriviliages.shand class com.modeln.tools.dev.CMnPrintRolePrivileges




32/42


4. MOCK UP

4.1 Role Left Navigation and Search

The role search is for display name not for name. Enhancement of search forboth name and display name will be considered in the future release.

4.2 Role Detail




33/42


4.3 Role/Group Creation Dialog




34/42


5. MIGRATION

5.1 Add Role FGO

Role is new FGO introduced in this release. The FGO got to be added atmigration.

5.2 FGO Change of Role from Group to Role

Roles are modeled as group in the previous releases. With the Role FGOintroduced in this release to support role management migration got toconvert roles to role FGO. The conversion requires migration script to findall the leaf nodes under enterprise role root and change module id(mgr_id) from group FGO to role one in db for these role records.

5.3 Depreciate Access Rules from Role Groups to Contained Roles

The access control rules associated to role groups need to be inheriteddown the containment hierarchy by all the roles contained by the groups.The migration process is given in the activity diagram in Figure 8




35/42


Find a list of associated rules to role and role groups up hierarchy

[Loop for each role]

[Finish Looping]

Delete all the rules associated to groups

Resolve by removing overridden rules

Copy rules associated to groups (level>0) to create rules associated to role

Figure 8 Rule migration activity diagram

5.4 Remove Direct Users Associations to Resources

5.4.1 Direct Associations of Users and Access Rules

Report templates support users associated to templates for accessingthese templates in previous releases. This support is depreciated in thisrelease. All the user associations to report templates become obsolete

and are misleading to display at report template access control page.Migration script to remove the associations is required. The script willremove all direct user associations to access rules.

A role group MIGRATION-ROLE-GROUP-TYPE is added as parents ofall the new roles in this migration.




36/42


Create a new role and associate the role to the report template with the access rule

[Loop for each report template in the list]

[Finish Looping]

Delete the direct associations of users to the report template

Assign the role to all the users associated to the report template of the same rule

Find all direct associations of user and report template

Figure 9 Activity diagram for the process of migrating direct association ofusers and access control rules




37/42


6. EXTERNAL MODULE INTERFACING

Role is pivotal part of access control management. Resource accesscontrol is configured by creating rules with role, resource path and action.

For supporting UI access control configuration search of roles with rolename, role display name and role group criteria are required. This searchrequirement is fulfilled by the new role query given at section 3.3.3. TheMock Up at section 4.1 shows the role name and role group criteria atrole/group search.

Role and user access privilege report development might need role/groupqueries. Will discuss with developer later on this and this is listed as anopen issue.




38/42


7. TESTING

There are existing unit tests for access control rule entry and accesscontrol rule. New test scenarios will be added for the testing of user group

association to roles and rule inheritance resolution. These changes will beadded to the following unit test:

com.modeln.infr.access.rule.test.CMnTestAccessRuleMgr.java

com.modeln.infr.access.test.CMnTestAccessControlMgr.java




39/42


8. BUILDIMPACT

No build impact expected




40/42


9. CUSTOMER IMPACTS

Since report templates will have all the user associations removed onmigration new roles should be created and assigned to the users and

associated with the templates. Customers could see users in the reporttemplate access control page are replaced with roles. Detail is given inmigration section.




41/42


10. OPENISSUES

10.1 Open Tasks

10.1.1 Discuss with report developer for any role query support of role and useraccess privilege report development.

This requirement is dropped.

10.1.2 Work with professional service to get a default set of role resourceassignment.

ENTE-SYS-ADMIN-TYPE is used to consolidate ENTE-IT-ADMIN-TYPE and ENTE-REP-ADMIN-TYPE.

10.2 External Module Interfacing

10.2.1 To support access control history report (stretch goal) revision historyneeds to be persisted.

This is postponed for possible future release.




42/42


11. APPENDIX