Upload
balaji-gadi
View
218
Download
0
Embed Size (px)
Citation preview
8/2/2019 Access Control Design
1/42
Product Design Specification
Project: Access-ControlRelease: Fuji
Copyright 2009 Model N, Inc. This information isconfidential and is for internal use only. No part of it maybe circulated, quoted, or reproduced for distributionoutside of the organization without prior written approval.
8/2/2019 Access Control Design
2/42
Product Design Specification Version 1.0 - Draft
Modification History
Revision Date Description
1.0 4/20/09 First draft
4/21/09 Add detail design for rule resolution and rule migration
5/2/09 Complete unit test section
10/9/09 Update
List of Contributors
Name Initials Organization E-mail
Min Zhou MZ Model N, Inc [email protected]
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 2 out of 42
8/2/2019 Access Control Design
3/42
Product Design Specification Version 1.0 - Draft
Table of Contents
1. INTRODUCTION ...................................................................................................................................... 5
1.1 OVERVIEW.................................................................................................................................................... 5
1.2 REQUIREMENTS DOCUMENTS REFERENCE............................................................................................................ 51.3 DESIGN TARGETSAND LIMITS........................................................................................................................... 51.4 DEPENDENCIES.............................................................................................................................................. 5
2. COMMUNITY MODEL OVERVIEW .......................................................................................................... 6
2.1 COMMUNITY ENTITY........................................................................................................................................ 62.2 COMMUNITY EDGE.......................................................................................................................................... 62.3 COMMUNITY STRUCTURE.................................................................................................................................. 6
2.3.1 Community Data Modeling ...................................................................................................................72.4 ACCESS CONTROL.......................................................................................................................................... 7
2.4.1 Access Control Rule .............................................................................................................................72.4.2 User-Role Association ........................................................................................................................122.4.3 Access Control List (ACL) ..................................................................................................................12
3. DESIGN DESCRIPTION .........................................................................................................................14
3.1 POF SUPPORT .......................................................................................................................................... 143.2 ASSOCIATION CHANGESIN ACCESS CONTROL.................................................................................................... 15
3.2.1 Access Control Rule Resolution ........................................................................................................153.3 ROLE/GROUP UI MANAGEMENT...................................................................................................................... 15
3.3.1 Admin Folder Reorganization .............................................................................................................153.3.2 New Role/Group Navigation in Admin Folder ....................................................................................163.3.3 Role/Group Search .............................................................................................................................163.3.4 Role/Group Management...................................................................................................................193.3.5 Role/Group Detail...............................................................................................................................26
3.4 ACCESS CONTROL ENHANCEMENT................................................................................................................... 313.4.1 Depreciate User Association to Report Template ..............................................................................31
3.4.2 Changes of role and access rule content...........................................................................................313.4.3 Remove printrolepriviliages ................................................................................................................31
This requirement was dropped before FCF. ...........................................................................................31
4. MOCK UP .......................................................................................................................................... ....32
4.1 ROLE LEFT NAVIGATIONAND SEARCH.............................................................................................................. 324.2 ROLE DETAIL.............................................................................................................................................. 324.3 ROLE/GROUP CREATION DIALOG..................................................................................................................... 33
5. MIGRATION ....................................................................................................................................... ....34
5.1 ADD ROLE FGO ........................................................................................................................................345.2 FGO CHANGEOF ROLEFROM GROUPTO ROLE ............................................................................................... 34
5.3 DEPRECIATE ACCESS RULESFROM ROLE GROUPSTO CONTAINED ROLES .............................................................. 345.4 REMOVE DIRECT USERS ASSOCIATIONSTO RESOURCES....................................................................................... 35
5.4.1 Direct Associations of Users and Access Rules ................................................................................35
6. EXTERNAL MODULE INTERFACING .................................................................................................. 37
7. TESTING ............................................................................................................................................ ....38
8. BUILD IMPACT ...................................................................................................................................... 39
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 3 out of 42
8/2/2019 Access Control Design
4/42
Product Design Specification Version 1.0 - Draft
9. CUSTOMER IMPACTS ................................................................................................................. ..... ....40
10. OPEN ISSUES ...................................................................................................................... ..... .......... 41
10.1 OPEN TASKS............................................................................................................................................. 4110.1.1 Discuss with report developer for any role query support of role and user access privilege reportdevelopment................................................................................................................................................41
This requirement is dropped. ....................................................................................................................4110.1.2 Work with professional service to get a default set of role resource assignment............................41
10.2 EXTERNAL MODULE INTERFACING .................................................................................................................. 4110.2.1 To support access control history report (stretch goal) revision history needs to be persisted.......41
11. APPENDIX ..........................................................................................................................................42
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 4 out of 42
8/2/2019 Access Control Design
5/42
Product Design Specification Version 1.0 - Draft
1. INTRODUCTION
1.1 Overview
In Model N application accesses of resources are controlled by rulesassociated to roles and users or user groups are assigned with roles forresource access rules.
The access control rules are declared in csv files and populated to systemusing command line tool. This populating process requires to be done athosting server. For large companies, such as Amgen, that operateglobally the process is too cumbersome to meet these companys needsof frequent access control management tasks at geographically distributedorganizations.
To address the issue web browser based administration of access control
will be added in this release. It will provide global admin users capability ofusing browsers to manage roles and associations of roles to users andresources.
Currently users are organized in user groups and roles are attached tousers but not user groups. There is increasing demand from largeenterprises for convenient administration of associating roles to usergroups that have all the users in the group inheriting the role association.Supporting role association to user groups is added to this access controlenhancement.
1.2 Requirements Documents Reference
This design is based on the following requirements documents:
Functional Specification
1.3 Design Targets and Limits
Scalability targets for the role/group:
Name Expected Maximum
Number of Roles 100 500
1.4 Dependencies
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 5 out of 42
http://var/Product/Fuji/Functional%20Specs/Technology/AccessControlFRS.dochttp://var/Product/Fuji/Functional%20Specs/Technology/AccessControlFRS.doc8/2/2019 Access Control Design
6/42
Product Design Specification Version 1.0 - Draft
2. COMMUNITY MODEL OVERVIEW
Community is a concept introduced at Model N platform for the abstractionof enterprise organizational entities and their relationships (edge).
2.1 Community Entity
The community members are composed of user, role, group, customer,membership, alignment, etc. These entities are implemented with FGOsthat extend from Member.
Class diagram at Figure 1 lists all the FGO inheriting from Member.
A new Role FGO is proposed to handle role. Detailed discussionfor the Role FGO will be given later.
CMnMember
CMnAlignmentNode CMnBookOfBusiness CMnGroup CMnMemberSearchResultObjRender
CMnOrganization CMnPlan CMnRealm CMnRoleCMnUserAcct
Figure 1 Class diagram of all the FGOs in community that inherit fromMember
2.2 Community Edge
More than a dozen of edges, such as PART_OF, KIND_OF, are supportedfor these entities. The edge is modeled with FGO CommunityDag and theedge types are declared in parent FGO Dag.
2.3 Community Structure
The community is structured as a Directed Acyclic Graph (DAG). A
simplified (mainly PART_OF edges) DAG diagram is shown in Figure 2 todemonstrate structures of user/group and role/group that come with theModel N application content population. In the diagram entities arerepresented as nodes and edges as arrows.
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 6 out of 42
8/2/2019 Access Control Design
7/42
Product Design Specification Version 1.0 - Draft
Root
ENTE-TYPE
ENTE-ORG
ENTE-REBATES-
TYPE
REBATES-MGR-TYPE
GlobalOrganization
Node
Medtech
Corporation
Admin Group
AliceWonderland
Enterprise OrgGlobal Node
... Global Realm
Global
Integration
Admin Group
Global
IntegrationUser
FGO type:
Group
UserAcct
User Group
User
Role Group
Role
(Modeled with
new Role FGO)
Figure 2 Directed Acyclic Graph (DAG) of example user/group androle/group
2.3.1 Community Data Modeling
Community data model has MN_MEMBER and MN_CMTY_EDGE asbackbone tables modeling entity and edge respectively. Edge recordskeep source and destination ids together with edge type. Oraclehierarchy query supports query along the hierarchy.
2.4 Access Control
2.4.1 Access Control Rule
Access control rule(these circled by Access Control Rule in Figure 3) ismodeled by FGO AccessRule that has association of
role/group
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 7 out of 42
8/2/2019 Access Control Design
8/42
Product Design Specification Version 1.0 - Draft
resource
action
plugin (allow/deny).
user
userGroup
**
role
*
*
resource
1
*
action
**
*
roleGroup
1
*
parent
*
*
*
Access Control Rule
User-repo
rttemplate
Figure 3 Existing implementation of access control rule and user-roleassociation
2.4.1.1 Role/Group-Resource Association
role association to resource
role group association to resource2.4.1.2 Rule Inheritance at Role and Resource Hierarchies
To get better understanding of access rules with the containmenthierarchy of role and resource a diagram is drawn in Figure 4 todemonstrate rule declarations.
rule inheritance in role/group hierarchy
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 8 out of 42
8/2/2019 Access Control Design
9/42
Product Design Specification Version 1.0 - Draft
Each role group contains one or more roles or role groups. All the rulesassociated to a role group are carried over downwards along the treehierarchy all the way to the leaf node roles. This inheritance providesaccess control management at role group level. That is instead ofdeclaring same rules for all the roles in a group it is convenient to give the
rules to role groups. rule inheritance along resource path containment hierarchy
View
Create, Modify
View
ENTE-TYPE
ENTE-SALES-TYPE
ENTE-MKTG-TYPE
ENTE-ADMIN-TYPE
root
app
pricing contract
pp pl
priceoverride
Figure 4 Example rule declarations at role and resource hierarchies
Summarized access rules for pp and priceoverride
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 9 out of 42
8/2/2019 Access Control Design
10/42
Product Design Specification Version 1.0 - Draft
Resources(path) ENTE-SALES-TYPE
ENTE-MKTG-TYPE
ENTE-ADMIN-TYPE
pp
(root.app.pricing.pp)
view view,
create,modify
view
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 10 out of 42
8/2/2019 Access Control Design
11/42
Product Design Specification Version 1.0 - Draft
priceoverride
(root.app.pricing.pp.priceoverride)
view,create,modify
view
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 11 out of 42
8/2/2019 Access Control Design
12/42
Product Design Specification Version 1.0 - Draft
2.4.2 User-Role Association
user association to role
no user association with role group
no user group association to either role or role group
Users and roles have many to many relationships with KIND_OF edge.This relationship has role drives user access control.
User groups are usually enterprise organization structures for organizingusers. Since roles are associated to users and not user groups, anyorganization structure changes that lead to reorganizing user group haveno impact on user-role associations. And any user moving to differentorganization structure or any assigning user with additional user group hasno change of role association either. It is easy to understand that currentimplementation has roles and responsibilities decoupled fromorg/business structures. Since the role assignments is at user level
declaration of user-role association needs to be done for users one byone. For large organizations this becomes inappropriate for admin workload of declaring and maintaining large number of user-role associations.
2.4.3 Access Control List (ACL)
On login resolved access control rules for logged in user are encapsulatedin an ACL. This resolving process is given in the diagram below:
Find all the associated rules using Oracle hierarchical query by starting with login user to role and role groups along hierarchy
Resolve by removing overridden rules
Figure 5 Existing access control rule resolving process activity diagram
2.4.3.1 Rule Resolving
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 12 out of 42
8/2/2019 Access Control Design
13/42
Product Design Specification Version 1.0 - Draft
Shown in the diagram below a rule is declared as allow ENTE-TYPE toview pp while deny ENTE-SALES-TYPE to view priceoverride. Theconflict rules through inheritance are
resolved by picking up the rule with least number of nodes in thepath
This case has deny overriding allow view
view
viewENTE-TYPE
ENTE-SALES-TYPE
pp
priceoverride
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 13 out of 42
8/2/2019 Access Control Design
14/42
Product Design Specification Version 1.0 - Draft
3. DESIGN DESCRIPTION
3.1 POF Support
As shown in Figure 2 role REBATES-MGR-TYPE belongs to Group. Foreasy implementation and maintenance of UI role management a newFGO, Role, will be introduced. The new role FGO will extend the Memberas it is shown in Figure 1. The role FGO has its own module id and onenew attribute FoldConfigName that stores the properties used to be incommunity property table and persists in the same table mn_member. Inaddition a new attribute, DisplayName, is added to Member FGO and thisattribute is a required attribute for Role FGO. This implementation hasminimum impact to current implementation and requires minimummigration efforts.
Role.xml:
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 14 out of 42
8/2/2019 Access Control Design
15/42
Product Design Specification Version 1.0 - Draft
3.2 Association Changes in Access Control
Following changes are required in this release [FRS Section 3.1 BasicConcepts of User, Group, Role, Resource, UI Elements and AccessPrivileges]
only role association with resources no role group association with resources any more
user group association with roles in stead
no direct user association with resource
user
userGroup
**
role
* *
*
*
resource
1
*
action
* *
*
roleGroup
1
*
parent
Figure 6 New access control rule and user/group role association
3.2.1 Access Control Rule Resolution
The existing rule resolution revolution supports the user PART_OFinheritance hierarchy. At user login time access privileges are obtainedfor the user.
Additional testing scenarios that support the new association are added toexisting unit tests for the rule resolution.
3.3 Role/Group UI Management3.3.1 Admin Folder Reorganization
Rename Users and Territories to Users and Organizations.
Add a new node Management next to Users and Organizationsand move Nodes and Locks and Jobs and Job Queue to beunder Management.
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 15 out of 42
8/2/2019 Access Control Design
16/42
Product Design Specification Version 1.0 - Draft
3.3.2 New Role/Group Navigation in Admin Folder
Add a new Roles folder (new role icon) as a child of Users andOrganizations.
The Role folder is the root of role and role group tree hierarchy
3.3.3 Role/Group Search
Create a new search role model ent-role for the implementation ofrole search.
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 16 out of 42
8/2/2019 Access Control Design
17/42
Product Design Specification Version 1.0 - Draft
Type Search Criteria Field Type
Role Display Name Text
Associated user/group User/group chooser dialog
Associated resource Text
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 17 out of 42
8/2/2019 Access Control Design
18/42
Product Design Specification Version 1.0 - Draft
Role Group Display Name Text
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 18 out of 42
8/2/2019 Access Control Design
19/42
Product Design Specification Version 1.0 - Draft
3.3.4 Role/Group Management
3.3.4.1 Access Control
The role management is restricted to system admin. Following resource
and control rules will be added.
Resources.csv
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 19 out of 42
8/2/2019 Access Control Design
20/42
Product Design Specification Version 1.0 - Draft
root.app.cmty.role, Resource to configure the ability to create or modify role
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 20 out of 42
8/2/2019 Access Control Design
21/42
Product Design Specification Version 1.0 - Draft
AccessControls.csv
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 21 out of 42
8/2/2019 Access Control Design
22/42
Product Design Specification Version 1.0 - Draft
ENTE-ADMIN-TYPE,CREATE,root.app.cmty.role,allow
ENTE-ADMIN-TYPE,MODIFY,root.app.cmty.role,allow
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 22 out of 42
8/2/2019 Access Control Design
23/42
Product Design Specification Version 1.0 - Draft
3.3.4.2 Create New Role/Group
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 23 out of 42
8/2/2019 Access Control Design
24/42
Product Design Specification Version 1.0 - Draft
AttributeName
Type Required Uniqueness
Name String Yes Yes
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 24 out of 42
8/2/2019 Access Control Design
25/42
Product Design Specification Version 1.0 - Draft
Display Name String Yes Yes
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 25 out of 42
8/2/2019 Access Control Design
26/42
Product Design Specification Version 1.0 - Draft
Instantiate and persist Group or Role FGO
Instantiate and persist CommunityDag to associate the role/groupFGO to parent group with a PART_OF type.
3.3.4.3 Delete Role/Group
Delete role/group FGO and edges to parents (Only empty rolegroups allowed to be deleted).
Delete its associations of users and access rules for role.
.A pop up dialog requesting user confirm before removal actually happens.
3.3.4.4 Copy Role
Use FGO deep copy utility.
Copy all existing resources and access privileges of the selected
role to the new role.The default group is the same as the original one. A different role group
can be chosen by browsing a dialog role group hierarchy.
The default role name is role-name-COPY. If role-name-COPY exists inthe system already, COPY# is used.
3.3.4.5 Export Role and Access Rules
Data flow AccessrulefromEjbql in both default and global are created forexporting the roles and access rules. Export file is in csv format. Thegroup, role and rule formats are the same as these used in thecorresponding population contents.
3.3.4.6 Import Role and Resource Associations
The CommunityReader and AccessControlReader for populating rolesand access control rules will be based for the implementation of importingroles and rules from exported CSV file. Changes in this dataflow areneeded for persisting role with FGO Role instead of Group. The changesapply to the command line populating of access control contents.
3.3.5 Role/Group Detail
3.3.5.1 Title Bar
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 26 out of 42
8/2/2019 Access Control Design
27/42
Product Design Specification Version 1.0 - Draft
Type Title Bar Label
Role Role
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 27 out of 42
8/2/2019 Access Control Design
28/42
Product Design Specification Version 1.0 - Draft
Role Group Role Group
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 28 out of 42
8/2/2019 Access Control Design
29/42
Product Design Specification Version 1.0 - Draft
3.3.5.2 Role Navigation
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 29 out of 42
8/2/2019 Access Control Design
30/42
Product Design Specification Version 1.0 - Draft
Type Pages Description Task Panel
Role General Role detail in edit mode. Save
Copy
Users andGroups
A selection list of all theassociated users anduser groups with theirtypes.
User/group names link touser details.
Add button for addinguser or user groupassociations.
Delete button for
removing user or usergroup associations.
AccessRules(stretch goal)
A selection list of all theassociated resourcesand description andactions.
Add button for addingrule.
Delete button forremoving rules.
RoleGroup
General Role group detail in editmode
Save
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 30 out of 42
8/2/2019 Access Control Design
31/42
Product Design Specification Version 1.0 - Draft
Children A list of all the roles inthe group
Role names link to roledetail.
New button for creatingnew role.
Delete button for deletingroles.
3.4 Access Control Enhancement
3.4.1 Depreciate User Association to Report Template
In previous releases report template access control allows users
associated to template for access. This direct association of users toresources is inconsistent to the general rule association mechanism. Withthe introduction of role management UI managing user rights to reporttemplates can be easily done by declaring rules for the templates and thenassociating roles to users.
both direct user and role group association should be depreciatedby removing user and user group and disable role group selectionat the tree of configuration dialog.
3.4.2 Changes of role and access rule content
The role and access control rules are declared in csv files and populatedto system using command line tool. With the introduction of Role FGOand depreciation of role group-resource association the contents changesare needed. This involves using migrating 5.3.2 contents and exportingthe roles and rules. The exported roles and rules are used to update thecontents.
3.4.3 Remove printrolepriviliages
This requirement was dropped before FCF.
Two utilities printaccessrules.sh and printrolepriviliages.sh do the similar
things of printing out access control rules. The former has the print outordered by resource and the latter ordered by role.
drop the printrolepriviliages.sh by removing printrolepriviliages.shand class com.modeln.tools.dev.CMnPrintRolePrivileges
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 31 out of 42
8/2/2019 Access Control Design
32/42
Product Design Specification Version 1.0 - Draft
4. MOCK UP
4.1 Role Left Navigation and Search
The role search is for display name not for name. Enhancement of search forboth name and display name will be considered in the future release.
4.2 Role Detail
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 32 out of 42
8/2/2019 Access Control Design
33/42
Product Design Specification Version 1.0 - Draft
4.3 Role/Group Creation Dialog
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 33 out of 42
8/2/2019 Access Control Design
34/42
Product Design Specification Version 1.0 - Draft
5. MIGRATION
5.1 Add Role FGO
Role is new FGO introduced in this release. The FGO got to be added atmigration.
5.2 FGO Change of Role from Group to Role
Roles are modeled as group in the previous releases. With the Role FGOintroduced in this release to support role management migration got toconvert roles to role FGO. The conversion requires migration script to findall the leaf nodes under enterprise role root and change module id(mgr_id) from group FGO to role one in db for these role records.
5.3 Depreciate Access Rules from Role Groups to Contained Roles
The access control rules associated to role groups need to be inheriteddown the containment hierarchy by all the roles contained by the groups.The migration process is given in the activity diagram in Figure 8
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 34 out of 42
8/2/2019 Access Control Design
35/42
Product Design Specification Version 1.0 - Draft
Find a list of associated rules to role and role groups up hierarchy
[Loop for each role]
[Finish Looping]
Delete all the rules associated to groups
Resolve by removing overridden rules
Copy rules associated to groups (level>0) to create rules associated to role
Figure 8 Rule migration activity diagram
5.4 Remove Direct Users Associations to Resources
5.4.1 Direct Associations of Users and Access Rules
Report templates support users associated to templates for accessingthese templates in previous releases. This support is depreciated in thisrelease. All the user associations to report templates become obsolete
and are misleading to display at report template access control page.Migration script to remove the associations is required. The script willremove all direct user associations to access rules.
A role group MIGRATION-ROLE-GROUP-TYPE is added as parents ofall the new roles in this migration.
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 35 out of 42
8/2/2019 Access Control Design
36/42
Product Design Specification Version 1.0 - Draft
Create a new role and associate the role to the report template with the access rule
[Loop for each report template in the list]
[Finish Looping]
Delete the direct associations of users to the report template
Assign the role to all the users associated to the report template of the same rule
Find all direct associations of user and report template
Figure 9 Activity diagram for the process of migrating direct association ofusers and access control rules
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 36 out of 42
8/2/2019 Access Control Design
37/42
Product Design Specification Version 1.0 - Draft
6. EXTERNAL MODULE INTERFACING
Role is pivotal part of access control management. Resource accesscontrol is configured by creating rules with role, resource path and action.
For supporting UI access control configuration search of roles with rolename, role display name and role group criteria are required. This searchrequirement is fulfilled by the new role query given at section 3.3.3. TheMock Up at section 4.1 shows the role name and role group criteria atrole/group search.
Role and user access privilege report development might need role/groupqueries. Will discuss with developer later on this and this is listed as anopen issue.
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 37 out of 42
8/2/2019 Access Control Design
38/42
Product Design Specification Version 1.0 - Draft
7. TESTING
There are existing unit tests for access control rule entry and accesscontrol rule. New test scenarios will be added for the testing of user group
association to roles and rule inheritance resolution. These changes will beadded to the following unit test:
com.modeln.infr.access.rule.test.CMnTestAccessRuleMgr.java
com.modeln.infr.access.test.CMnTestAccessControlMgr.java
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 38 out of 42
8/2/2019 Access Control Design
39/42
Product Design Specification Version 1.0 - Draft
8. BUILDIMPACT
No build impact expected
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 39 out of 42
8/2/2019 Access Control Design
40/42
Product Design Specification Version 1.0 - Draft
9. CUSTOMER IMPACTS
Since report templates will have all the user associations removed onmigration new roles should be created and assigned to the users and
associated with the templates. Customers could see users in the reporttemplate access control page are replaced with roles. Detail is given inmigration section.
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 40 out of 42
8/2/2019 Access Control Design
41/42
Product Design Specification Version 1.0 - Draft
10. OPENISSUES
10.1 Open Tasks
10.1.1 Discuss with report developer for any role query support of role and useraccess privilege report development.
This requirement is dropped.
10.1.2 Work with professional service to get a default set of role resourceassignment.
ENTE-SYS-ADMIN-TYPE is used to consolidate ENTE-IT-ADMIN-TYPE and ENTE-REP-ADMIN-TYPE.
10.2 External Module Interfacing
10.2.1 To support access control history report (stretch goal) revision historyneeds to be persisted.
This is postponed for possible future release.
Copyright 2009 Model N, Inc. Project: Access-Control 10/9/2009
Proprietary and Confidential Release: Fuji 41 out of 42
8/2/2019 Access Control Design
42/42
Product Design Specification Version 1.0 - Draft
11. APPENDIX