Fusion Security Manager (FR V11)

From Fusion Registry Wiki
Revision as of 02:16, 8 February 2023 by Mnelson (talk | contribs) (Created page with "Category:RegistrySecurity = Overview = The Security model in Fusion Registry 11 was enhanced to reflect the need to support more complex use cases around securing informa...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


Overview

The Security model in Fusion Registry 11 was enhanced to reflect the need to support more complex use cases around securing information in the Registry.

Authorization permissions are now maintained in a separate web User Interface called Fusion Security Manager. This User Interface enables the creations of Groups, and the creation of authorization rules which explicitly permit or deny a security group access to a resource.

The default behaviour of Fusion Registry 11 is to make everything private. In order to make structures and data public, specific security rules must be defined to grant access.

The following topics discuss each aspect of security in Fusion Registry 11.

Security Groups

The Fusion Security Manager enables Groups to be defined. Fusion Registry no longer supports assigning users to Groups, instead it will get the Group information from the Authentication service, for example Active Directory supports assigning Groups to users, and the Fusion Registry will map any Group that the AD User belongs to, with it's own Groups. In short, if the AD Group ID matches a Group ID in the Fusion Security Manager, then the Fusion Registry user assumes that Group. The user can be long to one or more Groups.

By default there is a Group called 'Public'. This Group can not be deleted, and all users belong to the Public Group, even if they are not logged into the system. The Public Group provides a mechanism for granting unrestricted access to resources.

When security rules are defined, they either grant an Allow permission, or a Deny permission. It is important to note that a Deny permission implicitly allows all other Groups. When rules are checked against a specific user, the user will be granted access if they belong to at least one Group that has permission


The following table describes this behaviour with specific examples:

User Group(s) Security Rule(s) Outcome
Public - none defined - The user can not see the resource as the default behaviour is to deny access
Public Allow Public The user can see the resource
Public, G1 Deny Public The user can see the resource. Deny Public implicitly allows all other Groups, the user belongs to Group G1 which grants them access
Public, G1 Deny G1 The user can see the resource. Deny G1 implicitly allows all other Groups, the user belongs to Group Public which grants them access
Public, G1 Allow G1 The user can see the resource as they belong to one of the Groups that has been given permission to the resource
Public Allow G1 The user can not see the resource as they do not belong to the Group which is allowed to see the resource
Public, G1 Allow G1, Deny Public The can see the resource as belong to the Group G1 which is allowed to see the resource

Security Admin

The Security Admin page of Fusion Security Manager enables a user to be granted specific permissions for administering parts of the Fusion Registry. The Security