Difference between revisions of "Security Configuration"
(→Authentication) |
(→Authorisation) |
||
Line 27: | Line 27: | ||
== Authorisation == | == Authorisation == | ||
− | To understand Authorisation, it is important to understand the security model for the Fusion Registry. Each user account links to zero or more [[Organisations]] maintained in the Fusion Registry. The Organisation a user account can be linked to falls into one of three categories: | + | To understand Authorisation, it is important to understand the security model for the Fusion Metadata Registry. Each user account links to zero or more [[Organisations]] maintained in the Fusion Metadata Registry. The Organisation a user account can be linked to falls into one of three categories: |
# An [[Agency]] | # An [[Agency]] | ||
# A [[Data Provider]] | # A [[Data Provider]] | ||
Line 34: | Line 34: | ||
A user account may have '''administrative''' privileges, which allows the user unrestricted access to any information in the product, including access to the configuration settings of the product. | A user account may have '''administrative''' privileges, which allows the user unrestricted access to any information in the product, including access to the configuration settings of the product. | ||
− | A '''Agency''' user is able to create, maintain, and delete structures that belong to the Agency, or any of its sub-agencies | + | A '''Agency''' user is able to create, maintain, and delete structures that belong to the Agency, or any of its sub-agencies. |
− | A '''Data Provider''' user is able to | + | A '''Data Provider''' user is able to validate and convert datasets the Data Provider has been set up to provide data for via a [[Provision Agreement]]. |
− | A '''Data Consumer''' user has no special privileges provided by default, however they are able to access the | + | A '''Data Consumer''' user has no special privileges provided by default, however they are able to access the Registry if the product has been set up to [[enforce login]]. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== Root User == | == Root User == |
Revision as of 09:04, 19 January 2021
Security is split into two distinct functions: User Authentication and User Authorisation. Authentication is the process of ensuing the provided user credentials match up against a valid user account. Authorisation is the process of ensuring a user is allowed to perform the action they are trying to perform.
The Fusion Metadata Registry only provides Authentication services for two types of user; the Fusion Metadata Registry Root user. Authentication for other users are provided by either:
- Fusion Security Web Server
- Active Directory using the LDAP protocol
- Apache Tomcat via Certificate Authentication
Once a user is Authenticated, the relevant User Account is loaded into the session, and the Fusion Registry uses its security model and rules to authorise the user is allowed to access the resource.
Contents
Authentication
An Authentication Service is required to verify the provided credentials and to provide the Fusion Metadata Registry with information about the user. There are two ways a user can provide credentials to the Fusion Metadata Registry, username and password using Basic Authentication, or Certificate Authentication.
Username and Password authentication requires an authentication service to be running which can be used to verify the credentials. This external authentication service may be Fusion Security or Active Directory, the two authentication services are mutually exclusive - the Fusion Metadata Registry can only be configured to use one of these services.
After the Authentication process, the Fusion Metadata Registry must Authorise the user to access the resources. This is achieved by the Fusion Metadata Registry linking the user's account to one or more Organisations, this link is achieved in different ways depending on the Authentication mechanism.
Fusion Security
If the Authentication Service is Fusion Security, then the Fusion Security server will verify the user credentials and return the user account details to the Fusion Metadata Registry, including which Organisations the user belongs to. No additional configuration is required in the Fusion Metadata Registry.
Active Directory
If Active Directory is used as an Authentication server, then the Common Name (CN) is used to authenticate with the server. The CN is mapped in the Fusion Metadata Registry to one or more Organisations. To learn more about how to map users to Active Directory, please refer to this article.
Certificate
If Certificate Authentication is used, then the Common Name (CN) of the certificate mapped in the Fusion Metadata Registry to one or more Organisations.
Authorisation
To understand Authorisation, it is important to understand the security model for the Fusion Metadata Registry. Each user account links to zero or more Organisations maintained in the Fusion Metadata Registry. The Organisation a user account can be linked to falls into one of three categories:
- An Agency
- A Data Provider
- A Data Consumer
A user account may have administrative privileges, which allows the user unrestricted access to any information in the product, including access to the configuration settings of the product.
A Agency user is able to create, maintain, and delete structures that belong to the Agency, or any of its sub-agencies.
A Data Provider user is able to validate and convert datasets the Data Provider has been set up to provide data for via a Provision Agreement.
A Data Consumer user has no special privileges provided by default, however they are able to access the Registry if the product has been set up to enforce login.
Root User
Fusion Registry provides a single root user account, where the credentials are stored locally (not in an external authentication service). The Fusion Registry authenticates the root user, and as such the root user is always able to log into the product should the external authentication service become inaccessible.
It is not a requirement to set up an external authentication service, or use certificate authentication, it is perfectly valid to run the Fusion Registry with only a root user account. Root user has unrestricted access to the product, and as such security rules do not apply to the root user.