Security Configuration
Contents
Security Overview
Security is split into two distinct functions: User Authentication and User Authorisation. Authentication is the process of ensuing the provided user credentials match up against a valid user account. Authorisation is the process of ensuring a user is allowed to perform the action they are trying to perform.
The Fusion Registry only provides Authentication services for two types of user; the Fusion Registry Root user, and Fusion Reporting Node users. Authentication for other users are provided by either:
- Fusion Security Web Server
- Active Directory via LDAP
- Apache Tomcat via Certificate Authentication
Once a user is Authenticated, the relevant User Account is loaded into the session, and the Fusion Registry uses its security model and rules to authorise the user is allowed to access the resource.
Authentication
Fusion Security
Active Directory
Certificate
Authorisation
To understand Authorisation, it is important to understand the security model for the Fusion Registry. Each user account links to zero or more Organisations maintained in the Fusion Registry. A user account does not need to link to an Organisation, the account may have administrative permissions, which provides unrestricted access to the product. The Organisation a user account can be linked to falls into one of three categories:
- An Agency
- A Data Provider
- A Data Consumer
An Agency User is able to create, maintain, and delete structures that belong to the Agency, or any of its sub-agencies.
A Data Provider User is able to Registry, or publish data for any datasets the Data Provider has been set up to provide data for via a Provision Agreement. The Fusion Registry can be locked down to only allow Data Providers to see the data they have provided, in this instance data access will be private, restricted to only Admin, Agency, and Data Provider users.
A Data Consumer User has no special privileges provided by default, however they are able to access the Fusion Registry if the product has been set up to enforce login.
In addition to the default authorisation rules, rules may be set up to restrict access to specific structures, datasets, and data points accessed via the Fusion Registry. Specific security rules are applied by linking rules to Security Groups, and then linking Organisations to Security Groups. This is shown in the image below