Create a Read-Only role for Collection Grants
Users have expressed desire to provide read-only access to Collections. Would provide visibility at the "Full" level, without ability to modify reviews.
Option: Should this be a modifier applied to an existing Grant or a new type of Grant?
Question: Could/should a Restricted user have Grants in a collection that allows them to modify specific STIG/Asset assignments, but overall Read-Only access to a collection?
Question: Does/should the Client check that the user token includes the scopes it requested?
Note:
Overall Read-Only access for the whole app can already be accomplished by assigning appropriate Scopes (i.e. just the :read ones).
Could the restricted access grant be used with some additional options in manage user access to implement this? Seems like the interface is there to support something like this. Restricted Read Access is what I am currently thinking.
Yes. I'll post a follow-up comment with the initial design specification we are developing against. It supports User Groups and a configurable Review ACL for all roles, not only Restricted. The ACL rules will support an access property whose value is from the set none, read, read/write. The design is still subject to minor changes.
Role-Based Access Control (RBAC) components
1. Grant
Grant = Collection + User/Group + Role (formerly Access Level)
User collision
- select any User Grant over any Group Grant(s).
- when User matched by multiple Groups, select Grant with highest priority Role. Apply role collision rule on ties.
Role collision
- merge ACL resources and on Asset/STIG access collision select lowest access.
2. Role
Role = Review ACL + Privileges + Priority
3. Review ACL
ACL = List of Rules
Rule = Resource (unique per list) + Access
Resource (resolves to list of Asset/STIG)
- collection (all Assets and their mapped STIGs)
- asset (this Asset and its mapped STIGs)
- stig (this STIG and its mapped Assets)
- label (all Assets with this Label and their mapped STIGs)
Access (defined from lowest to highest)
- none (allowed for Restricted role only)
- read
- read/write
Asset/STIG collisions
- the most specific resource is selected.
Access collisions
- lowest access is selected.
4. Privileges
Collection
- modify
- delete
Grant
- create owner
- create non-owner
- modify owner
- modify non-owner
- delete owner
- delete non-owner
Asset
- create
- modify
- delete
STIG
- map
- unmap
Label
- create
- modify
- delete
- map
- unmap
5. Built-in Roles
For the built-in Roles:
- Each Role has a default Review ACL rule which cannot be removed.
- For all Roles, the Review ACL can be extended.
- Privileges cannot be modified or extended.
| Priority | Role | Default ACL rule | Privileges: Collection | Privileges: Grant | Privileges: Asset | Privileges: Label | Privileges: STIG |
|---|---|---|---|---|---|---|---|
| 4 | Owner | read/write | modify, delete | create owner, modify owner, delete owner, create non-owner, modify non-owner, delete non-owner | create, modify, delete | create, modify, delete, map, unmap | map, unmap |
| 3 | Manage | read/write | modify | create non-owner, modify non-owner, delete non-owner | create, modify, delete | create, modify, delete, map, unmap | map, unmap |
| 2 | Full | read/write | none | none | none | none | none |
| 1 | Restricted | none | none | none | none | none | none |
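The collision rules in the design comment above (User Grant over Group Grant, highest-priority Role, merged ACLs, most specific resource, lowest access) as a small resolver. This is an added illustration, not STIG Manager code; the specificity ranking of resources and all names, roles and sample grants are assumptions made for the example.

```javascript
const ACCESS = { none: 0, read: 1, 'read/write': 2 }; // lowest to highest
// Assumption (not on the page): a narrower resource is more specific; asset
// and stig rules tie, and ties are settled by the lowest-access rule below.
const SPECIFICITY = { collection: 0, label: 1, stig: 2, asset: 2 };

// Does this rule's resource resolve to the given Asset/STIG pair?
function ruleMatches(rule, asset, stigId) {
  switch (rule.resource.type) {
    case 'collection': return true;
    case 'asset': return rule.resource.id === asset.id;
    case 'stig': return rule.resource.id === stigId;
    case 'label': return asset.labels.includes(rule.resource.id);
    default: return false;
  }
}

// Role collision: merge ACLs; same resource in two rules keeps the lowest access.
function mergeAcls(roles) {
  const merged = new Map();
  for (const role of roles) for (const rule of role.acl) {
    const key = `${rule.resource.type}:${rule.resource.id ?? ''}`;
    const prev = merged.get(key);
    if (!prev || ACCESS[rule.access] < ACCESS[prev.access]) merged.set(key, rule);
  }
  return [...merged.values()];
}

// User collision: a direct User Grant beats Group Grants; among Group Grants
// the highest-priority Role wins and equal-priority Roles are merged.
function effectiveAcl(grants, user) {
  const direct = grants.find(g => g.user === user.name);
  if (direct) return direct.role.acl;
  const viaGroup = grants.filter(g => user.groups.includes(g.group));
  if (!viaGroup.length) return [];
  const top = Math.max(...viaGroup.map(g => g.role.priority));
  return mergeAcls(viaGroup.filter(g => g.role.priority === top).map(g => g.role));
}
// Asset/STIG collision: most specific rule wins; access collision: lowest wins.
function accessFor(acl, asset, stigId) {
  const hits = acl.filter(r => ruleMatches(r, asset, stigId));
  if (!hits.length) return 'none';
  const best = Math.max(...hits.map(r => SPECIFICITY[r.resource.type]));
  return hits.filter(r => SPECIFICITY[r.resource.type] === best)
    .reduce((low, r) => (ACCESS[r.access] < ACCESS[low] ? r.access : low), 'read/write');
}
// Constructed sample: Restricted extended with read on label "prod" = read-only view of prod assets.
const readOnly = { priority: 1, acl: [{ resource: { type: 'collection' }, access: 'none' },
  { resource: { type: 'label', id: 'prod' }, access: 'read' }] };
const full = { priority: 2, acl: [{ resource: { type: 'collection' }, access: 'read/write' }] };
const sampleGrants = [{ group: 'auditors', role: readOnly }, { group: 'ops', role: full }];
```

With these grants a user only in "auditors" can read prod assets and sees nothing else, while membership in "ops" outranks that and yields read/write.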