How to use Thing::EA_System::EA_Security

Stepan Karandin
Posts: 17
Joined: 24 Jul 2017, 11:41

Hi everyone.
We have successfully raised the multiuser installation and would like to establish role-based access to the repository.
I see EA_security classes:
- EA_Content_Classification
- EA_User

Also, there are slots on the classes:
- system_security_edit_classification
- system_security_read_classification

I've just done:
0. Create two users in the metaproject: Jon.Snow and King.Arthur
1. Create two EA_Content_classification: Enterprise and Business
2. Create two users: Jon.Snow and King.Arthur
3. Assign both EA_Content_classification to King.Arthur and none to Jon.Snow
4. Create Business_Principle and assign system_security_edit_classification and system_security_read_classification as Business

Expected behaviour: Jon.Snow knows nothing, King is able to read and edit Business_Principle

Existing: both Jon.Snow and King are able to read and edit Business_Principle

What am I doing wrong? How can I force the access control options to work at the model level?
jonathan.carter
Posts: 1087
Joined: 04 Feb 2009, 15:44

Hi Stepan,

Thanks for posting.

These security classes are primarily intended to be used by the Essential Cloud platform, which provides very fine-grained security and access control.

Using Protege in the open-source edition, these are not used or observed whilst editing the repository. Protege simply doesn’t support these constructs.

We took the decision to maintain a single version of the Essential Meta Model across the open-source and the Cloud versions and there are a number of advantages to this.

Within Essential Cloud, there are actually 2 security models working together. The first, role-based approach is quite simple to use and controls what people can do, functionally within the application, e.g. edit content in the repository. Then, to control access to the content within a repository and published versions of it within Essential Viewers, we have a fine-grained security model based on the concept of security classifications (of Classes, Instances, Slots) and security clearance levels (for users).

Jonathan
Essential Project Team
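
The two layers described in the reply above, applied to the scenario from the first post, as an added example that is not Essential Cloud or Protege code. The class names, the `editor` role, any-of matching between clearances and classifications, and deny-by-default for unclassified elements are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical model of the two layers; not the Essential Cloud API.
@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()       # layer 1: functional permissions
    clearances: frozenset = frozenset()  # layer 2: classifications the user is cleared for

@dataclass(frozen=True)
class Element:
    name: str
    read_classification: frozenset = frozenset()
    edit_classification: frozenset = frozenset()

def _cleared(user, required, default_allow):
    # Assumption: an element with no classification falls back to default_allow,
    # and holding any one of the required classifications is sufficient.
    if not required:
        return default_allow
    return bool(user.clearances & required)

def can_read(user, element, default_allow=False):
    """Content layer only: clearance for the element's read classification."""
    return _cleared(user, element.read_classification, default_allow)

def can_edit(user, element, default_allow=False):
    """Both layers: the functional 'editor' role AND clearance for the edit classification."""
    if "editor" not in user.roles:
        return False
    return _cleared(user, element.edit_classification, default_allow)

def evaluate(users, element):
    """Return {user name: (can_read, can_edit)} for one element."""
    return {u.name: (can_read(u, element), can_edit(u, element)) for u in users}

# Constructed data mirroring steps 0-4 of the first post.
BUSINESS = frozenset({"Business"})
JON = User("Jon.Snow", roles=frozenset({"editor"}))
KING = User("King.Arthur", roles=frozenset({"editor"}),
            clearances=frozenset({"Enterprise", "Business"}))
PRINCIPLE = Element("Business_Principle", BUSINESS, BUSINESS)

if __name__ == "__main__":
    for name, (r, e) in evaluate([JON, KING], PRINCIPLE).items():
        print(f"{name}: read={r} edit={e}")
```
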
Stepan Karandin
Posts: 17
Joined: 24 Jul 2017, 11:41

Thanks for the explanation, Jon

We have Protégé server + Essential viewer. We could control Protégé content by policy. But we have to provide security for Viewer.
Does the open-source Viewer have this functionality? It seems to me we can modify the XPath queries in the views, but I'd like to know your strategy roadmap and release plans.
KarenM
Posts: 14
Joined: 21 May 2018, 04:22

Hi,

On Essential Cloud, is there a way to set the security based on the value in one of the slots?
For example, for a Composite Provider - if the Lifecycle status = "Production" and the External Repository Instance Reference = "xxxxx: ID1234" then set the security for the following slots to be read only - ID, Name, Description, codebase, software version ...

Does this use the System Security Edit Classification?

regards
Karen
jonathan.carter
Posts: 1087
Joined: 04 Feb 2009, 15:44

Hi Karen,

You can use the classifications to secure access to Views, Classes, Slots on a Class or Instances and use these to control whether a user can EDIT or READ (or a combination!) those elements.

However, I think what you're describing is to go further and apply classifications dynamically based on the values of particular slots. I'm going to double-check but I think that this is beyond the current functionality.

Jonathan
Essential Project Team
jonathan.carter
Posts: 1087
Joined: 04 Feb 2009, 15:44

Following up on my last post, the Essential Cloud security framework does not include functionality for rule-based security classifications, driven by specific slot values on instances.

The complexity of using such a scheme is not to be underestimated but we'll add this to the future requirements!

Thanks

Jonathan
Essential Project Team