Security

[fleXive] implements an access control list based approach to security combined with roles. Since handling access permissions on a per user basis would result in tremendous amounts of data, [fleXive] checks permissions based on access control lists on a per user group basis. User accounts can be assigned to any number of user groups and if in rare cases an explicit user based security is needed, the use of one group for each user is recommended.

User accounts are stored in the database and consist basically of the login name together with a hashed password of the assigned groups and roles. For more information about accounts see the section called “User Management”.

Authentication is currently performed against the database by calling FxContext.login(..) (or as an alternative directly using AccountEngine.login(..)). JAAS based login can be implemented very easily by uncommenting some code in LoginLogoutHandler. It is planned to make this configurable in future versions of [fleXive].

At the core and web layer (provided they run in the same virtual machine) a context is available which is stored in a ThreadLocal called FxContext which provides amongst others the following information:

  • getDivisionId(): number of the current division

  • getLanguage(): the current users preferred language

  • getTicket(): the current users UserTicket instance

The UserTicket is the central class providing information about the current user ranging from the user name, mandator, user group memberships, assigned roles to all access control lists the user belongs to indirectly. Hence it serves as the central authorization data provider for any security check performed.

[fleXive] was designed to be used by application service providers (ASP) with only one deployed enterprise application instance using multiple databases. These database instances are called Divisions and contain their own accounts, structures and content - totally separated from other users of [fleXive].

Divisions are mapped to server names using regular expressions. A web based user interface is provided by the Global Configuration Plugin.

Mandators are - contrary to divisions - not transparent to the user but a means of separating accounts and data. Data can be shared between mandators by assigning user groups from multiple mandators to access control lists. Transfer of data between mandators is a planned upcoming feature of [fleXive]. An example when mandators should be used is e.g. to model different departments of a larger company.

Access control lists - which are assigned to user groups - define a list (Read, Edit, Create, etc.) of permissions attached to an arbitrary object like content instances, types, properties (and property assignments) or select lists. See this article on Wikipedia for more information about access control lists. For the purpose of easier organization and logical grouping [fleXive] categorizes ACL's into the following groups:

  • Instance: Attached to content instances.

  • Structure: Attached to types, properties and property assignments.

  • Workflow: Attached to workflow steps.

  • Briefcase: Attached to briefcases, to allow sharing them among different users.

  • Selectlist: Attached to select lists, the only relevant permission is Create to allow users to create new items for that list.

  • Selectlist Item: Attached to selectlist items, to restrict visibility.

Each access control list allows setting the following permissions independently: Read, Edit, Create, Delete, Relate and Export.

Roles can be assigned individually to users and groups. Every user (or account) is eligible to use any role assigned to the user or any group he belongs to. It is considered best practice to assign roles to groups and only in very rare cases (e.g. flagging someone as a global supervisor) should the role assignments be done on an individual (per user) basis.

[fleXive] provides the following roles:

  • GlobalSupervisor: no restrictions at all.

  • MandatorSupervisor: may do everything for "his" mandator

  • ACLManagement: create/update/delete ACL's for "his" mandator

  • AccountManagement: create/update/delete users, groups and roles (may only add roles he is assigned himself, may not alter assigned roles that he has not assigned himself) for "his" mandator. Everybody may read user and group informations (of course no passwords which are hashed anyways), but only for his own mandators unless he is a global supervisor.

  • SelectListEditor: may see the user interface to edit selectlist items (role entitles to no CRUD rights!), actual permissions are taken from the select lists createItemACL

  • WorkflowManagement: create/update/delete steps and workflows for "his" mandator

  • StructureManagement: create/update/delete types, relations, groups, properties, assignments and selectlists and assign scripts to structures for "his" mandator

  • ScriptManagement: create/update/delete scripts

  • ScriptExecution: execute scripts that can be run "standalone" (i.e. not triggered by events)

  • BackendAccess: may login to the backend (does not imply any rights)