NUWCDIVNPT / stig-manager

An API and client for managing STIG assessments

Collection Grant/Access Reimplementation #1289

Open cd-rite opened 1 month ago

cd-rite commented 1 month ago

This issue is a WIP.

Collection Grants are being reimplemented. The reimplementation will more clearly distinguish Collection Privileges and Collection Access.

Collection Roles will enable sets of Collection Privileges, and have a default Access Control List. Access control lists will specify which Assets/STIGs a user has access to, with which privileges (R/RW/none).

More info here (will be moved to this issue soon): https://github.com/NUWCDIVNPT/stig-manager/issues/322#issuecomment-2110482330 (Read-Only Access)

Additional feature requests that will be considered for this issue:

- https://github.com/NUWCDIVNPT/stig-manager/issues/849 (Consider adding accept/reject as an access level, rather than a collection-level privilege?)
- https://github.com/NUWCDIVNPT/stig-manager/issues/852 (Should be satisfied by user groups)
- https://github.com/NUWCDIVNPT/stig-manager/issues/729 ("dynamic" grants by label/asset/stig)
- https://github.com/NUWCDIVNPT/stig-manager/issues/1182 (user groups)
- https://github.com/NUWCDIVNPT/stig-manager/issues/863 (new ACL builder interface)

UI will require many changes. New reports and assignment interfaces. Assets/STIGs in Dashboard will probably need indicators to User indicating if they have R/RW/None access. Should accept/reject status be considered part of "access" rather than collection privilege?

cd-rite commented 3 weeks ago

Role-Based Access Control (RBAC) components

1. Grant

Grant = Collection + User/Group + Role (formerly Access Level)

User collision

- select any User Grant over any Group Grant(s).
- when User matched by multiple Groups, select Grant with highest priority Role. Apply role collision rule on ties.

Role collision

- merge ACL resources and on Asset/STIG access collision select lowest access.  

2. Role

Role = Review ACL + Privileges + Priority

3. Review ACL

ACL = List of Rules

Rule = Resource (unique per list) + Access

Resource (resolves to list of Asset/STIG)

- collection (all Assets and their mapped STIGs)
- asset (this Asset and its mapped STIGs)
- stig (this STIG and its mapped Assets)
- label (all Assets with this Label and their mapped STIGs)

Access (defined from lowest to highest)

- none (allowed for Restricted role only)
- read
- read/write 

Asset/STIG collisions

- the most specific resource is selected.

Access collisions

- lowest access is selected.

4. Privileges

Collection

- modify
- delete

Grant

- create owner
- create non-owner
- modify owner
- modify non-owner
- delete owner
- delete non-owner

Asset

- create
- modify
- delete

STIG

- map
- unmap

Label

- create
- modify
- delete
- map
- unmap

5. Built-in Roles

For the built-in Roles:

| Priority | Role | Default ACL rule | Privileges: Collection | Privileges: Grant | Privileges: Asset | Privileges: Label | Privileges: STIG |
|---|---|---|---|---|---|---|---|
| 4 | Owner | read/write | modify, delete | create owner, modify owner, delete owner, create non-owner, modify non-owner, delete non-owner | create, modify, delete | create, modify, delete, map, unmap | map, unmap |
| 3 | Manage | read/write | modify | create non-owner, modify non-owner, delete non-owner | create, modify, delete | create, modify, delete, map, unmap | map, unmap |
| 2 | Full | read/write | none | none | none | none | none |
| 1 | Restricted | none | none | none | none | none | none |
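Resolving one user's effective access to an Asset/STIG pair under the User collision, Role collision and Review ACL rules laid out in the comment above, as an added JavaScript example that is not part of STIG Manager's code. The rule and asset object shapes, the specificity ranking (asset and stig treated as equally specific, label above collection) and the "no matching rule resolves to none" default are assumptions of this example.

```javascript
// Added example, not STIG Manager's own code: resolves a user's effective
// access to an Asset/STIG pair under the Grant, Role and Review ACL rules above.
// Object shapes, SPECIFICITY ranks and the "no match => none" default are assumed.
const ACCESS_RANK = { none: 0, read: 1, 'read/write': 2 }; // lowest to highest
// "Most specific resource" ranking; asset and stig rules are treated as equally specific.
const SPECIFICITY = { collection: 0, label: 1, asset: 2, stig: 2 };
const lowest = (a, b) => (ACCESS_RANK[a] <= ACCESS_RANK[b] ? a : b);

// True when the rule's resource resolves to this Asset/STIG pair.
function ruleMatches(rule, asset, benchmarkId) {
  const r = rule.resource;
  switch (r.type) {
    case 'collection': return true;
    case 'asset': return r.assetId === asset.assetId;
    case 'stig': return r.benchmarkId === benchmarkId;
    case 'label': return asset.labelIds.includes(r.labelId);
    default: return false;
  }
}

// Review ACL: most specific matching resource wins; ties resolve to the lowest access.
function resolveAccess(acl, asset, benchmarkId) {
  if (!asset.benchmarkIds.includes(benchmarkId)) return 'none'; // pair does not exist
  const matches = acl.filter((rule) => ruleMatches(rule, asset, benchmarkId));
  if (matches.length === 0) return 'none';
  const top = Math.max(...matches.map((m) => SPECIFICITY[m.resource.type]));
  return matches
    .filter((m) => SPECIFICITY[m.resource.type] === top)
    .map((m) => m.access)
    .reduce(lowest);
}

// User collision: a User Grant beats Group Grants; highest-priority Role wins; ties merge to lowest access.
function effectiveAccess(userGrant, groupGrants, asset, benchmarkId) {
  if (userGrant) return resolveAccess(userGrant.role.acl, asset, benchmarkId);
  if (groupGrants.length === 0) return 'none';
  const top = Math.max(...groupGrants.map((g) => g.role.priority));
  return groupGrants
    .filter((g) => g.role.priority === top)
    .map((g) => resolveAccess(g.role.acl, asset, benchmarkId))
    .reduce(lowest);
}

// Constructed sample data: one Asset with a Label and two mapped STIGs, the built-in Full role,
// and a Restricted role whose label rule and stig rule overlap on RHEL_8_STIG.
const asset = { assetId: 1, labelIds: [10], benchmarkIds: ['RHEL_8_STIG', 'APACHE_STIG'] };
const fullRole = { priority: 2, acl: [{ resource: { type: 'collection' }, access: 'read/write' }] };
const restrictedRole = { priority: 1, acl: [
  { resource: { type: 'label', labelId: 10 }, access: 'read' },
  { resource: { type: 'stig', benchmarkId: 'RHEL_8_STIG' }, access: 'none' } ] };
```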