search

gchq / event-logging-schema

Event Logging is an XML Schema for describing the auditable events generated by computer systems, hardware devices and access control systems
Apache License 2.0
25 stars 6 forks source link

Support other permission types #76

Closed at055612 closed 5 months ago

at055612 commented 2 years ago

Currently we have the following which limits the permission types granted to an enumerated list. We need to be able to support other types.

            <xs:element name="Permission" minOccurs="1" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation>A permission rule associated with an object, e.g. read and write access being granted to a user.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:annotation>
                  <xs:documentation>A permission rule associated with an object, e.g. read and write access being granted to a user.</xs:documentation>
                </xs:annotation>
                <xs:sequence minOccurs="1" maxOccurs="1">
                  <xs:choice minOccurs="1" maxOccurs="1">
                    <xs:element name="User" type="evt:UserComplexType" minOccurs="1" maxOccurs="1">
                      <xs:annotation>
                        <xs:documentation>A user that has been granted (or is prevented from having) some form of permission.</xs:documentation>
                      </xs:annotation>
                    </xs:element>
                    <xs:element name="Group" type="evt:GroupComplexType" minOccurs="1" maxOccurs="1">
                      <xs:annotation>
                        <xs:documentation>A named group of users that has been granted (or is prevented from having) some form of permission.</xs:documentation>
                      </xs:annotation>
                    </xs:element>
                  </xs:choice>
                  <xs:element name="Allow" type="evt:PermissionAttributeSimpleType" minOccurs="0" maxOccurs="unbounded">
                    <xs:annotation>
                      <xs:documentation>The permission attributes that have been explicitly allowed.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element name="Deny" type="evt:PermissionAttributeSimpleType" minOccurs="0" maxOccurs="unbounded">
                    <xs:annotation>
                      <xs:documentation>The permission attributes that have been explicitly denied.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                </xs:sequence>
              </xs:complexType>
            </xs:element>

  <xs:simpleType name="PermissionAttributeSimpleType">
    <xs:annotation>
      <xs:documentation>The types of permission that can be assigned to an entity such as a document.</xs:documentation>
    </xs:annotation>
    <xs:restriction base="xs:string">
      <xs:enumeration value="Author"/>
      <xs:enumeration value="Owner"/>
      <xs:enumeration value="Read"/>
      <xs:enumeration value="Write"/>
      <xs:enumeration value="Execute"/>
    </xs:restriction>
  </xs:simpleType>

To avoid breaking the validation for existing documents the suggestion is to change the enum to regex pattern that will allow for other custom permission names. If we use the pattern ^(Author|Owner|Read|Write|Executor|Other: .*)$ then we can have values like:

<Allow>Owner</Allow>
<Allow>Other: Create Pipeline</Allow>
<Allow>Other: Create Folder</Allow>

The downside to this is that we lose the Java enum in the jaxb library, but it will still be enforced with schema validation.

at055612 commented 5 months ago

Fixed in 4.1.0 by using a Data element