The permission model in SecurityTrax has changed with our new release. There are new concepts and capabilities that are important to understand in order to ensure users have the desired access. This article covers these concepts and capabilities and provides an example of their usage.
- A resource represents an object and its associated properties in the system. An example is a customer or a user. A resource can have related resources, for example a customer can have one or many customer_files.
- Attributes are data points that exist on resources. For example, a customer resource has the following attributes (among others): first name, last name, city, state, zip code, and sale date.
- Grants describe the actions that are available on resources. A resource can have one or more applicable grants. For example, the customer_file resource has the grants view, create, modify, and delete.
- Policies determine how resources are made available in the system. They can be used to grant or limit a user's access to a particular resource. For example, the customer_file resource has a policy based on creation date; using this policy it is possible to limit a specific user to accessing only the customer_files that were created in the last 30 days. In short, policies determine which resources a group or user has access to.
  - Group Policy: a group policy is an association between a group and a policy.
  - User Policy: a user policy provides the ability to override (or append to) the policies applied to a user's assigned group. User policies are specific to the user and do not affect the group's policies on a resource.
- Groups are used to define a set of roles, grants, and policies. Groups are then assigned to users to give the necessary access and responsibilities within the system. A user can only be a member of one group at a time.
- Roles define specific responsibilities within the system. Roles help determine who is available for certain types of work. One example is the Sales Rep role. When creating a customer only users who are assigned the Sales Rep role can be assigned as the sales rep on the customer.
SecurityTrax is designed to have a robust permission model. It allows companies to set fine-tuned access to the system and the information in it. SecurityTrax does not limit companies to predefined access levels like administrator, sales rep, or technician manager. While we do provide sample groups, they are only in the system to serve as a jump start and are intended to be modified as needed.
At the core of the permission model is a group. Groups allow you to build up a set of grants, policies, and roles. Once the group has been set up with the desired settings it can be assigned to users. Users can only have one group assigned at a time. Once a group has been assigned to a user, all of the group's settings (grants, policies, and roles) apply to that user.
If a user requires finer-tuned access than the group provides, user policies can be applied directly to the user. A user policy can either override the group policies (replacing them for that resource) or append to them (so that both the group policy and the user policy must be satisfied).
For this example we will assume we want a group that we will assign to our Sales Representatives. Remember, the name of the group and any other configuration details used below can be customized as needed.
- We will create a new group called 'Sales Rep Group'.
- When we create the group we will select the 'Sales Representative' role. This will make all users assigned to this group show up as possible values when setting the sales rep on a customer's account.
- Next, we will set the desired grants and policies on the group. For this example we will only concern ourselves with customer-related resources. We will select the view, create, and modify grants on the Customer resource. Next we will apply a group policy to restrict which records the users will have access to. We will select 'Assigned User is Sales Rep'. This will prevent the user from accessing any customer records where they are not the sales representative.
- Now we can assign all applicable users to our newly created group. All users will have the same roles, policies, and grants as defined in the group.
- Let's assume we have a user whose access we want to restrict further than what their group provides. We can go directly to the user account and add a user policy. In this case we will append (not override) the group policy with a user policy that limits the user to customers created in the last month. Now, the user will only see customers where they are the sales rep set on the customer and that were added in the last month.
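To make the difference between appending and overriding concrete, the following is an added Python model of the walk-through above. It is illustrative code written for this article, not SecurityTrax code or its API; the class and function names (Group, User, UserPolicy, can, visible_customer_ids), the record layout, the reference date and the rule that every policy in effect on a resource must hold (AND) are all assumptions of the model.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Optional

# Constructed reference date so the example runs deterministically offline.
TODAY = date(2024, 6, 1)

# A policy is a predicate over (user, record): it decides WHICH records of a
# resource a user may reach. Grants decide WHICH ACTIONS are allowed on it.
Policy = Callable[["User", dict], bool]


def assigned_user_is_sales_rep(user: "User", record: dict) -> bool:
    """'Assigned User is Sales Rep': the acting user must be the customer's rep."""
    return record.get("sales_rep") == user.name


def created_in_last_days(days: int) -> Policy:
    """Creation-date policy: the record must have been created within `days`."""
    def policy(user: "User", record: dict) -> bool:
        return TODAY - record["created"] <= timedelta(days=days)
    return policy


@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)    # resource -> set of actions
    policies: dict = field(default_factory=dict)  # resource -> list of Policy


@dataclass
class UserPolicy:
    resource: str
    policy: Policy
    mode: str  # "append": AND with the group's policies; "override": replace them


@dataclass
class User:
    name: str
    group: Group  # exactly one group per user, as the article states
    user_policies: list = field(default_factory=list)

    def effective_policies(self, resource: str) -> list:
        """Start from the group's policies, then apply user policies in order."""
        policies = list(self.group.policies.get(resource, []))
        for up in self.user_policies:
            if up.resource != resource:
                continue
            if up.mode == "override":
                policies = [up.policy]          # group restriction is gone
            elif up.mode == "append":
                policies.append(up.policy)      # both must now hold
            else:
                raise ValueError(f"unknown user policy mode {up.mode!r}")
        return policies


def can(user: User, action: str, resource: str, record: Optional[dict] = None) -> bool:
    """The grant must exist on the user's group; when a record is given, every
    effective policy must also hold (AND semantics is an assumption of this model)."""
    if action not in user.group.grants.get(resource, set()):
        return False
    if record is None:
        return True
    return all(p(user, record) for p in user.effective_policies(resource))


def eligible_for_role(users: list, role: str) -> list:
    """Roles come from the group: who may be chosen as e.g. a customer's sales rep."""
    return [u.name for u in users if role in u.group.roles]


# The article's walk-through expressed as data (assumed names).
sales_rep_group = Group(
    name="Sales Rep Group",
    roles={"Sales Representative"},
    grants={"customer": {"view", "create", "modify"}},
    policies={"customer": [assigned_user_is_sales_rep]},
)
tech_group = Group(name="Technician Group")  # no customer grants, no sales role

alice = User("alice", sales_rep_group)
# bob: user policy APPENDED, so only his own customers from the last 30 days
bob = User("bob", sales_rep_group,
           user_policies=[UserPolicy("customer", created_in_last_days(30), "append")])
# carol: same policy but OVERRIDE, so the sales-rep restriction no longer applies
carol = User("carol", sales_rep_group,
             user_policies=[UserPolicy("customer", created_in_last_days(30), "override")])
dave = User("dave", tech_group)

# Constructed sample customers, not real data.
CUSTOMERS = [
    {"id": 1, "sales_rep": "alice", "created": TODAY - timedelta(days=5)},
    {"id": 2, "sales_rep": "alice", "created": TODAY - timedelta(days=90)},
    {"id": 3, "sales_rep": "bob", "created": TODAY - timedelta(days=5)},
    {"id": 4, "sales_rep": "bob", "created": TODAY - timedelta(days=90)},
]


def visible_customer_ids(user: User) -> list:
    return [c["id"] for c in CUSTOMERS if can(user, "view", "customer", c)]


if __name__ == "__main__":
    for u in (alice, bob, carol, dave):
        print(u.name, visible_customer_ids(u))
    print(eligible_for_role([alice, bob, carol, dave], "Sales Representative"))
```

The carol case is the caveat worth checking before choosing override in the UI: because an override replaces the group's policies for that resource rather than narrowing them, a user policy that was meant to tighten access can silently remove the 'Assigned User is Sales Rep' restriction and expose every recent customer. Appending, as in the article's example, keeps the group restriction in force.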