RBAC
RBAC (role-based access control) is a policy-neutral access control mechanism defined around roles and privileges. The permissions to perform certain operations are assigned to specific roles. A role is a title that defines an authority level. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account.
Three primary rules are defined for RBAC:
- Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
- Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
- Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.
In Prime Engine the following two roles are defined:
- User - A user can only access and perform operations on the resources he owns.
- Admin - An admin can access and perform operations on all the resources of all the users.
Third Security Layer
When a resource belongs to a particular user, he is the only user that can perform operations on it. Administrators have access to all resources and can perform all the operations on them.
When a role has access to a resource, it can perform the following operations:
- fetch all - shows all resources of a particular type that belong to the user;
- fetch entity - shows a resource unit that is described by the user;
- create - creates a resource unit;
- update - updates a whole resource unit;
- patch - partially modifies a resource unit;
- delete - deletes a resource unit.
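The three RBAC rules and the ownership layer described above can be combined into a single deny-by-default check. The following is an added example, not Prime Engine's own code; the names `Subject`, `Resource`, `ROLES`, `authorize` and `fetch_all`, and the layout of the permission table, are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Operations listed on this page; role names follow the page's User/Admin roles.
OPERATIONS = frozenset({"fetch_all", "fetch_entity", "create", "update", "patch", "delete"})
# Assumed table layout: role -> (allowed operations, ownership check required?)
ROLES = {
    "user": (OPERATIONS, True),    # own resources only
    "admin": (OPERATIONS, False),  # all resources of all users
}

@dataclass(frozen=True)
class Subject:
    user_id: str
    assigned_roles: frozenset      # roles granted to the account
    active_role: Optional[str]     # role selected for this request

@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_id: str

def authorize(subject, operation, resource=None):
    """Return True only if all three RBAC rules and the ownership layer pass."""
    # Rule 1, role assignment: no active role means no permissions at all.
    if subject.active_role is None:
        return False
    # Rule 2, role authorization: the active role must be assigned to the subject.
    if subject.active_role not in subject.assigned_roles:
        return False
    # Rule 3, permission authorization: the role must grant the operation.
    # A role missing from the table gets an empty grant (fail closed).
    allowed_ops, owner_only = ROLES.get(subject.active_role, (frozenset(), True))
    if operation not in allowed_ops:
        return False
    # create and fetch_all have no existing target; fetch_all is filtered below.
    if operation in ("create", "fetch_all"):
        return True
    # Every other operation needs a target; refuse rather than guess.
    if resource is None:
        return False
    # Ownership layer: a non-admin role may only touch resources it owns.
    return (not owner_only) or resource.owner_id == subject.user_id

def fetch_all(subject, store):
    """List resources, limited to the caller's own unless the role is admin."""
    if not authorize(subject, "fetch_all"):
        return []
    return [r for r in store if authorize(subject, "fetch_entity", r)]
```

Every branch that cannot prove authorization returns a denial, so an unknown role, an unknown operation, or a missing target never falls through to an allow.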