Internal access control (permissions) - CustomerID

Permissions

Ubisecure CustomerID uses permissions for internal authorization and for customizing the user interfaces. For example, the self-service interface may be customized for different kind of user accounts.The self-service interface can be configured to permit certain user groups to manage their own authentication method credentials and whether methods are enabled for them, while precluding this from other user groups. The administration interface scope can also be heavily customized based on the user's permissions.

The permissions are not directly assigned to users, but through internal roles. Each internal role may contain multiple permissions and a user may have multiple internal roles for multiple different organizations. For example, the user may have two internal roles in organization A and one internal role in organization B. The total permissions in organization A is a sum of the two roles the user has in organization A and permissions for organization B are the ones assigned to the role the user has in that organization. The permissions can also be recursive, that is, the permissions are valid on the organization where the role(s) reside(s) and in all suborganizations it has.

The mapping between permissions and roles is made in the permissions.properties property file. In the default Windows installation, it is located at:

C:\Program Files\Ubisecure\customerid\application\custom\permissions.properties

The following example provides information about the permission to role mapping:

# permissions.properties

user.list = rel:OrganizationUser, inh:OrganizationMainUser
user.read.personal = rel:OrganizationUser, inh:OrganizationMainUser
user.read.roles = rel:OrganizationUser, inh:OrganizationMainUser
user.read.mandates = rel:OrganizationUser, inh:OrganizationMainUser
user.edit = inh:OrganizationMainUser
user.create = inh:OrganizationMainUser
user.delete = inh:OrganizationMainUser
user.approval.read = rel:OrganizationUser, inh:OrganizationMainUser
user.approval.edit = rel:OrganizationUser, inh:OrganizationMainUser
user.approval.approve = rel:OrganizationUser, inh:OrganizationMainUser

In the example configuration, the OrganizationMainUser role includes all user related permissions in the organization where the role resides and in all of its suborganizations (recursive). The OrganizationUser  role includes permissions to read and review user information and to approve pending user applications in the organization where the role resides and nowhere else.

The keywords for the permissions.properties file are described in the following table.


KEYWORD

DESCRIPTION

abs:

The absolute path to the target role in the eIDM Users branch. For example: abs:eIDM/eIDMMainUser

rel:

Permissions are only valid in the organization where the role resides.

inh:

The permissions are valid in the organization where the role resides and in all of its suborganizations.

dirinh:

The permissions are valid in the organization where the role resides and in all of its suborganizations, but the role must have been directly given to the user. If the user has received the role via another role then this permission is not valid.

par:

The permission is granted if the user has the specified role in the parent of the organization in question. If the organization in question is on the top level then the role can be from that organization as it has no parent.

grp:

The permissions are for a certain group in the eIDM Groups branch. For example, grp:eIDMUser

any:

The permissions are for users with the selected role in any organization. For example, any:CorporateUser

:unless:

This suffix is used with other keywords, the first role and another additional role. It is for permissions that are valid only if there are not users with direct role in the current organization. Note that super user permissions can not be overridden with ":unless:" definitions.

For example,
abs:eIDM/eIDMMainUser:unless:OrganizationMainUser

In this example the eIDM/eIDMMainUser has the permission unless there is a user with direct role OrganizationMainUser in the current organization.

Table 1. Keywords for the permission.properties file


Configuration

The following table describes all supported permissions available in permissions.properties file.

PERMISSION

DESCRIPTION

superuser

This permission defines the users who have all possible permissions in the system. The users defined here have all the other permissions in any permissions category.

user.list

This permission defines the users who are allowed to list organizations' users in the admin service.

user.read.personal

This permission defines the users who are allowed to read the users' personal information in the admin service.

You may also define field specific read permissions by adding the field name after user.read.personal.

Example:
user.read.personal.ssn = inh:OrganizationMainUser

This example means that only someone in the OrganizationMainUser role can see the user's social security number in the admin service.

You can define also permissions for authentication methods with:

user.read.personal.method
user.read.personal.method.<authentication method technical name>

Example:

user.read.personal.method.ubikey.otp.1 = inh:OrganizationMainUser

This example means that only someone in the OrganizationMainUser role can see the state of the user's ubikey.otp.1 authentication method.

Field specific permissions override the general permission.

user.read.roles

This permission defines the users who are allowed to read the users' role information in the admin service.

user.read.mandates

This permission defines the users who are allowed to read the users' mandate information in the admin service.

user.mandates.remove

This permission defines those users who are allowed to remove mandates from organization users in the admin service.

user.edit

This permission defines the users who are allowed to edit the users' information in the admin service.

You may also define field specific edit permissions by adding the field name after user.edit.

Example:
user.edit.ssn =

This example means that nobody can edit the user's social security number in the admin service.

A special case is user.edit.accountstatus. This permission definition gives the possibility to enable or disable a user.

Also authentication methods are handled similarly to user information fields. These permissions define the users who are allowed to manage other users authentication data in the admin service. You can define permissions for authentication methods with:

user.edit.method
user.edit.method.<authentication method technical name>

Example:

user.edit.method.ubikey.sms.1 = inh:OrganizationMainUser

This example means that only someone in the OrganizationMainUser role can alter the state of the user's ubikey.sms.1 authentication method.

Field specific permissions override the general permission.

user.create

This permission defines the users who are allowed to create new users in the admin service.

user.delete

This permission defines the users who are allowed to delete other organization users in the admin service.

user.move

This permission defines the users who are allowed to move other organization users in the admin service

user.approval.read

This permission defines the users who are allowed to read user approvals in the admin service.

You may also define field specific read permissions by adding the field name after user.approval.read.

Example:
user.approval.read.ssn = inh:OrganizationMainUser

This example means that only someone in the OrganizationMainUser role can see the user's social security number in the approval view.

Field specific permissions override the general permission.

user.approval.edit

This permission defines the users who are allowed to edit user approvals in the admin service.

You may also define field specific edit permissions by adding the field name after user.approval.edit.

Example:
user.approval.edit.ssn =

This example means that nobody can edit the user's social security number in the approval view.

Field specific permissions override the general permission.

user.approval.approve

This permission defines the users who are allowed to approve other organization users in the admin service.

organization.read

This permission defines the users who are allowed to read organization information in the admin service.

You may also define field specific read permissions by adding the field name after organization.read.

Example:
organization.read.technicalname = inh:OrganizationMainUser

This example means that only someone in the OrganizationMainUser role can see the organization's technical name in the admin service.

Field specific permissions override the general permission.

organization.edit

This permission defines the users who are allowed to edit organization information in the admin service.

You may also define field specific edit permissions by adding the field name after organization.edit.

Example:
organization.edit.class =

This example means that nobody can edit the organization's type (was previously called "class") in the admin service.

Field specific permissions override the general permission.

organization.create

This permission defines the users who are allowed to create organizations in the admin service.

organization.delete

This permission defines the users who are allowed to delete organizations in the admin service.

role.read

This permission defines the users who are allowed to read role assignment information in the admin service.

role.assign

role.assign.OrganizationUser



role.assign.OrganizationUser.class.test

This permission defines the users who are allowed to assign roles to users in the admin service.


Role-specific permissions are allowed in role.assign. For example, this property defines users that are allowed to assign users to OrganizationUser-role. (Use role's entity name)


Organization type (was previously called "class") specific permissions can be used with role.assign. For example, this property defines users that are allowed to assign users to OrganizationUser role in organizations with type test. Role and organization type are separated with .class. keyword.

For other organization types role.assign.OrganizationUser permission is used.


If a role-specific permission is not defined then role.assign permission is used.

role.invite

role.invite.OrganizationUser



role.invite.OrganizationUser.class.test

This permission defines those users who are allowed to invite users to roles in the admin service.


Role-specific permissions are allowed in role.invite. For example, this property defines users that are allowed to invite users to OrganizationUser role. (Use role's entity name)


Organization type (was previously called "class") specific permissions can be used with role.invite. For example, this property defines users that are allowed to invite users to OrganizationUser role in organizations with type test. Role and organization type are separated with .class. keyword.
For other organization types role.invite.OrganizationUser permission is used.


If a role-specific permission is not defined then role.invite permission is used.

role.deassign


role.deassign.OrganizationUser

role.deassign.OrganizationUser.class.test

This permission defines the users who are allowed to remove roles from users in the admin service.


Role-specific permissions are allowed in role.deassign. For example, this property defines users that are allowed to remove OrganizationUser role from users. (Use role's entity name)


Organization type (was previously called "class") specific permissions can be used with role.deassign. For example, this property defines users that are allowed to remove the OrganizationUser role from users in organizations with type test. Role and organization type are separated with .class. keyword.

For other organization types role.deassign.OrganizationUser permission is used.


If a role-specific permission is not defined then role.deassign permission is used.

role.list_approvals

This permission defines the users who are allowed to list and view role assignment requests in the admin service.

role.approve

This permission defines the users who are allowed to approve role assignments in the admin service.

role.delete

This permission defines those users who are allowed to delete roles in the admin service.

role.create

This permission defines those users who are allowed to create roles in the admin service.

role.edit

This permission defines those users who are allowed to edit roles in the admin service.

role.listusers

This permission defines those users who are allowed to list users in selected role.

mandate.read

This permission defines the users who are allowed to read mandate information concerning received mandates in the admin service.

mandate.approve

This permission defines the users who are allowed to approve received mandates in the admin service.

mandate.remove

This permission defines the users who are allowed to remove either mandate actuators or the received mandate in the admin service.

mandate.create

This permission defines the users who are allowed to create new mandates in the admin service.

self.read

This permission defines the users who are allowed to read their own personal information in the self-service interface.

You may also define field specific read permissions by adding the field name after self.read.

Example:
self.read.custom1 = any:OrganizationMainUser

This example means that only someone who has the OrganizationMainUser role (in any organization) can see the custom1 field in the self-service interface.

Also authentication methods are handled similarly to user information fields. These permissions define the users who are allowed to read their authentication data in the self-service interface. You can define permission for authentication methods with:

self.read.method
self.read.method.<authentication method technical name>

Example:
self.read.method.ubikey.sms.1 =

This example means that nobody is allowed to see the state of the ubikey.sms.1 authentication method in the self-service interface.

Field specific permissions override the general permission.

self.edit

This permission defines the users who are allowed to edit their own personal information in the self-service interface.

You may also define field specific edit permissions by adding the field name after self.edit.

Example:
self.edit.ssn =

This example means that nobody can edit their own social security number in the self-service interface.

Also authentication methods are handled similarly to user information fields. These permissions define the users who are allowed to manage their authentication data in the self-service interface. You can define permission for authentication methods with:

self.edit.method
self.edit.method.<authentication method technical name>

Example:
self.edit.method.ubikey.sms.1 =

This example means that nobody is allowed to alter the state of the ubikey.sms.1 authentication method in the self-service interface.

Field specific permissions override the general permission.

self.role

This permission defines the users who are allowed to read their role information in the self-service interface.

self.mobilenoconfirm

This permission defines the users who are allowed to change their mobile number without the need to confirm the new number.

self.emailnoconfirm

This permission defines the users who are allowed to change their email address without the need to confirm the new address.

self.organization

This permission defines the users who are allowed to manage organization information in the self-service interface.

self.requestroles

This permission defines the users who are allowed to request roles in the self-service interface. These users should also have the self.role permission.

self.request.predefined.roles

This permission defines those users who are allowed to request predefined roles in the self-service interface. These users should also have the self.role permission.

self.mandate.read

This permission defines those users who are allowed to read mandate information in the self-service interface.

self.mandate.approve

This permission defines those users who are allowed to approve mandates in the self-service interface.

self.mandate.remove

This permission defines those users who are allowed to remove mandates in the self-service interface.

self.mandate.create

This permission defines those users who are allowed to create new mandates in the self-service interface.

access.admin

This permission defines the users who are allowed to access the admin service interface.

access.admin.organizations

This permission defines the users who are allowed to access the organization list tab in the admin service interface front page.

access.admin.users

This permission defines the users who are allowed to access the user search / list tab in the admin service interface front page.

access.admin.approvals

This permission defines the users who are allowed to access the approval tab in the admin service interface front page.

access.selfservice.personal

This permission defines the users who are allowed to access the personal tab in the self-service interface.

access.selfservice.roles

This permission defines the users who are allowed to access the roles tab in the self-service interface.

access.selfservice.mandates

This permission defines the users who are allowed to access the mandates tab in the self-service interface.

Denying operations

CustomerID permissions will fall back to default values in case a given permission is omitted from permissions.properties. In case there is a need to disable a functionality for all users, it is therefore necessary to define the permission entry key, but leave the actual definition empty.

In the example below, the self.read duplicates the default behavior, but self.edit removes all permissions for self.edit, effectively user will see all personal information in self-service, but will not be able to edit it.

# permissions.properties
 
self.read = grp:eIDMUser
self.edit =


Equivalent example, note that self.read is commented out, which falls back to default values, effectively user will see all personal information in self-service, but will not be able to edit it.

# permissions.properties
 
#self.read = grp:eIDMUser
self.edit =

Opposing example, note that self.read and self.edit are commented out, which make both settings fall back to default values, effectively user will see all personal information in self-service and will be able to edit it.

# permissions.properties
 
#self.read = grp:eIDMUser
#self.edit = grp:eIDMUser