Jazz ACLs

Modified on 2017/05/16 16:16 by Charles — Categorized as: Jazz, Jazz Administration

Table of Contents [Hide/Show]

   Jazz ACLs
   Jazz ACL Implementation
   Default ACL
      ACL = Access Type
   Users ACLs
      ACL = User + Access Type
   Roles ACLs
      ACL = Role + Access Type
   Workspace ACLs
   Designing ACLs
   ACL Algorithm
      Assigning Roles
      Assigning ACLs
   ACLs and Workspace
      Public Workspace
      Workspace Procedures
      Workspace usage

Jazz ACLs¶

Jazz Access Control Lists (ACLs) are used to control access to Jazz Objects.

From Wikipedia:


Within an organization, Roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.

Jazz ACL Implementation¶

Jazz implements three types of ACL.

Default ACL - the default ACL set the access if no other ACL rules match.
User ACLs - An individual user can have a defined access to the Jazz object.
Role ACLs - A Role can have a defined access to the Jazz Object.

Note: Each of these types of ACL can be defined for members of the Jazz object. Jazz ACLs with no members defined are referred to as 'simple' ACLs.

Default ACL¶

A Jazz object can have one (simple) ACL. If there is no default ACL found on a Jazz object, the default is that any user has read/write access the Jazz object. If a default ACL is found with DENY access, then the default is that every user cannot either read or write this object. If a default ACL is found with Read-Only access, then the default is that every user can read the object but cannot write to the object.

ACL = Access Type¶

The default ACL is an access type of last resort. If the user has no ACLs, then the access can be determined by the default ACL access type.

Users ACLs¶

A Jazz object can have many User ACLs. If the User ACL has an Allow access, then the user is immediately granted read/write access to the object. If the User ACL has a Read-Only access, then the user has read only access to the object, UNLESS the user also has a Role ACL with Allow access. If the User ACL has a Deny access, then the user has deny access to the object, UNLESS the user also has a Role ACL with Allow or Read-Only access.

ACL = User + Access Type¶

Jazz implements a User-based ACL. This can be assigned to power users in the organization to access Jazz objects.

Roles ACLs¶

A Jazz object can have many Role ACLs. If the Role ACL has an Allow access, then users with this Role are immediately granted read/write access to the object. If the Role ACL has a Read-Only access, then users with this Role have read only access to the object, UNLESS the user also has a User ACL or a Role ACL with Allow access. If the User ACL has a Deny access, then users with this Role have deny access to the object, UNLESS the user also has a User ACL or a Role ACL with Allow or Read-Only access.

There are two sides in the Role/ACL equation:

The user
The target object

The user's Role is matched against the Role assigned in the ACL of the target object.

ACL = Role + Access Type¶

Jazz implements ACL as a Role and an Access Type. The Access Type can be:

Allow: is used to allow the role access to the Jazz Record.
Deny: is used to deny the role access to the Jazz Record.
Read-Only: is used to allow the role access to the Jazz Record as a Read-only view.

Workspace ACLs¶

Each Jazz Object belongs to a Workspace. The Workspace ACLs rules apply to ALL Jazz Objects that belong to the Workspace.
- If the Workspace has an Allow ACL, i.e. no ACLs found, then all Jazz objects in the workspace have Allow access.
- If the Workspace has an Deny ACL, i.e. a default ACL with Deny access type is found, then all Jazz objects in the workspace have Deny access.
- If the Workspace has an Read-Only ACL, i.e. a default ACL with Read-Only access type is found, then all Jazz objects in the workspace have Read-Only access.

To define a user's private space, create a User workspace and add 2 ACLs:

User ACL for the user with an Allow access type
Default ACL with Deny access type - this stops everyone else from read/write access to the user's records.
Note: This approach can also be used to create a new project until it is ready to unveil.

Designing ACLs¶

When designing ACLs for your organization, keep the rules simple so that your users understand them.

Public means that all user are allowed read/write access to Jazz Objects.
Organize information by function. Typically people understand that the 'finance' data is only seen by the 'finance' people and a few execs.
- Keep this information in their own Workspaces.
Lock down the data at the source. This means that the default should be that NO ONE except a few people see sensitive information.
- Start with adding a Default ACL to the Jazz Object that minimizes access - be that Deny or Read-Only.
- Add Role ACLs and/or User ACLs granting Allow access.
Often, data can contain information that most people should see, but that others should not see. (This is read life!)
- Add a Deny Default ACL that prevents access to the individual members in the data. Then add Role ACLs and/or User ACLs granting access to individual members in the data.
- e.g. if personnel records contain salary information that only a few people should see, then add a Deny Default ACL for the Salary fields. Then add an Allow User or Role ACL for the Salary fields that allows specific Users or Roles access to the data.

ACL Algorithm¶

The ACL algorithm is as follows:

The Workspace ACL defines the expected access to any Jazz Object in the Workspace.
- If no other ACLs are found, then the Workspace ACL defines the access for the Jazz Object.
The Default ACL defines the expected access to an individual Jazz Object.
- The Default ACL expected access type can override the Workspace ACL expected access type. i.e. Default ACL Read-Only can override Workspace ACL Deny access.
- If no other ACLs are found, then the Default ACL defines the access for the Jazz Object.
If the target object has a User ACL, then the user is immediately granted this access type, whether it is Allow, Deny or Read-Only.
If the target object has a Role ACL with an Admin Role and Allow Access Type, then users with the Admin Role are allowed to read and write the target object.
If the target object has an ACL with an Deny Role and Denied Access Type, then users with the Deny Role are NOT allowed access to the target object.
If the target object has an ACL with an RO Role and Read-Only Access Type, then users with the RO Role are only allowed to read the target object.

Assigning Roles¶

Roles are assigned to Users in the Jazz Admin Panel using the Jazz Assign Roles to Users Web Part.
Roles are removed from Users in the Jazz Admin Panel using the Review Jazz Users Roles Web Part.

Assigning ACLs¶

ACLs are assigned to Jazz Objects using the Web Part: Jazz Model Access Control List.

Assigning ACLs to a Jazz Object after it is created can be error prone. A better approach is to assign the ACLs on the fly when the Jazz Object is created. Refer to Web Part: Configure Jazz Model ACLs to read about this approach.

ACLs and Workspace¶

Workspace is represented as a Jazz object that has functionality similar to a directory in a file system. All Jazz Records reside within a single workspace. Like a file system, permissions can be assigned to a workspace via ACLs. Workspaces support:

restricting access to users with specific roles,
restricting access to the objects contained within the workspace to users with specific roles, and
restricting which users can change the Access Control List of workspace.

Public Workspace¶

The "Public" workspace has no access restrictions. All Jazz Records that are created will reside inside the public workspace by default. No other workspaces are necessary unless advanced functionalilty is required.

Workspace Procedures¶

The Workspace of a Jazz Record can be changed in the Web Part: Jazz Editor.
Workspaces are created in the Jazz Admin Panel using the Jazz New Workspace Web Part.
Workspaces are deleted in the Jazz Admin Panel using the Jazz Workspaces Web Part.
Roles are assigned to a Workspace ACL in the Jazz Admin Panel using the Assign Jazz Roles to Workspace Access List Web Part.
Roles are removed from a Workspace ACL in the Jazz Admin Panel using the Jazz Workspace ACL Web Part.

Workspace usage¶

Workspaces should be used for work groups that have the same permissions for access to a set of Jazz Records. e.g. an accounting department looks after the financial records for the company. Everyone in the accounting department has read-write access to the records. Senior management have read-only access to the records and everyone else in the company is denied access to the records. By placing all accounting records in an 'Accounting' Workspace with three ACLs that represent the three access groups, the security goal is achieved.