Jazz ACLs
Jazz Access Control Lists (ACLs) are used to control access to Jazz Objects.
From Wikipedia:
Within an organization, Roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.
An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.
Jazz ACL Implementation
Jazz implements three types of ACL.
- Default ACL - the default ACL sets the access if no other ACL rules match.
- User ACLs - An individual user can have a defined access to the Jazz object.
- Role ACLs - A Role can have a defined access to the Jazz Object.
Note: Each of these types of ACL can be defined for members of the Jazz object. Jazz ACLs with no members defined are referred to as 'simple' ACLs.
Default ACL
A Jazz object can have one (simple) default ACL. If no default ACL is found on a Jazz object, the default is that any user has read/write access to the Jazz object. If a default ACL is found with Deny access, then the default is that no user can read or write the object. If a default ACL is found with Read-Only access, then the default is that every user can read the object but cannot write to it.
ACL = Access Type
The default ACL is an access type of last resort. If the user has no ACLs, then the access can be determined by the default ACL access type.
User ACLs
A Jazz object can have many User ACLs. If the User ACL has Allow access, then the user is immediately granted read/write access to the object. If the User ACL has Read-Only access, then the user has read-only access to the object, UNLESS the user also has a Role ACL with Allow access. If the User ACL has Deny access, then the user is denied access to the object, UNLESS the user also has a Role ACL with Allow or Read-Only access.
ACL = User + Access Type
Jazz implements a User-based ACL. This can be assigned to power users in the organization to access Jazz objects.
Role ACLs
A Jazz object can have many Role ACLs. If the Role ACL has Allow access, then users with this Role are immediately granted read/write access to the object. If the Role ACL has Read-Only access, then users with this Role have read-only access to the object, UNLESS the user also has a User ACL or another Role ACL with Allow access. If the Role ACL has Deny access, then users with this Role are denied access to the object, UNLESS the user also has a User ACL or another Role ACL with Allow or Read-Only access.
There are two sides in the Role/ACL equation:
- The user
- The target object
The user's Role is matched against the Role assigned in the ACL of the target object.
ACL = Role + Access Type
Jazz implements ACL as a Role and an Access Type. The Access Type can be:
- Allow: is used to allow the role access to the Jazz Record.
- Deny: is used to deny the role access to the Jazz Record.
- Read-Only: is used to allow the role access to the Jazz Record as a Read-only view.
Workspace ACLs
- Each Jazz Object belongs to a Workspace. The Workspace ACLs rules apply to ALL Jazz Objects that belong to the Workspace.
- If the Workspace has an Allow ACL, i.e. no ACLs are found, then all Jazz objects in the workspace have Allow access.
- If the Workspace has a Deny ACL, i.e. a default ACL with Deny access type is found, then all Jazz objects in the workspace have Deny access.
- If the Workspace has a Read-Only ACL, i.e. a default ACL with Read-Only access type is found, then all Jazz objects in the workspace have Read-Only access.
To define a user's private space, create a User workspace and add two ACLs:
- User ACL for the user with an Allow access type
- Default ACL with Deny access type - this stops everyone else from read/write access to the user's records.
Note: This approach can also be used to create a new project until it is ready to unveil.
Designing ACLs
When designing ACLs for your organization, keep the rules simple so that your users understand them.
- Public means that all users are allowed read/write access to Jazz Objects.
- Organize information by function. Typically people understand that the 'finance' data is only seen by the 'finance' people and a few execs.
- Keep this information in its own Workspace.
- Lock down the data at the source. This means that the default should be that NO ONE except a few people see sensitive information.
- Start with adding a Default ACL to the Jazz Object that minimizes access - be that Deny or Read-Only.
- Add Role ACLs and/or User ACLs granting Allow access.
- Often, data can contain information that most people should see, but that others should not see. (This is real life!)
- Add a Deny Default ACL that prevents access to the individual members in the data. Then add Role ACLs and/or User ACLs granting access to individual members in the data.
- e.g. if personnel records contain salary information that only a few people should see, then add a Deny Default ACL for the Salary fields. Then add an Allow User or Role ACL for the Salary fields that allows specific Users or Roles access to the data.
ACL Algorithm
The ACL algorithm is as follows:
- The Workspace ACL defines the expected access to any Jazz Object in the Workspace.
- If no other ACLs are found, then the Workspace ACL defines the access for the Jazz Object.
- The Default ACL defines the expected access to an individual Jazz Object.
- The Default ACL expected access type can override the Workspace ACL expected access type. i.e. Default ACL Read-Only can override Workspace ACL Deny access.
- If no other ACLs are found, then the Default ACL defines the access for the Jazz Object.
- If the target object has a User ACL for the user, then the user is immediately granted this access type, whether it is Allow, Deny or Read-Only.
- If the target object has a Role ACL with an Admin Role and Allow Access Type, then users with the Admin Role are allowed to read and write the target object.
- If the target object has an ACL with a Deny Role and Deny Access Type, then users with the Deny Role are NOT allowed access to the target object.
- If the target object has an ACL with an RO Role and Read-Only Access Type, then users with the RO Role are only allowed to read the target object.
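The rules in the User ACL, Role ACL and Workspace ACL sections, together with the algorithm above, can be checked by running them as code. The following is an added example written for this page; it is not Jazz's own implementation. It encodes one reading of the page's UNLESS clauses: among the User ACL and Role ACLs that match a user, the most permissive access type wins (Allow over Read-Only over Deny); if none match, the object's Default ACL applies, then the Workspace's ACL (resolved the same way, since a Workspace is itself a Jazz object), and finally read/write access when no ACL is found at all. The object names, user names and roles below are constructed for the scenarios the page describes (the private User workspace, the 'Accounting' workspace and the Salary fields).

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Iterable, List, Optional


class Access(IntEnum):
    """The three Jazz access types, ordered so max() returns the most permissive."""
    DENY = 0
    READ_ONLY = 1
    ALLOW = 2


@dataclass
class Acl:
    """ACLs attached to one Jazz object. A Workspace is modelled with the same class."""
    default: Optional[Access] = None                        # Default (simple) ACL, if any
    users: Dict[str, Access] = field(default_factory=dict)  # User ACLs: user -> access type
    roles: Dict[str, Access] = field(default_factory=dict)  # Role ACLs: role -> access type

    def matching(self, user: str, user_roles: Iterable[str]) -> List[Access]:
        """Access types of every User ACL or Role ACL that applies to this user."""
        held = set(user_roles)
        found = [self.users[user]] if user in self.users else []
        found.extend(access for role, access in self.roles.items() if role in held)
        return found


def resolve(acl: Acl, user: str, user_roles: Iterable[str]) -> Optional[Access]:
    """Access for one object's ACL set, or None when no ACL on the object decides.

    Assumed reading of the page's UNLESS rules: a matching Allow beats Read-Only,
    which beats Deny; the Default ACL is only consulted when nothing matches.
    """
    matches = acl.matching(user, user_roles)
    if matches:
        return max(matches)
    return acl.default


def effective_access(obj_acl: Acl, workspace_acl: Acl,
                     user: str, user_roles: Iterable[str]) -> Access:
    """Object ACLs first (Default ACL overrides the Workspace), then Workspace ACLs,
    then the page's fallback: read/write when no ACL is found anywhere."""
    for acl in (obj_acl, workspace_acl):
        access = resolve(acl, user, user_roles)
        if access is not None:
            return access
    return Access.ALLOW


def can_read(access: Access) -> bool:
    return access >= Access.READ_ONLY


def can_write(access: Access) -> bool:
    return access == Access.ALLOW


# Constructed scenarios (names are placeholders, not from the page).
PUBLIC_WS = Acl()                                        # no ACLs: everyone read/write
PRIVATE_WS = Acl(default=Access.DENY,                    # user's private space recipe
                 users={"alice": Access.ALLOW})
ACCOUNTING_WS = Acl(default=Access.DENY,                 # three access groups
                    roles={"accounting": Access.ALLOW,
                           "senior-mgmt": Access.READ_ONLY})
SALARY_FIELD = Acl(default=Access.DENY,                  # locked down at the source
                   roles={"hr-manager": Access.ALLOW})
NO_ACLS = Acl()                                          # an object with no ACLs of its own


if __name__ == "__main__":
    checks = [
        ("alice in her private workspace", NO_ACLS, PRIVATE_WS, "alice", []),
        ("bob in alice's private workspace", NO_ACLS, PRIVATE_WS, "bob", []),
        ("accountant on an accounting record", NO_ACLS, ACCOUNTING_WS, "carol", ["accounting"]),
        ("senior manager on an accounting record", NO_ACLS, ACCOUNTING_WS, "dave", ["senior-mgmt"]),
        ("sales on an accounting record", NO_ACLS, ACCOUNTING_WS, "erin", ["sales"]),
        ("accountant on the Salary field in Public", SALARY_FIELD, PUBLIC_WS, "carol", ["accounting"]),
        ("hr-manager on the Salary field in Public", SALARY_FIELD, PUBLIC_WS, "frank", ["hr-manager"]),
    ]
    for label, obj, ws, user, roles in checks:
        access = effective_access(obj, ws, user, roles)
        print(f"{label}: {access.name} (read={can_read(access)}, write={can_write(access)})")
```

Two cases worth noting from the output: the Salary field's Default ACL of Deny hides it even inside the unrestricted Public workspace, which is the "lock down at the source" rule in the design section, and a user whose User ACL says Read-Only but who holds a Role with Allow ends up with read/write, which is the UNLESS clause of the User ACL section.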
Assigning Roles
Roles are assigned to Users in the Jazz Admin Panel using the Jazz Assign Roles to Users Web Part.
Roles are removed from Users in the Jazz Admin Panel using the Review Jazz Users Roles Web Part.
Assigning ACLs
ACLs are assigned to Jazz Objects using the Web Part: Jazz Model Access Control List.
Assigning ACLs to a Jazz Object after it is created can be error prone. A better approach is to assign the ACLs on the fly when the Jazz Object is created. Refer to Web Part: Configure Jazz Model ACLs to read about this approach.
ACLs and Workspace
Workspace is represented as a Jazz object that has functionality similar to a directory in a file system. All Jazz Records reside within a single workspace. Like a file system, permissions can be assigned to a workspace via ACLs. Workspaces support:
- restricting access to users with specific roles,
- restricting access to the objects contained within the workspace to users with specific roles, and
- restricting which users can change the Access Control List of the workspace.
Public Workspace
The "Public" workspace has no access restrictions. All Jazz Records that are created will reside inside the public workspace by default. No other workspaces are necessary unless advanced functionality is required.
Workspace Procedures
The Workspace of a Jazz Record can be changed in the Web Part: Jazz Editor.
Workspaces are created in the Jazz Admin Panel using the Jazz New Workspace Web Part.
Workspaces are deleted in the Jazz Admin Panel using the Jazz Workspaces Web Part.
Roles are assigned to a Workspace ACL in the Jazz Admin Panel using the Assign Jazz Roles to Workspace Access List Web Part.
Roles are removed from a Workspace ACL in the Jazz Admin Panel using the Jazz Workspace ACL Web Part.
Workspace usage
Workspaces should be used for work groups that have the same permissions for access to a set of Jazz Records. For example, an accounting department looks after the financial records for the company. Everyone in the accounting department has read/write access to the records, senior management have read-only access to the records, and everyone else in the company is denied access to the records. By placing all accounting records in an 'Accounting' Workspace with three ACLs that represent the three access groups, the security goal is achieved.