Maintaining Rights

A right is a collection of resources and the permissions to use those resources.

Right Scope

Rights are created at instance-level. An instance can contain multiple rights.

Use of Rights

Given that a right is a collection of resources and the level of access to those resources, when a right is applied to a user via a security role, the right determines the level of access to those resources for that user.

Applying Security Changes

Three security-related caches are used by the system: the authorisation cache, authorised applications, and core CCLAS securities.

Note: There is an 8-hour cache period for each of these security-related caches. Changes to security do not come into effect until after this cache period expires, and even then, where security permissions are changed for a user, the old security permissions still apply until the user logs in again.

Where the following actions succeed, then the security-related caches are cleared:

  1. Assign Role to User

    assignRole(Role role, Scope scope, String userName)

  2. Un-assign Role from User

    unassignRole(Role role, Scope scope, String userName)

  3. Save attribute (the Resource attribute AT)

    saveAttribute(AttributeConfiguration attribute)

  4. Grant access (permission) to a Resource for a Right

    grantRightResourceAccess(Right right, SecuredResource resource, String permission)

  5. Revoke Application access for a Right

    revokeRightApplicationAccess(Right right, String applicationName)

  6. Revoke access to a Service for a Right (the term Class is used for Service in the logic)

    revokeRightClassAccess(Right right, String className)

  7. Revoke access to an Attribute for a Right

    revokeRightAttributeAccess(Right right, String className, String attributeName)

  8. Revoke access to a Resource for a Right

    revokeRightResourceAccess(Right right, SecuredResource resource)

  9. Add Right to Role

    addRightToRole(Role role, Right right)

  10. Remove Right from Role

    removeRightFromRole(Role role, Right right)

In multi-server environments, the clearing of the security-related caches only occurs on the server where the ADMIN user (the user making the security permission changes) is logged into. The user whose security permissions are changed may be logged into another server: the 8-hour cache period must expire before security changes come into effect.