Security question

I am trying to tighten up what users can do. Previously I had them set to be able to create all, save all but no remove. Now I am trying to limit things a bit more by defining the specific things they can do.

I have the clinician role set as follows - the authority definitions (eg CCUSACC) are standard.

     <data id="ROLE_C" archetype="security.role" name="Clinician" >
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCUSACC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCUSALE" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCUSCHA" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCUSCHI" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCUSDOC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCUSEST" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCUSNOT" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCUSPAR" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCUSPAY" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CPATALE" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CPATALL" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CPATCLI" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CPATDOC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CPATINV" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CPATMED" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CPATPAR" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CPATREM" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CWRKAPP" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CWRKTAS" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RCUSCHI" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RCUSEST" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RCUSPAR" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RPATALE" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RPATPAR" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RWRKAPP" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RWRKTAS" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCUSACC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCUSALE" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCUSCHA" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCUSCHI" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCUSDOC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCUSEST" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCUSNOT" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCUSPAR" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCUSPAY" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SPATALE" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SPATALL" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SPATCLI" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SPATDOC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SPATINV" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SPATMED" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SPATPAR" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SPATREM" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SWRKAPP" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SWRKTAS" />
    </data> 

I have the base role set as:

     <data id="ROLE1" archetype="security.role" name="Base Role" >
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CPARTIC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SPARTIC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RPARTIC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CENTREL" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SENTREL" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RENTREL" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CACTREL" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SACTREL" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RACTREL" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CENTIDE" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SENTIDE" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RENTIDE" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CDOCUME" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SDOCUME" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RDOCUME" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CCONTAC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SCONTAC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:RCONTAC" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:CEMESS" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:SEMESS" />
        <data collection="authorities" archetype="security.archetypeAuthority"  childId="id:REMESS" />
    </data> 

and I have the clinicians defined like:

     <data id="SU_CE" archetype="security.user" username="ce" name="CE" password="ce" description="Dr Clinton Eichelberger" userLevel="4" colour="0x00B050" active="true" >
        <data collection="roles" archetype="security.role" childId="id:ROLE1" />
        <data collection="roles" archetype="security.role" childId="id:ROLE_C" />
        <data collection="classifications" archetype="lookup.userType" childId="id:Clinician" />
        <data collection="locations" archetype="entityRelationship.userLocation" source="id:SU_CE" target="id:OL_EIAH" default="true" />
        <data collection="locations" archetype="entityRelationship.userLocation" source="id:SU_CE" target="id:OL_EIAH2S"/>
        <data collection="locations" archetype="entityRelationship.userLocation" source="id:SU_CE" target="id:OL_AEC" />
    </data>

so they get the base role plus the clinician.

If I log in as CE, then as I attempt to OK out of creating an invoice I get

My interpretation of the error message is that CE is not allowed to do a save of an act.customerAccountInvoiceItem.

However from the above you can see that he has (via the Clinician role) SCUSACC, ie

     <data id="SCUSACC" archetype="security.archetypeAuthority" name="Customer Account Act Save" description="Authority to Save Account Act"
        serviceName="archetypeService" method="save" archetypeShortName="act.customerAccount*" /> 

so he should be able to save an act.customerAccountInvoiceItem

What is going wrong?

Regards, Tim G


Re: Security question

A business rule is being triggered when invoice items are saved; the error is occurring as the rule requires permissions that haven't been granted.

Check the logs; there should be an entry along the lines of:

 Access denied to principal=<some user>, operation=<operation>, archetype=<short name>
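The check described in the reply above, as an added example rather than OpenVPMS code or anything either poster wrote: the script below reads the loader XML shape shown in the question (security.archetypeAuthority, security.role and security.user entries), takes an "Access denied" log line in the quoted format, and reports which of the user's authorities cover the denied operation and which roles would supply it. The `<archetype>` root element, the SPRODUC authority, the ROLE_L role, the `product.medication` short name and the log lines are constructed for the example; the wildcard matching treats `*` as the only wildcard and is case-sensitive, which is an assumption about how the server matches `archetypeShortName`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the thread's roles/users XML (cut down).
# The <archetype> root is an assumption; the thread shows only <data> entries.
# SPRODUC and ROLE_L are hypothetical ids added to show a role that holds a grant.
SAMPLE_XML = """<archetype>
  <data id="SCUSACC" archetype="security.archetypeAuthority" name="Customer Account Act Save"
        serviceName="archetypeService" method="save" archetypeShortName="act.customerAccount*" />
  <data id="CCUSACC" archetype="security.archetypeAuthority" name="Customer Account Act Create"
        serviceName="archetypeService" method="create" archetypeShortName="act.customerAccount*" />
  <data id="SPRODUC" archetype="security.archetypeAuthority" name="Product Save"
        serviceName="archetypeService" method="save" archetypeShortName="product.*" />
  <data id="ROLE_C" archetype="security.role" name="Clinician">
    <data collection="authorities" archetype="security.archetypeAuthority" childId="id:CCUSACC" />
    <data collection="authorities" archetype="security.archetypeAuthority" childId="id:SCUSACC" />
  </data>
  <data id="ROLE_L" archetype="security.role" name="Logistics">
    <data collection="authorities" archetype="security.archetypeAuthority" childId="id:SPRODUC" />
  </data>
  <data id="SU_CE" archetype="security.user" username="ce" name="CE">
    <data collection="roles" archetype="security.role" childId="id:ROLE_C" />
  </data>
</archetype>"""

# Log line format quoted in the reply above.
DENIAL_RE = re.compile(
    r"Access denied to principal=(?P<user>\S+), operation=(?P<op>\S+), archetype=(?P<arch>\S+)"
)


def ref_id(child_id):
    """'id:SCUSACC' -> 'SCUSACC' (the childId reference form used in the XML)."""
    return child_id.split(":", 1)[1]


def load_security(xml_text):
    """Return (authorities, roles, users) maps from the loader XML.

    authorities: id -> (method, archetypeShortName pattern)
    roles:       id -> [authority ids]
    users:       username -> [role ids]
    """
    authorities, roles, users = {}, {}, {}
    for el in ET.fromstring(xml_text).iter("data"):
        if el.get("id") is None:
            continue  # collection members are read via their parent element
        arch = el.get("archetype")
        if arch == "security.archetypeAuthority":
            authorities[el.get("id")] = (el.get("method"), el.get("archetypeShortName"))
        elif arch == "security.role":
            roles[el.get("id")] = [ref_id(c.get("childId")) for c in el
                                   if c.get("collection") == "authorities"]
        elif arch == "security.user":
            users[el.get("username")] = [ref_id(c.get("childId")) for c in el
                                         if c.get("collection") == "roles"]
    return authorities, roles, users


def short_name_matches(pattern, short_name):
    """Match a pattern such as 'act.customerAccount*' against a short name.

    Assumption: '*' is the only wildcard and matching is case-sensitive.
    """
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, short_name) is not None


def authorities_granting(operation, short_name, authorities):
    """Ids of all authorities whose method and pattern cover the operation."""
    return sorted(aid for aid, (method, pattern) in authorities.items()
                  if method == operation and short_name_matches(pattern, short_name))


def explain_denial(log_line, xml_text):
    """Map an 'Access denied' log line to the user's roles and authorities.

    Returns None for lines that are not denials. 'held' lists the user's own
    authorities that cover the denied operation (empty means the grant is
    missing); 'roles_with_grant' lists the roles that would supply it.
    """
    m = DENIAL_RE.search(log_line)
    if m is None:
        return None
    user, op, arch = m.group("user"), m.group("op"), m.group("arch")
    authorities, roles, users = load_security(xml_text)
    user_auths = {a for r in users.get(user, []) for a in roles.get(r, [])}
    covering = authorities_granting(op, arch, authorities)
    return {
        "user": user,
        "operation": op,
        "archetype": arch,
        "held": [a for a in covering if a in user_auths],
        "roles_with_grant": sorted(r for r, auths in roles.items()
                                   if any(a in auths for a in covering)),
    }


if __name__ == "__main__":
    # Constructed log lines: the first is the save the user expected to be
    # checked, the second a product save of the kind a stock-control rule makes.
    for line in (
        "Access denied to principal=ce, operation=save, archetype=act.customerAccountInvoiceItem",
        "Access denied to principal=ce, operation=save, archetype=product.medication",
    ):
        print(explain_denial(line, SAMPLE_XML))
```

Run against the real roles.xml, the output for a denial line shows directly whether the archetype in the log is covered by an authority the user already holds (in which case the denial comes from some other save) or by none of them, and which existing role carries that grant, so the fix can be a role assignment rather than widening the clinician role.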

Re: Security question

Thanks Tim - this enabled me to fix it.  To allow CE to invoice an item I ended up having to add save act.tillBalance (which is not one of the authorities in the distributed roles.xml), save product.*, and save party.organisationStockLocation [these last two because I have stock control turned on].

I think that this illustrates very well why 'security via archetypes' is not a good solution.  I want to limit modification of products to the logistics staff, but I have to give modify (ie save) access to anyone who needs to be able to invoice products. So now reception staff (who have to be able to invoice) can update product information [though not product prices].

In 1.8 we really do need to implement functional control. Unfortunately I think that this is going to be complex to do this well. That is, rather than just have workspace/item access control, we need workspace/item/function control [where workspace is the top menu, item is the left menu, and function is the button] - but even this does not provide a full solution because of the possible ways of doing things. For example if I block the edit button on the Products|Info screen, but allow use of the View button, then for the product view screen, I can use its edit button.

It may be better to use the CSH 'database' where we have a list of almost all screens and do access control via the screen. Thus if access to the product copy confirm screen is blocked then you cannot copy a product.

Regards, Tim G

Re: Security question

The 'security via archetypes' is an incomplete solution, which is why there is a project to improve authorities here: http://www.openvpms.org/project/enhance-openvpms-user-authorities

An interim measure would be to change the way the business rules are triggered. Currently they execute in the context of a secure archetype service; i.e. all saves and deletes are checked for authorisation. In some cases this is not desirable, such as when updating stock levels, as the user must then be granted authorisation to save products and stock locations. In these cases, the rules could bypass security.

Re: Security question

Tim - I agree that this would be a very worthwhile step and would make the current 'security via archetypes' easier to make use of. I have taken the liberty of creating a Jira - see https://openvpms.atlassian.net/browse/OVPMS-1386

Regards, Tim G