0423 Security Definitions
Security, particularly access control, is an important form of governance that preserves exclusive access to specific resources for particular actors.
The security definitions in Egeria have two purposes:
- To provide information to the server metadata security connector when it is making authorization decisions.
- To provide information to an integration connector that is synchronizing access control information with an authorization engine. This is used when access to resources is being controlled through open metadata by the self-service users of the open metadata servers.
Security access control decisions need to be made with very little latency because they are running in the main path of every request. Therefore, the definitions are divided into two types:
- The definitions that control which users have access to which resources. These can be expressed at the user, role, team, community/project, or organization level. Determining an individual's access involves navigating through multiple definitions, which is too slow for operational use.
- The definitions that summarize access controls at the user and resource element level. These values enable auditing of access and are used to configure the user directory and the resource authorization engine.
AssociatedGroup relationship
The AssociatedGroup relationship defines which SecurityGroup to use for each type of operation defined by the SecurityAccessControl entity. The operationName attribute defines the name of the operation being mapped.
SecurityGroupMembership classification
The SecurityGroupMembership classification summarizes the list of security groups that a user should be granted. For efficiency, each security group may be identified by its distinguishedName property; however, it may also be identified by the group's qualifiedName. The SecurityGroupMembership classification is attached to one of the user's UserIdentity entities.
SecurityTags classification
SecurityTags identify labels, properties and access control lists that are used in determining which access control rules should be executed when access to a particular resource is requested. They can be attached to assets, schema elements and glossaries depending on the scope of resource that the security tags apply to. The synchronized access control feature describes how security tags are set up and used.