0423 Security Definitions¶
Security, particularly access control, is an important form of governance that preserves exclusive access to specific resources for particular actors.
The security definitions in Egeria have two purposes:
- To provide information to the server metadata security connector when it is making authorization decisions.
- To provide information to an integration connector that is synchronizing access control information with an authorization engine. This is used when access to resources is being controlled through open metadata by the self-service users of the open metadata servers.
Security access control decisions need to be made with very little latency because they are running in the main path of every request. Therefore, the definitions are divided into two types:
- The definitions that control which users have access to which resources. This can be expressed at the user, role, team, community/project, organization level. To determine an individual's access involves navigating through multiple definitions which is too slow for operation use.
- The definitions that summarize access controls at the user and resource element level. These values enable auditing of access and are used to configure the user directory and the resource authorization engine.
The SecurityAccessControl entity is a TechnicalControl that defines the access control lists that a user must belong to if he/she/it is to be given permission to execute a specific command.
The AssociatedGroup relationship defines which SecurityGroup to use for each type of operation defined by the SecurityAccessControl entity. The
operationName attribute defines the name of the operation being mapped.
The SecurityGroup represents a group of actors that need to be given the same access to a specific set of resources. It includes the
distinguishedName used in LDAP based user directories. This is the distinguished name of the group where authorized users are listed.
The SecurityGroupMembership classification summarizes the list of security groups that a user should be granted. For efficiency, each security group may be identified by its
distinguishedName property for efficiency. However, it may be the group's
qualifiedName. The SecurityGroupMembership classification is attached to one of the user's UserIdentity entities.
SecurityTags identify labels, properties and access control lists that are used in determining which access control rules should be executed when access to a particular resource is requested. They can be attached to assets, schema elements and glossaries depending on the scope of resource that the security tags apply to. The synchronized access control feature describes how security tags are set up and used.
Raise an issue or comment below