Identity & Security proposal for SOA Repository (Guvnor).

In Guvnor, we are going to use role-based access control (RBAC) for authorization: permissions are attached to roles, and a user obtains permissions only through the roles assigned to that user.

 

First of all, let us look at user and role management. Guvnor will have an Administration menu in the left tree panel, and user and role management are found under this menu, as shown below:

menu.jpg

 

Once you click 'Users', a tab opens in the right center panel containing a grid component that lists all users, as shown below:

users.jpg

Users can be selected by ticking their checkboxes and then pressing the 'Delete' button to remove them (multiple users can be removed at one time).

 

Clicking a row, such as Jeff, opens another tab showing Jeff's detailed information; the layout would be like the following picture. (Note: I just reuse the user creation form page for convenience.)

addUser.jpg

Role management is quite similar to what we did for users; here are the screenshots.

 

Roles grid:

roles.jpg

Roles form:

addRole.jpg

 

We have two ways to associate resource permissions with roles. Firstly, as we saw in the role form editor, it lists all available resource + operation combinations as a set of checkboxes, such as "Read ESB artifacts". Each checkbox can be seen as a category-level permission: if you grant the 'Read ESB artifacts' permission to a role, that role can read all ESB artifacts.

 

Secondly, we can also add a specific rule for a specific ESB artifact. Once you open a specific ESB artifact, a tab called "Artifact Data" opens, and it has a "Permission" tab, like the following picture:

permission.jpg

 

It has three options, which are:

0-Denied (the operation is refused on this artifact, even if the role holds the category permission),

1-Inherit (the artifact takes its configuration from its category, e.g. the 'ESB artifacts' permissions configured in the role detail form),

2-Granted (the operation is allowed on this artifact, even if the role lacks the category permission).

 

In this way, I think the security feature can be very flexible. Although I don't expect users will use the specific artifact permission feature often, I would say it adds to our security feature's flexibility.
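As an added worked example (not Guvnor's own code), the following Python models how the two levels above interact when an authorization check is evaluated: a category checkbox such as "Read ESB artifacts" grants the operation on every artifact in that category, while a per-artifact Permission setting of Granted or Denied overrides it and Inherit falls back to it. The proposal does not say how conflicts are resolved when a user holds several roles, so the example assumes that an explicit Denied on any of the user's roles wins over a grant on another role, and that with no applicable rule at all the result is deny. The artifact ids, the role names and the "Write" operation are constructed for illustration and are not taken from the proposal.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, Optional, Set, Tuple


class Override(Enum):
    """The three per-artifact options offered in the Permission tab."""
    DENIED = 0
    INHERIT = 1
    GRANTED = 2


@dataclass
class Artifact:
    artifact_id: str
    category: str          # e.g. "ESB artifacts"


@dataclass
class Role:
    name: str
    # Category-level permissions ticked in the role form, e.g. "Read ESB artifacts".
    category_perms: Set[str] = field(default_factory=set)
    # Per-artifact overrides set in the Permission tab:
    # (artifact_id, operation) -> Override. Anything not listed counts as INHERIT.
    overrides: Dict[Tuple[str, str], Override] = field(default_factory=dict)


def category_perm(operation: str, category: str) -> str:
    """Builds the checkbox label used in the role form, e.g. "Read ESB artifacts"."""
    return f"{operation} {category}"


def role_decision(role: Role, artifact: Artifact, operation: str) -> Optional[bool]:
    """Decision of one role: True (allow), False (explicit deny) or
    None (this role says nothing about this artifact/operation)."""
    override = role.overrides.get((artifact.artifact_id, operation), Override.INHERIT)
    if override is Override.GRANTED:
        return True
    if override is Override.DENIED:
        return False
    # INHERIT: fall back to the category permission ticked in the role form.
    if category_perm(operation, artifact.category) in role.category_perms:
        return True
    return None


def authorize(user_roles: Iterable[Role], artifact: Artifact, operation: str) -> bool:
    """Combines the decisions of all of a user's roles.
    Assumption (not stated in the proposal): an explicit Denied on any role wins
    over a Granted or inherited permission on another role, and with no rule at
    all the default is deny."""
    decisions = [role_decision(r, artifact, operation) for r in user_roles]
    if False in decisions:
        return False
    return True in decisions


# Constructed sample data (not from the proposal): two ESB artifacts and two roles.
ROUTING = Artifact("routing-rules.esb", "ESB artifacts")
ORDERS = Artifact("order-service.esb", "ESB artifacts")

# Can read every ESB artifact via the category checkbox, except order-service.esb,
# which is explicitly Denied in its Permission tab.
ESB_READER = Role(
    "esb_reader",
    category_perms={category_perm("Read", "ESB artifacts")},
    overrides={(ORDERS.artifact_id, "Read"): Override.DENIED},
)

# Holds no category permission at all; only Granted overrides on one artifact.
ORDER_OWNER = Role(
    "order_owner",
    overrides={
        (ORDERS.artifact_id, "Read"): Override.GRANTED,
        (ORDERS.artifact_id, "Write"): Override.GRANTED,
    },
)

if __name__ == "__main__":
    checks = [
        ([ESB_READER], ROUTING, "Read"),             # inherited from category -> allow
        ([ESB_READER], ORDERS, "Read"),              # explicit Denied -> deny
        ([ORDER_OWNER], ORDERS, "Write"),            # explicit Granted -> allow
        ([ORDER_OWNER], ROUTING, "Read"),            # no rule -> deny
        ([ESB_READER, ORDER_OWNER], ORDERS, "Read"), # Denied on one role wins -> deny
    ]
    for roles, art, op in checks:
        names = ",".join(r.name for r in roles)
        print(f"{names:22} {op:5} {art.artifact_id:20} -> {authorize(roles, art, op)}")
```

Running the block prints one line per check; the last case is the one to watch when implementing the Permission tab, since whether a Denied on one role should override a Granted on another is a design decision the proposal leaves open.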

 

 

Note: The UI might be subject to change in the implementation, but the whole idea (especially the authorization part) would be the same.