Controlling access is one of the bigger puzzles any system administrator faces. There are two different challenges to consider when it comes to permissions. The first challenge is authentication, which involves ensuring the user is who they say they are. The second challenge is authorization, which deals with what a user can or cannot have access to. The standard Aras permission model and our two new access control policies provide configurable solutions to the latter - authorization.
This blog will be a high-level overview of the three types of access control built into the Aras Innovator platform: role-based permissions, MAC policies, and DAC policies. Future posts will go more in-depth and explain how you can use these services to implement common use cases.
Role-Based Access Control
The standard permissions model, an example of role-based access control, revolves around the Permissions ItemType. These permissions will be assigned to an ItemType and will dictate how different identities can interact with the given ItemType. Below is a standard permission named “New Part.” Different groups and individual identities have different levels of access, and this can change based on the life cycle state of the part itself. Standard permissions are powerful but cannot vary based on the context item.
Mandatory Access Control
Mandatory Access Control (MAC) policies are attribute-based, meaning access can be defined based on properties/attributes of both the user and any item the user is viewing. This allows for military-style security scenarios, where a user with a high security clearance level may access items with a lower security clearance level, even though they may not have access provided by the explicit permissions defined on the item. This image shows how a MAC policy can be used to restrict access on documents with a "top secret" clearance level while allowing all users access to unclassified documents.
MAC policies also allow admins to restrict a user's access based on their physical location. A user with read/write access in their primary facility may only have read access at other sites.
Domain Access Control
Domain Access Control (DAC) was designed to support project-based access scenarios where users are given access to items related to individual projects or domains. These domains are dynamic, allowing the permissions to shift with the scope of a project. The image below shows how a DAC policy should work.
Each project in the above example could have its own DAC definition, meaning each project can have its own specific policy. Each user can be a member of multiple teams, giving them access to multiple projects. DAC policies work out of the box with the other two types of access control. Combining all three methods is the best way to ensure that authorized users are the only ones with access to the correct items. With proper configuration, you can have more complex policies, which allow for something similar to the diagram below.
These policies have a lot of moving parts. Configuring any of these solutions will take some trial and error to find the best fit for your situation. This has been a very brief conceptual overview of the different types of access control within Aras Innovator. In the coming weeks, we'll publish examples of both MAC and DAC policies. We'll also be releasing a community project which has examples of both types of policy.