Wednesday, July 25, 2012

Knowledge Management: Access Control List & Role Based Access Control

A long, long time ago, I was an Artillery Officer in the Marine Corps with one of my collateral duties being Security Officer for Nuclear weapons.  In order to get that classification, I needed to be:
  • Standing in the wrong place when the Commanding Officer assigned collateral duties
  • Be eligible for & receive a 'Top Secret' Security Clearance, which involved a 10 year Background Investigation.  Yes, guys actually went around and interviewed people that didn't know me very well.
  • Pass a written & physical 'do this' exam, though the details of that process are now muddy.
When all was done, I had my Top Secret Security clearance, but that was only part of the 'Knowledge Management' puzzleMy Access to documents and information was restricted based on my 'need to know'.  An Artillery Officer had no reason to know non-public details about ICBMs or under development weaponry.  Instead, there was a very specific list of items I would be allowed to see or act upon.  This list is similar to an Access Control List.  My position (Artillery Nuclear Security Officer) was my  Role.  Everyone in the USMC that was assigned that specific Role was also given the same Access Control List of actionable items.

Our Platform as a Service currently includes 345 Actionable items (Privileges), the sum of which comprise the Access Control List, control of which is usually reserved for the Account Admin.  In fact, even viewing the ACL requires specific Privileges.  These Privileges can be selected  in any combination and when Saved (as a group) are named.  That name is called a Role.  Users are assigned to a specific Role, usually done by the Account Admin.

A data entry operator would not need 'Objects->Checkout settings->Add Payment system' in order to do data entry nor would a CEO with the equivalent of a 'Top Secret Clearance' require 'Objects -> Solutions-> Delete SaaS Solution package'.  Most damage is unintentional and it is part of  the Account Admin's job to ensure that the CEO does not see a button, say "What does this do?" and potentially nuke 70 hours of work. (Account Admin forgot to schedule auto-backup).

Younicycle's ACL and Roles are based on PostgreSQL, but the basic concept of Knowledge Management predates any database or computer system.

My next post will include a video that shows how to use the built-in Access Control List to build a Role and assign Users to the Role.  Knowledge of SQL is not required as it is a simple select and click web interface.

Double-thanks for reading.  Boring but important.

No comments:

Post a Comment