Access Control

Security Model

The security model inside the ACL consists of two parts:

  • Zone based security: Every API method (SOAP & REST) is executed under one or more security zones. Zones are assigned at source level (either through inheritance or directly) and selected via the URL that is used to access the SOAP interface.
    Zones limit which API methods are exposed to the public internet as opposed to the TM internal network. They are also used for data leakage protection on sensitive information (see also Metadata-Module).
  • Role based security: Any API method may define a set of roles that must be granted to a user before that user may call the method. Roles provide fine-grained control over which API methods a given user can access.

The relation between Zones and Roles is that one controls access by network location while the other controls access by user privileges.

Defined Zones

Zone: Description

Private-Zone: Methods within this zone are guaranteed to be reachable from within the GRID processing site and may optionally be reachable within the TM network. It is identified by the "*/internal/*" keyword in the service endpoint address of any processing related service.
Intranet-Zone: Methods within this zone are guaranteed to be reachable within the TM network. The intranet zone is also identified by the "*/internal/*" keyword. The differentiation between Private and Intranet is performed using the endpoint addresses of the various declared interfaces (see the table below).
Public-Zone: Methods within this zone are reachable from the public internet. Any service method whose interface class is prefixed with "Public*" and whose endpoint address is not marked with the "*/internal/*" keyword is considered to belong to the public zone.

Notes:

  • Zone based access restrictions are not enforced by the ACL itself. It is up to the configuration of the firewalls / load balancers inside the GRID sites to enforce them.
  • In contrast to pure network access restrictions, data leakage protection IS enforced by the ACL itself.
  • A client within a more restricted zone can see all methods of every less restricted zone. Therefore clients located within the Private-Zone can see all methods of the Intranet- and Public-Zone.

Defined Roles

The following table lists all roles that have been defined including a short explanation:

Role Name (Since): Description

"access.details" (1.2): Controls the general access to any details (= all data types containing metadata).
"access.protected.services" (1.2): Controls the general access to the protected services (aka. "/internal/").
"run.hash.queries" (1.2): Controls whether hash based queries can be executed.
"run.tag.matching.queries" (1.2): Controls whether tag matching queries can be executed.
    Notes:
      • Methods that match tags by hashes like isFilesTaggedWithAll(..) do not fall under this role, as the primary query key in such queries is the hash, not the tag.
      • Methods that require this role are in general more expensive to execute than hash based methods. This expense originates in the higher cardinality of tag matching indexes.
"run.package.queries" (1.2): Controls whether file packages can be queried.
"run.categorization.queries" (1.2): Controls whether categorization queries can be executed.
"run.complex.queries" (1.2): Controls whether complex queries can be executed.
    Any query that allows retrieving relationships or does not fall under one of the other categories is considered a complex query. From a performance standpoint, complex queries are typically less expensive than tag matching queries, except if the relationships are huge and require fetching many pages.
"access.binary.content" (1.2): Controls whether a previously processed file can be downloaded.
"create.binary.content" (1.2): Controls whether a file can be sent (created) for processing.
"process.content" (1.2): Controls whether new or existing content can be processed or reprocessed. Note: Users that were granted this role but not "create.binary.content" can trigger reprocessing on previously stored content but cannot add new content.
"manage" (1.2.2): Controls whether management tasks like clearing caches can be executed.
"access.audit.log" (1.3): Controls whether the user audit log can be accessed.
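
The following Python sketch is an added illustration, not code from this page or from the ACL it documents. It models how the two halves of the security model combine: a method's zone is derived from its endpoint address ("*/internal/*") and interface class prefix ("Public*"), a caller in a more restricted zone sees the less restricted zones as well, the per-method role check is applied afterwards, and detail fields are stripped from a response unless the caller holds "access.details" (the data leakage protection the ACL enforces itself). The method names, endpoints, the prefix used to tell Private from Intranet endpoints, the role assignments and the "metadata" detail field are all constructed for the example; the real mapping is the page's own table.

```python
import re
from dataclasses import dataclass
from enum import IntEnum


class Zone(IntEnum):
    """Zones ordered from most to least restricted. A caller in a more restricted
    zone can see every method of the less restricted zones (Private sees all)."""
    PRIVATE = 0
    INTRANET = 1
    PUBLIC = 2


@dataclass(frozen=True)
class Method:
    name: str
    interface_class: str        # declared interface; "Public*" marks public services
    endpoint: str               # endpoint address the method is exposed at
    required_roles: frozenset   # roles the caller must hold to call the method


INTERNAL_KEYWORD = re.compile(r"/internal/")
# Assumption: the page's endpoint table that separates Private from Intranet is not
# reproduced here, so this example treats endpoints under this constructed prefix
# (the processing related services) as Private-Zone.
PRIVATE_ENDPOINT_PREFIXES = ("/internal/processing",)


def zone_of(method: Method) -> Zone:
    """Classify a method by its endpoint address and interface class name."""
    if INTERNAL_KEYWORD.search(method.endpoint):
        if method.endpoint.startswith(PRIVATE_ENDPOINT_PREFIXES):
            return Zone.PRIVATE
        return Zone.INTRANET
    if method.interface_class.startswith("Public"):
        return Zone.PUBLIC
    # Not marked internal and not a Public* interface: the page defines no zone for
    # this case, so fail closed and keep it off the public internet.
    return Zone.INTRANET


def visible_methods(caller_zone: Zone, methods) -> list:
    """Methods a caller placed in caller_zone can see: its own zone plus all less restricted ones."""
    return [m for m in methods if zone_of(m) >= caller_zone]


def authorize(method: Method, caller_zone: Zone, caller_roles) -> tuple:
    """Zone check first (what the firewalls enforce by network location), then the
    per-method role check the ACL enforces. Returns (allowed, reason)."""
    method_zone = zone_of(method)
    if method_zone < caller_zone:
        return False, f"{method.name} is {method_zone.name}-only, not reachable from {caller_zone.name}"
    missing = method.required_roles - frozenset(caller_roles)
    if missing:
        return False, "missing roles: " + ", ".join(sorted(missing))
    return True, "ok"


def roles_for_processing(new_content: bool) -> frozenset:
    """Note under process.content: reprocessing stored content needs process.content only;
    submitting new content additionally needs create.binary.content."""
    roles = {"process.content"}
    if new_content:
        roles.add("create.binary.content")
    return frozenset(roles)


DETAIL_FIELDS = {"metadata"}  # constructed: response fields that count as "details"


def filter_details(record: dict, caller_roles) -> dict:
    """Data leakage protection the ACL enforces itself: strip detail fields unless
    the caller holds access.details."""
    if "access.details" in caller_roles:
        return dict(record)
    return {k: v for k, v in record.items() if k not in DETAIL_FIELDS}


# Constructed method definitions for the demo; the real mapping is the page's table.
METHODS = [
    Method("queryByHash", "PublicQueryService", "/soap/query", frozenset({"run.hash.queries"})),
    # keyed by hash even though it matches tags, so it stays under run.hash.queries (page note)
    Method("isFilesTaggedWithAll", "PublicQueryService", "/soap/query", frozenset({"run.hash.queries"})),
    Method("findByTags", "PublicQueryService", "/soap/query", frozenset({"run.tag.matching.queries"})),
    Method("reprocess", "ProcessingService", "/internal/processing/reprocess",
           frozenset({"access.protected.services", "process.content"})),
    Method("clearCaches", "ManagementService", "/internal/management/caches",
           frozenset({"access.protected.services", "manage"})),
]

if __name__ == "__main__":
    for caller_zone in Zone:
        print(caller_zone.name, "sees", [m.name for m in visible_methods(caller_zone, METHODS)])
    print(authorize(METHODS[2], Zone.PUBLIC, {"run.hash.queries"}))
    print(filter_details({"sha256": "<hash>", "metadata": {"tags": ["x"]}}, set()))
```

The zone check is ordered before the role check on purpose: the ACL can evaluate roles for every method, but it can only rely on the zone holding if the firewalls and load balancers in front of it actually restrict who reaches the "/internal/" endpoints, so the role check is the one line of defence the ACL owns end to end.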

Zone & Role - Mapping

The following table lists all methods mapped against the roles they require and the zones they are accessible in:

Mapping table columns (one per role): access.details, access.protected.services, run.hash.queries, run.tag.matching.queries, run.package.queries, run.categorization.queries, run.complex.queries, access.binary.content, create.binary.content, process.content, manage, access.audit.log