I wrote about our Access Control requirements back in July last year. Since then we’ve completed the design and basic implementation of the authentication and authorisation engines.
The major elements of the access controls are:
- Access Controls are managed at the Experiment level, i.e. you either have access to the entire experiment or no access.
- An Experiment can be flagged as public, allowing anonymous access to the experiment.
- Supported Authentication methods currently include: Internal (Django), LDAP and VBL (Australian Synchrotron proprietary). Additional methods can be added using an API.
- Authorisation to experiments may be assigned to individual Users, (internal) Groups and External Groups (see below for an explanation). Privileges currently include: Read Access, Write (Edit) and Data Owner (see below for a description).
MyTARDIS is built on Django, which has it own built in account management. MyTARDIS supports the Django internal accounts, and has an API allowing additional authentication methods to be defined. Users can have credentials from multiple user stores linked to a single Django account. We currently support internal accounts, LDAP (Active Directory) and VBL (Australian Synchrotron proprietary) authentication.
We’ve modified the authorisation mechanism in Django to use ExperimentACLs. The ExperimentACL defines access to an individual Experiment.
The three components of the ExperimentACL are:
- The ExperimentACL type
- The rights being granted
- The User, Group or External Group receiving the rights
The ExperimentACL may either be a User ACL or System ACL. User ACLs are owned and managed by the Data Owner, while System ACLs are owned and managed by the system administrator. This allows us to meet the use case of automatically granting read access to all experiments from a particular beamline to the beamline scientists (without the users being able to revoke that access).
The rights include:
- Read: the right to view the experiment
- Write: the right to edit the metadata and add and remove new datafiles
- Delete: the right to delete datasets or the entire experiment
- Data Owner: the right to manage access for other users (User ExperimentACLs)
As mentioned above, ExperimentACLs can assign rights to individual Users and internal Groups in the usual fashion.
External Groups provide an extensible authorisation mechanism, e.g. granting access based on location (IP address) or membership of a group in an LDAP repository. A user’s external group membership is evaluated when they log on to the system.
One additional use case that hasn’t been addressed and which we are considering is temporary read access to an experiment. This is useful when making a paper available for peer review prior to publication. During the review period the researchers may want to make the data available to the reviewers as well. Our current thinking is to provide a button that generates a time limited URL that has read access to the experiment, i.e. the URL embeds a time limited key. Anyone who has access to the URL then has access to the experiment for a short period of time (which will be configurable).