[SECURITY-41] Implement AppPermissionEvaluator grant() Created: 17/Aug/22  Updated: 25/May/23  Resolved: 23/May/23

Status: Closed
Project: Security
Component/s: None
Affects Version/s: None
Fix Version/s: 7.0.0

Type: Story Priority: Neutral
Reporter: Evzen Fochr Assignee: Evzen Fochr
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Issue Links:
dependency
is depended upon by CNTCTSAPP-122 Make content apps jcr security indepe... Accepted
Sub-Tasks:
Key
Summary
Type
Status
Assignee
SECURITY-42 Implementation Sub-task Closed Evzen Fochr  
SECURITY-43 Review Sub-task Completed Thai Chi Minh  
SECURITY-45 QA Sub-task Completed Enrique Espana  
Template:
Acceptance criteria:
Empty
Epic Link: App and action based security for Norsu
Sprint: AdminX 36
Story Points: 3
Team: AdminX
Work Started:
Approved:
Yes

 Description   

config:

magnolia.auth.permission.app.[permission-name].access=[ALLOW|DENY]
magnolia.auth.permission.app.[permission-name].app-name=[magnolia-app-name]
magnolia.auth.permission.app.[permission-name].policy=[policy-name]
magnolia.auth.permission.app.[permission-name].subapp-name=[magnolia-subapp-name]
magnolia.auth.permission.app.[permission-name].actions=[action-name's separated by comma]

Evaluator rules:

  • If access is not specified, we should deny access.
  • The most specific permission should have priority over the generic permission.
    There is a hierarchical order that define whether a permission is generic or specific: app-name -> subapp -> actions
  • If subapp-name or actions are not specified, assume all
  • If the user has 2 conflicting permissions for the same resource (set of resources), apply the most restrictive one: DENY

 

e.g. 1

magnolia.auth.permission.app.permission1.access=DENY
magnolia.auth.permission.app.permission1.app-name=pages-app
magnolia.auth.permission.app.permission1.policy=default

-> denies access to the app itself (the config does not do anything special, as the default access is deny)

 

e.g. 2

magnolia.auth.permission.app.permission2.access=ALLOW
magnolia.auth.permission.app.permission2.app-name=pages-app
magnolia.auth.permission.app.permission2.subapp-name=browser
magnolia.auth.permission.app.permission2.policy=browser-read-only

-> allows user to enter only the browser app, but all the actions will be unavailable

 

e.g. 3

magnolia.auth.permission.app.permission3.access=ALLOW
magnolia.auth.permission.app.permission3.app-name=pages-app
magnolia.auth.permission.app.permission3.subapp-name=browser
magnolia.auth.permission.app.permission3.actions=add, preview
magnolia.auth.permission.app.permission3.policy=editor-browser-availabilities

-> allows user to enter only the browser app, but only add and preview actions are available to him


Generated at Mon Feb 12 10:47:21 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.