S&E Access Control Lists
Access Control Lists (ACLs) define a set of permissions for specific roles attached to specific entities. The ACL is defined and enforced within the Sign & Encrypt service itself.
Each tenant has one ACL containing all rules restricting what a certain subject (aka user/group) can view or do within the application.
The most common type of rule is the policy rule (aka ACL rule). A policy rule consists of three parts:
Subject (who)
Resource (for which entity)
Action (can do what)
The other type of rule is the group rule. A group rule states that one subject is contained in another subject, and therefore consists of two subjects:
parent subject (=Subject)
child subject (=Resource)
Group rules are managed through a different API than policy rules; they are mentioned here only for completeness.
Subjects
Subjects follow the format <subject-type>:<subject-id>.
Bosch.IdM roles
Access is granted based on the caller's Bosch.IdM roles. These subjects use the "GROUP" type followed by the IdM role name, e.g. GROUP:Idm2Bcd_xxxxxxxxx_xxxxxx_Viewer.
OAuth2 clients
Access is granted based on Suite Auth Tokens obtained through the OAuth2 client flow. These subjects use the "CLIENT" type followed by the Client ID, e.g. CLIENT:xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
To learn how to create an OAuth2 client, refer to Create new OAuth2 client.
Resources
Resources in an ACL rule follow the format <resource-type>:<resource-id>.
The resource types that are currently supported are:
DEVICE_CONFIG - The rule targets one specific device config, identified by its device config id. See Device configuration below for more information.
RESOURCE_TYPE - The rule targets all resources of a certain type; the type can be ACL, AUDIT_LOG or DEVICE_CONFIG.
Actions
Because every task mentioned above is performed on behalf of a user, the Sign & Encrypt service defines a fixed set of actions that a role can perform. OAuth2 token scopes are mapped to the following Sign & Encrypt specific internal actions. The table lists the effect of each action for every resource type; a combination marked "No effect" does nothing when granted:
Action | Resource type | Effect
------- | ------------- | ------
VIEW | ACL | Give a user or user group the permission to access and view ACLs.
VIEW | AUDIT_LOG | Give a user or user group the permission to access and view the audit log.
VIEW | DEVICE_CONFIG | Give a user or user group the permission to access and view device configs, related tasks, and their related audit log entries.
USE | ACL | No effect.
USE | AUDIT_LOG | No effect.
USE | DEVICE_CONFIG | Give a user or user group the permission to create packaging, encryption and/or signing tasks, upload files for a device config, and download the encryption and public signing key.
APPROVE | ACL | No effect.
APPROVE | AUDIT_LOG | No effect.
APPROVE | DEVICE_CONFIG | Give a user or user group the permission to approve packaging and signing tasks.
CREATE | ACL | Give a user or user group the permission to create new ACL rules.
CREATE | AUDIT_LOG | No effect.
CREATE | DEVICE_CONFIG | Give a user or user group the permission to create new device configs and provision encryption/signing keys.
EDIT | ACL | Give a user or user group the permission to delete ACL rules.
EDIT | AUDIT_LOG | No effect.
EDIT | DEVICE_CONFIG | No effect.
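As an added example (not code from the Sign & Encrypt service), the following Python evaluator implements the model described on this page: subjects and resources in <type>:<id> form, group rules that nest one subject in another, RESOURCE_TYPE rules that cover every resource of a type, and the action/resource-type effect table. The rule layout, function names and sample identifiers are assumptions.

```python
from dataclasses import dataclass, field

# Action/resource-type pairs the effect table marks as meaningful. Every other
# combination is listed as "No effect", so a rule with it never grants access.
EFFECTIVE = {
    ("VIEW", "ACL"), ("VIEW", "AUDIT_LOG"), ("VIEW", "DEVICE_CONFIG"),
    ("USE", "DEVICE_CONFIG"), ("APPROVE", "DEVICE_CONFIG"),
    ("CREATE", "ACL"), ("CREATE", "DEVICE_CONFIG"), ("EDIT", "ACL"),
}

def parse_ref(ref: str) -> tuple[str, str]:
    """Split '<type>:<id>' into (type, id); reject anything not of that shape."""
    kind, sep, ident = ref.partition(":")
    if not sep or not kind or not ident:
        raise ValueError(f"malformed reference: {ref!r}")
    return kind, ident

@dataclass
class Acl:
    policy_rules: list[tuple[str, str, str]] = field(default_factory=list)  # (subject, resource, action)
    group_rules: list[tuple[str, str]] = field(default_factory=list)        # (parent, child)

    def principals(self, subject: str) -> set[str]:
        """The subject itself plus every parent reachable through group rules."""
        seen, todo = set(), [subject]
        while todo:
            s = todo.pop()
            if s not in seen:
                seen.add(s)
                todo.extend(parent for parent, child in self.group_rules if child == s)
        return seen

    def is_allowed(self, subject: str, action: str, resource: str) -> bool:
        parse_ref(subject)                          # fail closed on malformed input
        rtype, rid = parse_ref(resource)
        effective_type = rid if rtype == "RESOURCE_TYPE" else rtype
        if (action, effective_type) not in EFFECTIVE:
            return False                            # "No effect" combination
        members = self.principals(subject)
        wildcard = f"RESOURCE_TYPE:{effective_type}" # rule covering the whole type
        return any(subj in members and act == action and res in (resource, wildcard)
                   for subj, res, act in self.policy_rules)

def example_acl() -> Acl:
    """Constructed sample tenant ACL; ids are placeholders, not real roles or clients."""
    viewers, operators = "GROUP:Idm2Bcd_example_Viewer", "GROUP:Idm2Bcd_example_Operator"
    pipeline = "CLIENT:00000000-0000-4000-8000-000000000001"
    return Acl(
        policy_rules=[(viewers, "RESOURCE_TYPE:DEVICE_CONFIG", "VIEW"),  # view all device configs
                      (operators, "DEVICE_CONFIG:cfg-001", "USE"),       # use this one config only
                      (operators, "RESOURCE_TYPE:AUDIT_LOG", "USE")],    # granted, but no effect
        group_rules=[(operators, pipeline)])                              # client is in the group
```

The evaluator rejects malformed references and "No effect" combinations before consulting any rule, so misconfigured rules cannot widen access.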