Access Control Model

Portal’s access control model is intended to stay simple and straightforward for the foreseeable future. It is based on a simple permissions system that breaks access down into per-organization roles. In contrast, Canopy’s access control model is more complex and allows more fine-grained access control decisions to be made.

Roles

Portal’s roles are as follows:

Level        | Role          | Description
-------------|---------------|------------------------------------------------------------
System       | Administrator | Perform any operation on the Portal, including those activities limited to admins (e.g. user management, API token management).
Organization | Owner         | Has access to all data on a specific organization, and can perform any action specific to the organization.
Organization | Collaborator  | Default read and write access to all requests, assessments and projects within an organization.
Organization | Member        | Has access only to data they are explicitly allowed to access on the organization. Is able to create requests for the organization.
Request      | Owner         | Owner of the request. Able to change request state (draft through to completion/rejection), complete the request form and upload supporting data.
Project      | Owner         | Owner of the project. Able to view all data related to the project (assessments, findings and reports). By default, the creator of a request is also granted access to the related project.

Note: Assessment access is inherited from the Project access level.
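The table above describes the decision, not how it is computed. The following is an added example (not Portal's own code) that models those rules as a single authorization function, so that the interaction between organization roles, request/project ownership and the assessment-inherits-from-project rule can be checked against sample data. The data classes, the `decide` function, the action names ("read", "write", "create") and the sample users and resources are all assumptions made for illustration; the treatment of findings and reports as project data follows the project owner row of the table.

```python
"""Toy model of the Portal role hierarchy described in the table above.

Added example, not Portal's own code. Class names, the action vocabulary
and all sample data are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assessments, findings and reports carry no role of their own: their
# access is inherited from the parent project (see the note on the page).
PROJECT_DATA = ("assessment", "finding", "report")


@dataclass
class Resource:
    kind: str                       # "request", "project" or one of PROJECT_DATA
    org: str                        # owning organization
    ident: str                      # resource id (constructed sample values below)
    owner: Optional[str] = None     # request owner / project owner
    project: Optional[str] = None   # parent project id for PROJECT_DATA kinds


@dataclass
class User:
    name: str
    is_admin: bool = False
    # per-organization role: "owner", "collaborator" or "member"
    org_roles: Dict[str, str] = field(default_factory=dict)
    # members see only resources they were explicitly granted (resource ids)
    explicit_grants: Set[str] = field(default_factory=set)


def effective_resource(resource: Resource, registry: Dict[str, Resource]) -> Resource:
    """Map assessments/findings/reports onto the project whose access they inherit."""
    if resource.kind in PROJECT_DATA:
        if resource.project is None or resource.project not in registry:
            raise ValueError(f"{resource.ident}: project data without a known parent project")
        return registry[resource.project]
    return resource


def decide(user: User, resource: Resource, action: str, registry: Dict[str, Resource]) -> bool:
    """Return True if `user` may perform `action` ("read", "write", "create") on `resource`."""
    if action not in ("read", "write", "create"):
        raise ValueError(f"unknown action {action!r}")
    # System administrator: any operation on the Portal.
    if user.is_admin:
        return True
    role = user.org_roles.get(resource.org)
    if role is None:                      # no role on this organization at all
        return False
    if role == "owner":                   # organization owner: everything in the org
        return True
    if role == "collaborator":            # default read/write on requests, assessments, projects
        return True
    # Remaining case: organization member.
    if action == "create":
        return resource.kind == "request"  # members may create requests
    target = effective_resource(resource, registry)
    if target.owner == user.name:
        # Request owner: change state, fill the form, upload data (read + write).
        # Project owner: view all project data (read only, per the table).
        return target.kind == "request" or action == "read"
    # Explicit grant on the (effective) resource gives view access.
    return action == "read" and target.ident in user.explicit_grants


# Constructed sample data for the organization "acme".
REGISTRY: Dict[str, Resource] = {
    "req-1": Resource("request", "acme", "req-1", owner="alice"),
    "proj-1": Resource("project", "acme", "proj-1", owner="alice"),
    "asmt-1": Resource("assessment", "acme", "asmt-1", project="proj-1"),
}
USERS: Dict[str, User] = {
    # alice created req-1 and therefore also owns the related project
    "alice": User("alice", org_roles={"acme": "member"}),
    # bob was explicitly granted access to proj-1 only
    "bob": User("bob", org_roles={"acme": "member"}, explicit_grants={"proj-1"}),
    "carol": User("carol", org_roles={"acme": "collaborator"}),
    "dave": User("dave", org_roles={"other": "owner"}),
    "root": User("root", is_admin=True),
}


if __name__ == "__main__":
    for who, rid, action in [("alice", "req-1", "write"), ("alice", "asmt-1", "write"),
                             ("bob", "asmt-1", "read"), ("bob", "req-1", "read"),
                             ("carol", "asmt-1", "write"), ("dave", "proj-1", "read")]:
        print(who, action, rid, "->", decide(USERS[who], REGISTRY[rid], action, REGISTRY))
```

Running the block prints one decision per line; the interesting cases are bob reading `asmt-1` (allowed only because the grant on `proj-1` is inherited by the assessment) and alice writing `asmt-1` (denied, because a project owner only views project data while a request owner can write to the request itself).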

Granting organization access to users

An admin may grant a user access to any organization via the User Management function in the Portal admin interface. The following screenshot shows the user types (User vs System administrator) and the organizational access (configured per organization).

Automated provisioning

It is possible to auto-provision every user as a member of ALL organizations. However, this should only be enabled in deployments where users are supposed to have access to all organizations. The setting can be configured in the canopyportal.ini file by an administrator:

Once completed, restart the Portal service:

systemctl restart canopyportal