Access Control Model
Portal’s access control model is intended to remain simple and straightforward for the foreseeable future. It is based on a permissions system that breaks access down into per-organization roles. In contrast, Canopy’s access control model is more complex and allows finer-grained access control decisions.
Roles
Portal’s roles are as follows:
| Level | Role | Description |
|---|---|---|
| System | Administrator | Perform any operation on the Portal, including those activities limited to admins (e.g. user management, API token management). |
| Organization | Owner | Has access to all data on a specific organization, and can perform any actions specific to the organization. |
| Organization | Collaborator | Default read and write access to all requests, assessments and projects within an organization. |
| Organization | Member | Has access to data they are explicitly allowed to access on the organization. Is able to create requests for the Organization. |
| Request | Owner | Owner of the Request. Able to change request state (draft through to completion/rejection), complete request form and upload supporting data. |
| Project | Owner | Owner of the project. Able to view all data related to the Project (assessments, findings and reports). By default, the creator of a Request is also granted access to the related Project. |
Note: Assessment access is inherited from the Project access level.
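The role table and the inheritance note can be read as a deny-by-default access check. The following Python is an added example, not Portal's own code: the names `User`, `Resource`, `can_access`, `create_request` and `grants` are hypothetical, it models a single allow/deny decision for requests, projects and assessments only, and it assumes any role on an organization may create a Request.

```python
from dataclasses import dataclass, field
from typing import Optional

ORG_ROLES = {"owner", "collaborator", "member"}  # organization-level roles in the table

@dataclass
class User:
    name: str
    is_system_admin: bool = False
    org_roles: dict = field(default_factory=dict)  # org id -> role name
    grants: set = field(default_factory=set)       # explicit (kind, object id) access

@dataclass(frozen=True)
class Resource:
    kind: str                      # "request", "project" or "assessment"
    id: str
    org: str
    project: Optional[str] = None  # parent project id (assessments only)

def can_access(user: User, res: Resource) -> bool:
    """Deny-by-default decision following the roles table."""
    if user.is_system_admin:
        return True
    role = user.org_roles.get(res.org)
    if role not in ORG_ROLES:      # no role, or an unknown one, on this org
        return False
    if role in ("owner", "collaborator"):
        return True
    # Member: explicit grants only. Assessments inherit from their Project.
    if res.kind == "assessment":
        return ("project", res.project) in user.grants
    return (res.kind, res.id) in user.grants

def create_request(user: User, org: str, request_id: str, project_id: str) -> Resource:
    """The creator owns the Request and is granted access to its Project."""
    if not (user.is_system_admin or user.org_roles.get(org) in ORG_ROLES):
        raise PermissionError(f"{user.name} has no role on {org}")
    user.grants.update({("request", request_id), ("project", project_id)})
    return Resource("request", request_id, org)

def demo() -> dict:
    # Constructed sample data: the org, user and object ids are made up.
    alice = User("alice", org_roles={"org-a": "member"})
    create_request(alice, "org-a", "req-1", "proj-1")
    return {"inherited assessment": can_access(alice, Resource("assessment", "as-1", "org-a", "proj-1")),
            "other project": can_access(alice, Resource("project", "proj-2", "org-a")),
            "other org": can_access(alice, Resource("project", "proj-1", "org-b"))}
```

The organization role is checked before any explicit grant, so a grant left over from a removed organization role does not keep access alive.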
Granting organization access to users
An admin may grant access to a user on any organization via the User Management function under the Portal admin interface. The following screenshot shows the user types (User vs System administrator) and the Organizational access (configured on a per-organization level).
Automated provisioning
It is possible to auto-provision a user with Member access to ALL organizations. However, this should only be allowed in organizations where users are supposed to have access to all organizations. The setting can be configured in the canopyportal.ini file by an administrator:
Once completed, restart the Portal service:
systemctl restart canopyportal