The Access Control component, along with its Admin UI subcomponent, protects the system from unauthorized use. Access Control provides the functionality to authorize a user to access the system or the services provided by the system. Admin UI provides the functionality to administer the security objects that Access Control uses. For authorization, Access Control verifies that a user has the authority to access individual security services. It grants this authorization only if the user's profile holds that service's full set of required security rights at the time of the access request. For example, when a user requests to reset the password of another user, Access Control verifies that the requesting user holds the proper right.
A right is a "key" or "ticket" that authorization uses to determine which services or security APIs the user can access. A right has no special functionality or attributes of its own; it is simply a name that Access Control uses for authorization purposes. Rights can be assigned to services, which restricts access to those services to the users who hold (at least) those rights. Rights can also be assigned to roles.
A role, such as administrator or teller, can be used to assign a group of rights to a user. A set of rights is associated with a role, and the role is associated with the user, who is thereby granted all the rights associated with the role. Roles can contain subroles. When a role is associated with a user, the user is recursively granted all the rights of every subrole associated with that role. In addition, the roles held by a user's profile can be restricted to certain time intervals; only the roles that are active at the time of the access request are valid for authorization.
The user information is stored in a database that Access Control consults when security services are requested. The authorization process verifies that the internal Security User object corresponds to an external identity that has been approved to access the system, and the access right mechanism restricts access to only those security services that have been approved for use by this identity.
A Security Service, from the point of view of Access Control, is the object that represents an operation that can be authorized. It can be one or more functions made available to an authorized user through a client application. Access Control controls access to a security service by associating rights (instances of SecurityRight) with it, using Admin UI. The profile (SecurityUser) of a user attempting to access a security service must hold all the rights required for that security service before the Access Control component permits the access.
The following figure illustrates the relationship between the objects.
Security role: represents a role that a user holds. A role can contain subroles and carries all the rights of its subroles.
Role right set: represents the set of rights that a role holds.
Service right set: represents the set of rights required to access or execute a service.
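The authorization model described above (a service's required right set, roles with recursively inherited subroles, and time-limited role grants) can be exercised in a small, self-contained check. This is an added example, not the product's code: only the SecurityUser and SecurityRight names come from the page; SecurityRole, RoleGrant, SecurityService and the sample roles, rights and dates are assumptions constructed for illustration.

```python
# Added example, not the product's code: authorization following the model above.
# Only SecurityUser and SecurityRight are names from the page; the rest are assumed.
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class SecurityRole:
    name: str
    rights: frozenset = frozenset()   # names of SecurityRight objects held directly
    subroles: tuple = ()              # subroles whose rights are inherited recursively
@dataclass
class RoleGrant:                      # a role held by a profile, valid for an interval
    role: SecurityRole
    valid_from: datetime = datetime.min
    valid_to: datetime = datetime.max
    def active_at(self, when):
        return self.valid_from <= when < self.valid_to
@dataclass
class SecurityUser:                   # the profile checked at authorization time
    name: str
    grants: list = field(default_factory=list)
@dataclass
class SecurityService:
    name: str
    required_rights: frozenset        # the profile must hold every one of these

def effective_rights(role, seen=None):
    """Rights of a role plus, recursively, those of its subroles (cycle-safe)."""
    seen = set() if seen is None else seen
    if role.name in seen:
        return frozenset()
    seen.add(role.name)
    rights = set(role.rights)
    for sub in role.subroles:
        rights |= effective_rights(sub, seen)
    return frozenset(rights)

def user_rights(user, when):
    """Union of rights from the grants that are active at the time of the request."""
    return frozenset().union(*(effective_rights(g.role) for g in user.grants if g.active_at(when)))

def authorize(user, service, when):
    """Grant access only if the active rights cover the whole required set."""
    return service.required_rights <= user_rights(user, when)

# Constructed sample data: administrator contains teller; Alice is admin for H1 2024 only.
TELLER = SecurityRole("teller", frozenset({"ViewAccount"}))
ADMIN = SecurityRole("administrator", frozenset({"ResetPassword"}), (TELLER,))
RESET_PW = SecurityService("resetPassword", frozenset({"ResetPassword", "ViewAccount"}))
ALICE = SecurityUser("alice", [RoleGrant(ADMIN, datetime(2024, 1, 1), datetime(2024, 7, 1))])
```

A request by Alice during her grant interval is authorized because the administrator role inherits ViewAccount from its teller subrole; the same request after the interval, or by a user holding only the teller role, is refused.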
The Lightweight Directory Access Protocol (LDAP) is supported by Access Control. LDAP is an open industry standard that defines a standard method for accessing and updating information in a directory. When Access Control is combined with an LDAP server, Access Control provides only the authorization function, and the user is authenticated by the LDAP server. All the information required for authorization is stored by Access Control, and all the user information is stored by the LDAP server. Therefore, to combine Access Control with LDAP, the user authorization information must be synchronized with the user authentication information, and Access Control must be able to use the authentication function of the LDAP server. See the Reference section for details about how to synchronize Access Control with the LDAP server, and how to enable Access Control to use the authentication function of the LDAP server.