Authorization Management in Sidra Web¶
The Authorization section in Sidra Web has been built for displaying and managing the Balea Authorisation Framework. This framework defines the Authorization model to assign permissions to users for the different applications registered in Sidra.
Permissions on Sidra Core can be granted to end users as well as Client Apps. Each Client App has a different ClientId assigned. That ClientId identifies the Application and is used to assign permissions on Sidra Core for it.
The Authorization page allows to see all Applications registered in Sidra and to assign and enable roles to users, including mappings, delegated credentials and bespoke permission sets on the underlying resources (DSU, Provider and Entity scoped authorization).
According to the different perspectives included in the Balea Authorisation framework, the Web UI offers different UI views to manage all entities and relationships of this framework:
Balea Users View:
From the Balea Users View, Sidra Web users can navigate through all the registered subjects (users) in the Balea Applications. A subject in Balea identifies a user -an individual- or a client -a software system- in the Authorization system.
From each of the User items, it is possible to add new delegations for specific applications, including start and end date of such delegation.
Balea User Detail View:
The Balea User Detail view allows to configure, for each of the Balea subjects, and for each of the application, the following configuration:
- See the list of roles that have been enabled for each application
- Assign/unassign roles to the user for each application
- Edit access level permissions (of the user to the underlying resources (Provider, Entity). A permission is the ability to perform some specific operations in Sidra - read, write, and delete- on the metadata of the resource.
Balea Application View:
From the Balea Applications View, Sidra Web users can navigate through all the registered applications with the Balea authorisation framework. Balea supports handling the authorisation for several applications, so the same subject can have a different set of permissions in each application.
Balea Application Detail View:
A Balea Application can have attached different categories of objects within the Balea Authorisation framework.
From the Roles menu, the Application detail view allows to perform several actions related to roles management for a specific Balea application: add/edit/delete roles, configure mappings for these roles, as well as enable/disable roles for the specific application. Mappings allow to implement associations between the roles that come from the authentication system and the roles in the Balea Authorization system.
The Permissions menu allows to list and search specific configured permissions that the app has attached (by means of the implicit association between Roles and Permissions in the Balea Authorization model).
The Delegations menu allows to list and configure permissions delegation between users for a specific Balea application. Delegating a role to second user means this second user can assume a set of permissions to access to the application on behalf of the first user.
Balea API Keys View:
The Balea API Keys view allows to create API keys by configuring their expiration. This View provides the list of API Keys created into the system with their expiration status and allows to delete them as needed.