Authorization Service
The Authorization Service is an essential component of the Sidra ecosystem that enables granular and flexible control over access rights. It leverages Balea, a library for defining and managing authorization policies based on roles and permissions. The Authorization Service works seamlessly with Identity Server, which handles authentication and identity management. This service contains a set of tables with the information about the authorization of users and apps to grant access to specific Data Storage Units (DSU), Entities and Providers.
The Authorization section in Sidra Web has been built for displaying and managing the Balea Authorization Framework. This framework defines the Authorization model to assign permissions to users for the different applications registered in Sidra.
Permissions on Sidra Core can be granted to end users as well as Data Products. Each Data Product has a different ClientId assigned. That ClientId identifies the Application and is used to assign permissions on Sidra Core for it.
The Authorization page allows you to see all Applications registered in Sidra and to assign and enable roles for users, including mappings, delegated credentials and bespoke permission sets on the underlying resources (DSU, Provider and Entity scoped authorization).
According to the different perspectives included in the Balea Authorization framework, the Web UI offers different UI views to manage all entities and relationships of this framework.
Authorization Users View
From the Authorization Users View, Sidra Web users can navigate through all the registered subjects (users) in the Authorization Applications. A subject here identifies either a user (an individual) or a client (a software system) in the Authorization system.
From each of the User items, it is possible to add new delegations for specific applications, including the start and end date of each delegation.
Authorization User Detail View
The Authorization User Detail view allows you to configure, for each Authorization subject and for each application, the following:
- See the list of roles that have been enabled for each application
- Assign/unassign roles to the user for each application
- Edit access level permissions of the user on the underlying resources (Provider, Entity). A permission is the ability to perform specific operations in Sidra (read, write and delete) on the metadata of the resource.
Authorization Application View
From the Authorization Applications View, Sidra Web users can navigate through all the applications registered with the authorization framework. The framework supports handling the authorization for several applications, so the same subject can have a different set of permissions in each application.
Authorization Application Detail View
An Authorization Application can have different categories of objects attached within the authorization framework:
- Roles
- Permissions
From the Roles menu, the Application detail view allows you to perform several actions related to role management for a specific application: add/edit/delete roles, configure mappings for these roles, and enable/disable roles for that application. Mappings implement associations between the roles that come from the authentication system and the roles in the Authorization system.
The Permissions menu allows you to list and search the configured permissions attached to the application (by means of the implicit association between Roles and Permissions in the Authorization model).
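The following is an added example (not Sidra's or Balea's own code) that models the relationships described above: per-application roles and permissions, mappings from authentication-system roles to Authorization roles, disabled roles, and time-bounded delegations between subjects. The class and field names, the client ids, user names and dates are all constructed for the illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date
# Hypothetical model of the entities this page describes; not Balea's real API.

@dataclass
class Application:
    client_id: str
    role_permissions: dict                            # Balea role -> permissions
    mappings: dict = field(default_factory=dict)      # auth-system role -> Balea role
    disabled_roles: set = field(default_factory=set)  # roles disabled for this app

@dataclass
class Subject:
    name: str
    roles: dict = field(default_factory=dict)         # client_id -> assigned roles
    auth_roles: set = field(default_factory=set)      # roles from the identity provider

# `who` lends their access in one application to `whom` between start and end.
Delegation = namedtuple("Delegation", "who whom client_id start end")
@dataclass
class AuthorizationStore:
    apps: dict        # client_id -> Application
    subjects: dict    # name -> Subject
    delegations: list

    def _roles(self, subject, app):
        # Assigned roles plus roles mapped from the authentication system, minus disabled ones.
        roles = set(subject.roles.get(app.client_id, ()))
        roles |= {app.mappings[r] for r in subject.auth_roles if r in app.mappings}
        return roles - app.disabled_roles
    def permissions(self, name, client_id, today):
        """Permissions a subject holds in one application on ISO date `today`."""
        today = date.fromisoformat(today)
        app, subject = self.apps[client_id], self.subjects[name]
        roles = self._roles(subject, app)
        for d in self.delegations:  # a delegation counts only inside its date window
            if d.whom == name and d.client_id == client_id and d.start <= today <= d.end:
                roles |= self._roles(self.subjects[d.who], app)
        return set().union(*(app.role_permissions.get(r, set()) for r in roles))

def sample_store():
    """Constructed sample: two Data Products (client ids), two users, one delegation."""
    perms = {"reader": {"read"}, "editor": {"read", "write"}}
    apps = [Application("dp-sales", perms, mappings={"Sales.Admins": "editor"}),
            Application("dp-finance", perms, disabled_roles={"editor"})]
    subs = [Subject("alice", roles={"dp-finance": {"editor"}}, auth_roles={"Sales.Admins"}),
            Subject("bob", roles={"dp-sales": {"reader"}})]
    deleg = [Delegation("alice", "bob", "dp-sales", date(2024, 1, 1), date(2024, 1, 31))]
    return AuthorizationStore({a.client_id: a for a in apps}, {s.name: s for s in subs}, deleg)
```

In the sample, alice gets the `editor` role in `dp-sales` only through the mapping from her authentication-system role, loses it in `dp-finance` because that application has the role disabled, and bob inherits her `dp-sales` access only while the delegation window is open.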
Authorization API Keys View
The Authorization API Keys view allows you to create API keys and configure their expiration. This view lists the API keys created in the system with their expiration status and allows you to delete them as needed.
Known issues
- When creating new roles for a Data Product, the role does not appear as created after refreshing the page.