Version: 1.11.x

Authentication and Authorization

The default way to authenticate a user within the Dossier Organizer application is by using an OAuth 2 provider. OAuth is an open standard, and there are numerous public providers such as Microsoft, Apple, Google, Amazon and many more. Alternatively, you can also use closed and self-hosted solutions like Keycloak.

Setup

The first step is to connect Dossier Organizer to the OAuth provider. For this process we need a few pieces of information from the third-party system:

  • A client ID and/or client ID URI. To get this ID you need to register a new client with your OAuth provider. Depending on the provider, this ID can either be chosen freely or is generated during the setup process. The setup varies between OAuth providers but always results in an ID associated with the newly created client. The client ID URI is only used when Azure is the authentication provider.
  • An OAuth issuer is a named external system that provides identity and API access by issuing OAuth access tokens. The issuer is referred to by its URL.
  • A scope is a set of named "permission grants" that the user must hold in order to gain access. Scopes are typically managed by the organization and are used to authenticate user groups on specific clients.
  • A 'redirectUrl' is the URL to which the OAuth provider redirects the user after successful authentication. Note that the redirect URL must be registered with the OAuth provider and must match it exactly to prevent attacks.

After the setup process on the provider side, these details have to be included in the deployment of Dossier Organizer using the Helm values. Because this information is sensitive, the values are provided as secrets and can be encrypted. For an exact description of how to use the Helm configuration, please refer to our Kubernetes deployment.

Access Control

As a baseline, Dossier Organizer requires valid authentication before providing any service to a requesting user. Unauthenticated users have no access via the UI or any API endpoint. When using the provided UI, the user is prompted to log in if no authentication is present yet.

For finer-grained rights management, the fusion framework allows configuring so-called Authorization Policy files. These Authorization Policies allow restrictions based on:

  • user roles
  • permissions on resources
  • permissions on actions

Authorization Policy Configuration

Authorization is implemented by defining an AccessRules configuration file which restricts or allows access to specific functionality and resources of the product integration. These rules can be provided by adding them as additional files to the deployment. For further information refer to the customization section.

By default, a simple access policy is provided that allows any authenticated user to access everything, as long as no other access policy is provided. This default policy is very basic, and its definition can serve as an example:

{
  "_version": "1970-01-01",
  "validFrom": "1970-01-01T00:00:00.000+0000",
  "description": "Allow everything",
  "rules": [
    {
      "name": "Allow everything with claim resource_access.neverpile-fusion.roles contains 'reader'",
      "effect": "ALLOW",
      "resources": [ "*" ],
      "actions": [ "*" ],
      "subjects": [ "claim:resource_access['neverpile-fusion'].roles.contains('reader')" ]
    }
  ],
  "default_effect": "DENY"
}
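To make the effect of such a policy tangible, the following is an added example (not code from the fusion framework) that evaluates the default policy above against a caller's token claims. It assumes first-matching-rule-wins, glob wildcards for resources and actions, and the single subject expression form shown on the page; fail closed on anything it cannot parse.

```python
import fnmatch
import json
import re
from datetime import datetime, timezone

# The default policy from the page, embedded verbatim for the demonstration.
POLICY = json.loads("""{
  "_version": "1970-01-01",
  "validFrom": "1970-01-01T00:00:00.000+0000",
  "description": "Allow everything",
  "rules": [{
    "name": "Allow everything with claim resource_access.neverpile-fusion.roles contains 'reader'",
    "effect": "ALLOW",
    "resources": [ "*" ],
    "actions": [ "*" ],
    "subjects": [ "claim:resource_access['neverpile-fusion'].roles.contains('reader')" ]
  }],
  "default_effect": "DENY"
}""")

# Grammar assumed for subjects: claim:<claim>['<key>'].<field>.contains('<value>')
CLAIM_RE = re.compile(r"^claim:(\w+)\['([^']+)'\]\.(\w+)\.contains\('([^']+)'\)$")


def subject_matches(subject, claims):
    """Return True only if the token claims satisfy the subject expression.
    Unparseable expressions never match, so a typo cannot widen access."""
    m = CLAIM_RE.match(subject)
    if not m:
        return False
    claim, key, field, value = m.groups()
    values = claims.get(claim, {}).get(key, {}).get(field, [])
    return value in values


def evaluate(policy, claims, resource, action, now=None):
    """Return "ALLOW" or "DENY" for one request (assumed first-match semantics)."""
    now = now or datetime.now(timezone.utc)
    valid_from = datetime.strptime(policy["validFrom"], "%Y-%m-%dT%H:%M:%S.%f%z")
    if now < valid_from:            # policy not yet in force: fall back to default
        return policy["default_effect"]
    for rule in policy["rules"]:
        if (any(fnmatch.fnmatchcase(resource, r) for r in rule["resources"])
                and any(fnmatch.fnmatchcase(action, a) for a in rule["actions"])
                and any(subject_matches(s, claims) for s in rule["subjects"])):
            return rule["effect"]
    return policy["default_effect"]
```

The constructed claims below mirror the nested `resource_access` structure the subject expression walks; a token without the 'reader' role falls through to the policy's default_effect.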

If you want to implement a specific ruleset for your integration, feel free to contact our team at levigo, and we will help to create a matching configuration.

For more information about how to use access policies, please refer to the Access Policies section.