Security settings¶
Initialization¶
When configuring security for the first time, do the following:
- Synchronize the rights so that the rights set via the acl utility appear in the admin area. Press the "Synchronization of access rights" button on the /ionadmin/security/sync page to synchronize the rights. Upon completion you'll see the message "Access synchronization successfully conducted!".
- Import the resources. If the /ionadmin/security/resource page shows no objects or very few of them, you need to import the resources. Press the "Import resources" button on the /ionadmin/security/sync page. Upon completion you'll see the message "Import successfully completed!".
Role management¶
You can create, edit or delete roles on the /ionadmin/security/role page:
- Create role. Press the “Create” button on the /ionadmin/security/role page to create a role. You will be redirected to a new page, where you need to specify the role ID. Click the “Save” button to confirm the creation of the specified role.
- Edit role. Choose the desired role and press the “Edit” button on the /ionadmin/security/role page to edit the role. You will be redirected to a new page, where the following fields are displayed on the form:
  - ``Identifier`` is the unique name of the role. When changing the identifier, the rights of users who were tied to this role under the previous identifier may be lost. In this case it's necessary to reconnect the role to each user.
  - ``Name`` is the role's name; it may contain expressions in Russian.
  - ``Access rights`` are tabs for rights distribution:
    - Common - for distribution of a role's access to all the resources (* - all resources)
    - Navigation - for distribution of a role's access to the menu of the registry module. First, the system name of the project is displayed, with a plus sign that expands the internal and imported resources. At this point only the rights to read the menu are distributed.
    - Classes - for distribution of a role's access to metadata classes. First, the system name of the project is displayed, with a plus sign that expands the internal and imported resources. You can set separate rights for these resources.
- Delete role. To delete a role, select the required role on the /ionadmin/security/role page and click the “Delete” button. Confirm the deletion of the role.
Resource access¶
When managing roles in access rights, the following access is provided to each resource:
| Access | Description |
|---|---|
| Full access | Includes all access types. You cannot select full access together with additional access to read, edit, delete or use. For navigation, only the read access is granted. |
| Read | The ability to read resource objects |
| Write | The ability to edit resource objects; not used for navigation |
| Delete | The ability to delete resource objects; not used for navigation |
| Usage | The ability to create resource objects; not used for navigation |
Access can be assigned to the entire resource group or separately to each resource and access in it.
User management¶
On the /ionadmin/security/user page you can create, edit or delete users:
- Create user. Press the “Create” button on the /ionadmin/security/user page to create a user. You will be redirected to a new page, where you need to specify the username, the password and a description in the name field. Click the “Save” button to confirm the creation of the specified user.
- Edit user. Select the required user on the /ionadmin/security/user page and press the “Edit” button to edit the user. You will be redirected to a new page, where the following fields are displayed on the form:
  - ``Type`` - type of user account; only local users are available in the admin panel.
  - ``Login`` - user ID.
  - ``Password`` - user password.
  - ``Name`` - user's name, which may contain expressions in Russian, for example the full name.
  - ``Roles`` - a list of user roles. If a role is ticked, the role is tied to the user.
- Delete user. Choose the user on the /ionadmin/security/user page and press the “Delete” button to delete the user. Confirm the deletion of the user.
User authentication settings. Password requirements.¶
The password requirements are set in the ini-file of the application, after which the variables must be declared in the application configuration file *deploy.json*.
In the file setup.ini:
```ini
auth.passwordLifeTime=90d # Maximum password validity period
auth.passwordMinPeriod=75d # Minimum password validity period
auth.passwordMinLength=8 # Minimum password length
auth.passwordJournalSize=5 # Number of unique new passwords a user must set before an old password may be reused
auth.tempBlockInterval=30m # Time until the lockout counter is reset
auth.attemptLimit=6 # Number of failed login attempts that leads to the user account being locked
auth.tempBlockPeriod=30m # Duration of the account lockout
auth.sessionLifeTime=4h # Lifetime of an authenticated session with no activity
```
The duration is set in the format: [duration][unit]
| Unit | Value |
|---|---|
| y | Year |
| d | Day |
| h | Hour |
| m | Minute |
| s | Second |
In the file deploy.json:
NB: The setting "parametrised": true must be present at the "global" level.
```json
{
  "parametrised": true,
  "globals": {
    "plugins": {
      "auth": {
        "module": "lib/auth",
        "initMethod": "init",
        "initLevel": 2,
        "options": {
          "app": "ion://application",
          "logger": "ion://sysLog",
          "dataSource": "ion://Db",
          "acl": "ion://aclProvider",
          "passwordLifetime": "[[auth.passwordLifeTime]]", // maximum password validity period
          "passwordMinPeriod": "[[auth.passwordMinPeriod]]", // minimum password validity period
          "passwordMinLength": "[[auth.passwordMinLength]]", // minimum password length
          "passwordComplexity": { // password complexity requirements
            "upperLower": true, // letters of both cases are required
            "number": true, // digits are required
            "special": true // special characters are required
          },
          "passwordJournalSize": "[[auth.passwordJournalSize]]", // password history size
          "tempBlockInterval": "[[auth.tempBlockInterval]]", // lockout counter reset interval
          "attemptLimit": "[[auth.attemptLimit]]", // lockout threshold
          "tempBlockPeriod": "[[auth.tempBlockPeriod]]" // lockout duration
        }
      }
    }
  }
}
```
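The following is an added illustration, not code from the IONDV framework's lib/auth: it parses the [duration][unit] format used for the auth.* values in setup.ini, checks a candidate password against passwordMinLength and the passwordComplexity flags from deploy.json, and models the lockout behaviour that the attemptLimit, tempBlockInterval and tempBlockPeriod descriptions above imply. The exact reset and blocking semantics are an assumption drawn from those descriptions; the framework's own implementation may differ in detail.

```javascript
// Added example, not IONDV's own lib/auth: parses the [duration][unit]
// format from setup.ini and models the password and lockout rules above.
const UNIT_MS = { y: 365 * 86400e3, d: 86400e3, h: 3600e3, m: 60e3, s: 1e3 };
// "30m" -> 1800000 ms; rejects anything that is not [digits][y|d|h|m|s]
function parseDuration(str) {
  const m = /^(\d+)([ydhms])$/.exec(String(str).trim());
  if (!m) throw new Error('invalid duration: ' + str);
  return Number(m[1]) * UNIT_MS[m[2]];
}
// Returns the names of the rules a candidate password fails
// (passwordMinLength plus the upperLower/number/special flags).
function passwordViolations(pw, cfg) {
  const c = cfg.passwordComplexity || {};
  const v = [];
  if (pw.length < Number(cfg.passwordMinLength)) v.push('minLength');
  if (c.upperLower && !(/\p{Ll}/u.test(pw) && /\p{Lu}/u.test(pw))) v.push('upperLower');
  if (c.number && !/\d/.test(pw)) v.push('number');
  if (c.special && !/[^\p{L}\p{N}]/u.test(pw)) v.push('special');
  return v;
}
// Per-login lockout counter (semantics assumed from the setting descriptions):
// failures count while they arrive within tempBlockInterval of each other;
// reaching attemptLimit blocks the login for tempBlockPeriod, then the counter restarts.
class LockoutTracker {
  constructor(cfg) {
    this.limit = Number(cfg.attemptLimit);
    this.interval = parseDuration(cfg.tempBlockInterval);
    this.period = parseDuration(cfg.tempBlockPeriod);
    this.state = new Map(); // login -> { count, last, blockedUntil }
  }
  isBlocked(login, now) {
    const s = this.state.get(login);
    return !!s && s.blockedUntil > now;
  }
  // Records a failed attempt at time `now` (ms); returns true if the login is blocked.
  recordFailure(login, now) {
    const s = this.state.get(login) || { count: 0, last: 0, blockedUntil: 0 };
    if (s.blockedUntil > now) return true;          // attempts while blocked do not count
    if (now - s.last >= this.interval) s.count = 0; // quiet for tempBlockInterval: reset
    s.count += 1;
    s.last = now;
    if (s.count >= this.limit) {                    // threshold reached: block and restart
      s.blockedUntil = now + this.period;
      s.count = 0;
    }
    this.state.set(login, s);
    return s.blockedUntil > now;
  }
  recordSuccess(login) { this.state.delete(login); } // a successful login clears the counter
}
```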