Authorization
Note that this does not cover details on how authorization works. In order to get a full understanding of the concepts involved, please refer to the user documentation: WebTSM Services Authorization
Introduction
All successfully authenticated clients may access the service as well as read and write data from any configured repository by default. Deleting data is not allowed by default.
Changing the default permissions is possible by setting up custom authorization rules.
Configuring Authorization Rules
In order to add a new authorization rule, the user must already be the owner of some rule; in order to change or delete an existing rule, the user must be the owner of that particular rule.
When setting up authorization rules this behaviour may not always be practical. To circumvent this restriction the following HAKOM.Config setting may be used:
<HAKOMConfiguration>
  <products>
    <WebTSMServices>
      <Authorization>
        <DisableOwnerCheck>true</DisableOwnerCheck> <!-- Default: false -->
      </Authorization>
    </WebTSMServices>
  </products>
</HAKOMConfiguration>
With this setting configured as "true", the WebTSM Services will not check for ownership of rules when a user tries to add, change or delete authorization rules, allowing unrestricted modification of authorization rules. Since this configuration effectively gives admin rights to all users, caution is advised when enabling the setting. By default the setting is configured as "false".
Disabling the owner check provides the following benefits:
Easy initial setup of authorization rules
Authorization rules with owner "Unknown" can be changed via the WebTSM Services; no specific database scripts are necessary
Fail-safe in case of accidentally locking out the owner of a rule
Easy cleanup of any rules, including rules with invalid ownership claims
Note that starting with version 3.10.5.2, this setting is being moved to:
<HAKOMConfiguration>
  <products>
    <HAKOMFramework>
      <settings>
        <Authorization>
          <DisableOwnerCheck>true|false</DisableOwnerCheck>
        </Authorization>
      </settings>
    </HAKOMFramework>
  </products>
</HAKOMConfiguration>
While the setting is still supported at the previous location, this support will be removed in an upcoming release and service operators should adjust their configuration files as soon as possible.
Discarding Claim Types
Claim values with more than 255 characters lead to exceptions in the database. The <DiscardedClaimTypes> configuration entry allows specifying a list of claim types, delimited by semicolons (;), which will be discarded, meaning that they won't be considered for the authorization. All other remaining claims will be truncated to 255 characters.
Please note that this setting is only supported under the new location.
<HAKOMConfiguration>
  <products>
    <HAKOMFramework>
      <settings>
        <Authorization>
          <DiscardedClaimTypes Extend="true|false">iss;preferred_username</DiscardedClaimTypes>
        </Authorization>
      </settings>
    </HAKOMFramework>
  </products>
</HAKOMConfiguration>
If no claim types are specified inside the <DiscardedClaimTypes> tag, a default list of claim types will be discarded. The default list includes the following claim types:
iat
nbf
exp
aio
rh
uti
ver
xms_cc
In order to extend the default list with more claim types, the attribute Extend can be set to true. By default this attribute is set to false, which means the configured list overwrites the default list.
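The following Python script is an added illustration (not HAKOM's own code) of the two settings described above: it reads a HAKOM.Config fragment, flags DisableOwnerCheck when it is true or still sits at the legacy location, resolves the effective DiscardedClaimTypes list with the Extend semantics, and applies that list to a constructed claim set. The sample configuration is constructed, and treating an absent <DiscardedClaimTypes> tag like an empty one is an assumption.

```python
import xml.etree.ElementTree as ET

# Default discarded claim types, as listed in this documentation.
DEFAULT_DISCARDED = ["iat", "nbf", "exp", "aio", "rh", "uti", "ver", "xms_cc"]
# Element paths relative to <HAKOMConfiguration>, taken from the snippets above.
LEGACY_OWNER_CHECK = "products/WebTSMServices/Authorization/DisableOwnerCheck"
NEW_OWNER_CHECK = "products/HAKOMFramework/settings/Authorization/DisableOwnerCheck"
DISCARDED_TYPES = "products/HAKOMFramework/settings/Authorization/DiscardedClaimTypes"

# Constructed sample HAKOM.Config for illustration only.
SAMPLE_CONFIG = """<HAKOMConfiguration><products>
  <WebTSMServices><Authorization>
    <DisableOwnerCheck>true</DisableOwnerCheck>
  </Authorization></WebTSMServices>
  <HAKOMFramework><settings><Authorization>
    <DiscardedClaimTypes Extend="true">iss;preferred_username</DiscardedClaimTypes>
  </Authorization></settings></HAKOMFramework>
</products></HAKOMConfiguration>"""


def audit_owner_check(config_xml):
    """Report whether DisableOwnerCheck is true and whether it still uses the legacy path."""
    root = ET.fromstring(config_xml)
    findings = []
    for path, label in ((LEGACY_OWNER_CHECK, "legacy"), (NEW_OWNER_CHECK, "new")):
        node = root.find(path)
        if node is None:
            continue  # absent means the documented default, false
        if (node.text or "").strip().lower() == "true":
            findings.append(f"DisableOwnerCheck=true ({label} location): all users may edit rules")
        if label == "legacy":
            findings.append("DisableOwnerCheck at legacy path; move it under HAKOMFramework/settings")
    return findings


def effective_discarded_types(config_xml):
    """Resolve the discarded claim-type list, honouring the Extend attribute."""
    node = ET.fromstring(config_xml).find(DISCARDED_TYPES)
    raw = node.text if node is not None and node.text else ""
    configured = [c.strip() for c in raw.split(";") if c.strip()]
    if not configured:  # empty (or, assumed here, absent) tag: the default list applies
        return list(DEFAULT_DISCARDED)
    if (node.get("Extend") or "false").strip().lower() == "true":
        return DEFAULT_DISCARDED + [c for c in configured if c not in DEFAULT_DISCARDED]
    return configured  # Extend=false (the default) overwrites the default list


def filter_claims(claims, discarded):
    """Model the documented behaviour: drop discarded types, truncate the rest to 255 chars."""
    return {name: value[:255] for name, value in claims.items() if name not in discarded}
```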
Authorization Rule Caching
Authorization rules (e.g. whether a user may delete time series) are retrieved from the database. In order to improve performance, these rules may be cached locally. The following settings are available for configuring the cache:
<HAKOMConfiguration>
  <products>
    <WebTSMServices>
      <Caching>
        <Expiration>00:01:00</Expiration> <!-- Default: 01:00:00 (one hour) -->
        <Enabled>true</Enabled> <!-- Default: true -->
      </Caching>
    </WebTSMServices>
  </products>
</HAKOMConfiguration>