mydigitalstructure

Controlling access to an organisation's data is based on two key concepts: authentication (Who is it?) and authorisation (What can be seen and done?).

Authorisation is based on a combination of functional and relational access policies/controls.

In a space that holds the data for a single organisation, most of the access controls are functional.

In a space that holds the data for many organisations, e.g. a collaboration space representing a network of organisations and their relationships to each other, more of the access controls are relational, supported by functional access controls.

Functional
  • Access to data is based on the ability to invoke functions on the data objects and field restrictions.
  • Access is set up by the space administrator based on user roles (static).
  • Design/administrator driven.

Relational
  • Access to data is based on relational data* within the space.
  • Access policy changes as data changes (reflective).
  • User driven (via the creation of relationships) based on functional access and existing relational access.

* Relationships between contacts & users (represented by their linked contact record).
Item Description
Relational access control (paths)
Based on links (relationships) between users and contacts (organisations & individuals)
Paths
Relational access control (sharing example)
Based on links (relationships) between users and contacts
Quick Start Security Relationship Manager
Relational access control type
  • none: No relational restrictions; can see all data as per functional access.
  • standard: Can only see data linked to contacts that the user has a relationship with, and details of contacts that are linked to users within the space.
  • tight: Can only see data linked to contacts that the user has a relationship with.
Functions
mydigitalstructure._util.security.share.link:
  • add: shareWithGUID:, shareWithGUIDType: ['user', 'contact_person'], onComplete:, sharedByContact: , sharedByType: ['person', 'business']
  • remove: shareGUID:
  • find: shareType: ['shared_by_me', 'shared_by_my_business', 'shared_with_me']
Also available as controller: util-security-share-link.
Requires version mydigitalstructure 3.3.7 or later and mydigitalstructure.util version 3.8.4 or later.
Sharing Controllers
Name Description
util-security-share-add
  • shareWithUser:
  • sharedByContact:
  • sharedByType: 'contact_person', 'user'
util-security-share-find
  • shareType: 'shared_by_me', 'shared_with_me', 'shared_by_my_business'
util-security-share-setup
  • shareUserRoleTitle:
  • shareType: ['sharedBy']
Create the user roles required to enable sharing.
Bob the sharer example
Bob (user) needs to be able to share his information with Jane (user).
Bob Jane
Type Shared By Shared With
Contact GUID 431dbdd4-50e5-44f2-bd81-8d9519f7bf0a 21e8456f-a44c-4746-9d32-3cff439198a8
Action Code
Log on as Bob and share with Jane
mydigitalstructure._util.security.share.link.add({
 shareWithGUID: '21e8456f-a44c-4746-9d32-3cff439198a8',
 shareWithGUIDType: 'contact_person',
 sharedByType: 'person'
});
Bob sees his shares
mydigitalstructure._util.security.share.link.find(
{
 shareType: 'shared_by_me'
});
Bob removes a share
mydigitalstructure._util.security.share.link.remove(
{
 shareGUID: '[GUID from .find()]'
});
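The relational access control types (none, standard, tight) applied to the Bob and Jane share, as an added example that is not mydigitalstructure code and does not call its API. The space layout, the ids, and the functions relatedContacts and visible are hypothetical; it assumes a share grants access in one direction only and that users always have a relationship with their own contact.

```javascript
// Constructed sample space (hypothetical ids, not platform data).
const space = {
  users: { bob: 'c-bob', jane: 'c-jane', sam: 'c-sam' },  // user -> linked contact
  contacts: ['c-bob', 'c-jane', 'c-sam', 'c-supplier'],   // c-supplier has no user
  shares: [{ sharedBy: 'c-bob', sharedWith: 'c-jane' }],  // Bob has shared with Jane
  records: [
    { id: 'r1', contact: 'c-bob' },
    { id: 'r2', contact: 'c-jane' },
    { id: 'r3', contact: 'c-supplier' }
  ]
};

// Assumption: a user is related to its own contact and to every contact
// that has shared with it; a share grants access in one direction only.
function relatedContacts(space, user) {
  const own = space.users[user];
  const related = new Set([own]);
  for (const share of space.shares) {
    if (share.sharedWith === own) related.add(share.sharedBy);
  }
  return related;
}

// Returns the record ids and contact details `user` can see under `type`.
function visible(space, user, type) {
  if (!Object.prototype.hasOwnProperty.call(space.users, user)) {
    throw new Error('unknown user: ' + user);
  }
  if (type === 'none') {  // no relational restriction: functional access decides
    return { records: space.records.map(r => r.id), contactDetails: [...space.contacts] };
  }
  const related = relatedContacts(space, user);
  const records = space.records.filter(r => related.has(r.contact)).map(r => r.id);
  if (type === 'tight') return { records, contactDetails: [...related] };
  if (type === 'standard') {  // also details of any contact linked to a user
    const userContacts = new Set(Object.values(space.users));
    const contactDetails = space.contacts.filter(c => related.has(c) || userContacts.has(c));
    return { records, contactDetails };
  }
  throw new Error('unknown relational access control type: ' + type);  // fail closed
}
```

Removing the entry from shares and calling visible again drops r1 from Jane's records, which is the reflective behaviour: the policy follows the relationship data rather than a static role assignment.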
Method based data access control
Controlling the share methods
  • When setting field based restrictions use [[user]], [[contactperson]] or [[contactbusiness]] to set allowedvalues and disallowed values dynamically. Field must be of data type Numeric.
Security object
userDataPolicy =
{
 access:
 {
  all: true,
  onlyOwn: true
 },
 share:
 {
  canRequestShare: true,
  canSetupShare: true
 }
}
User Role based Access Controllers
Name Description
util-security-access-check
  • roles: [{title:, id:}]
Returns true/false based on whether the authenticated user has roles:. If title is not set then checks based on id:
util-security-access-view-show
  • roles: [{title:, id:}]
  • selector: element(s) selector
Shows the elements if authenticated user has roles:. If title is not set then checks based on id:
util-security-access-view-hide
  • roles: [{title:, id:}]
  • selector: element(s) selector
Hides the elements if authenticated user has roles:. If title is not set then checks based on id:
Initialising the view queue
You can set the user roles during initialisation. Content will only be added or rendered if the user has one of the user roles.
app.vq.init({queue: 'myqueue', roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }]})
Adding to the view queue
You can set the user roles when adding to the view queue. Content will only be added if the user has one of the user roles.
app.vq.add('<div>Hello</div>', {queue: 'myqueue', roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }]})
Showing/rendering the view queue
You can set the user roles when rendering the view queue. Content will only be rendered if the user has one of the user roles.
app.vq.init({queue: 'myqueue', roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }]})
Showing the whole table
Table will only be shown if the user has one of the user roles.
app.invoke('util-view-table', { ..., roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }] })
Showing columns
Table column will only be added if the user has one of the user roles.
app.invoke('util-view-table', { .., columns: [{... roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }] }] })