From 4ddb4731d77d229a696e32f71dc5a7e443938cc1 Mon Sep 17 00:00:00 2001 From: Maximilian Wesener Date: Tue, 26 Sep 2023 10:00:45 +0200 Subject: [PATCH] chore: TRACEFOSS-XXX Updated roles / rights table --- CHANGELOG.md | 1 + .../arc42/cross-cutting/safety-security.adoc | 61 +++++++++++++++++++ 2 files changed, 62 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c408f421a6..2c29b99b3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - Toggle for parts and other parts to switch views asPlanned/asBuilt - LocalStorage to be used for saving view setting - archunit tests as preparation for good quality architecture checks +- safety and security doc including roles matrix ### Changed - added sorting for /api/investigations received and created endpoints diff --git a/docs/src/docs/arc42/cross-cutting/safety-security.adoc b/docs/src/docs/arc42/cross-cutting/safety-security.adoc index fef055caa8..bb269b4354 100644 --- a/docs/src/docs/arc42/cross-cutting/safety-security.adoc +++ b/docs/src/docs/arc42/cross-cutting/safety-security.adoc 
@@ -1 +1,62 @@ = Safety and security concepts + +== Authentication / Authorization + +=== Trace-X API + +The Trace-X is secured using OAuth2.0 / Open ID Connect. +Every request to the Trace-X API requires a valid bearer token. +JWT token should also contain two claims: + +- 'bpn' which is equal to the configuration value from `API_ALLOWED_BPN` property +- 'resource_access' with the specific key for C-X environments. +The list of values will be converted to roles by Trace-X. +Currently, Trace-X API handles three roles: **'User'** and **'Supervisor'** and **'Admin'.** + +The behavior is shown in the table below. + +==== Rights and Roles Matrix of Trace-X + +|=== +| Category | Action | User | Supervisor | Admin +| View | View Dashboard | x | x | x +| | View Parts | x | x | x +| | View Other parts | x | x | x +| | View Quality investigations | x | x | x +| | View Quality alerts | x | x | x +| | View Administration | | | x + +| Investigation | Create | x | x | +| | Send | | x | +| | Read | x | x | x +| | Update | x | x | +| | Delete All | | x | +| | Delete Own | (x) | x | + +| Alert | Create | x | x | +| | Send | | x | +| | Read | x | x | x +| | Update | x | x | +| | Delete All | | x | +| | Delete Own | (x) | x | + +| Administration Panel | Access "BPN EDC config panel" | | | x +| | Access "Registry lookup Panel" | | | x + +|=== + +Legend: x = full access to all resources, (x) = access to the resources he owns + +=== Trace-X as EDC client + +The Trace-X accesses the Catena-X network via the EDC consumer connector. +This component requires authentication via a Verifiable Credential (VC), which is provided to the EDC via the Managed Identity Wallet. + +The VC identifies and authenticates the EDC and is used to acquire access permissions for the data transferred via EDC. + +== Credentials + +Credentials must never be stored in Git! + + +
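Review bot: In the "Trace-X API" section, "JWT token should also contain two claims" leaves open whether the 'bpn' and 'resource_access' claims are mandatory. For an authorization document, say "must" and state how the API responds when 'bpn' does not equal `API_ALLOWED_BPN` or when no role can be derived from 'resource_access'. The "specific key for C-X environments" is never named, so a reader cannot tell which entry under 'resource_access' is evaluated, and the sentence "The list of values will be converted to roles by Trace-X." directly follows the second bullet without a blank line, so it will render as part of that list item. In the matrix, the header row is not followed by a blank line and the table carries no `[options="header"]`, so "Category | Action | User | Supervisor | Admin" will render as an ordinary row. Smaller points: "(x) = access to the resources he owns" would read better as "resources the user owns", the roles sentence chains "and ... and" and keeps the full stop inside the bold markup, the "Credentials" section says only where credentials must not go and would be more useful with a pointer to where they are supplied instead, and the hunk ends with three added blank lines.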