

Describes how messages requesting operations on a collection are checked against the permission model.

Authorisation

Authorising an operation ensures that the client requesting the operation is allowed to perform it. An operation can only be authorised once the message has been authenticated as described in Authentication.

Components participating in a Bit Repository where RequireOperationAuthorization in RepositorySettings has been set to true are required to authorise every operation before performing it.

To authorise an operation, a component must take the certificate used to sign the request and look up its permissions in RepositorySettings.

  • The operation can be authorised if the signing certificate has a suitable OperationPermission; see the Operation Permission model section for details.

Operation Permission model


  • The operation can be authorised if the signing certificate has:
    • An OperationPermission for the specific operation (Protocol messages) or the special "All" OperationPermission the operation
    • And the OperationPermission applies for the given Collection
    • And the requesting component's ID is present in the OperationPermission's ComponentIDs list (if no list is present, no restriction is applied to component IDs).
  • If no OperationPermission suitable for the requested operation can be found, the component should reject the operation.
    • If the request is not an IdentifyRequest, i.e. it is an OperationRequest, the component should also send an Alarm to notify of the unauthorised request.
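
The check described above, written out as an added example (not code from the Bit Repository project). The class and field names, the representation of a permission's collections as a set of IDs, the certificate identifiers, and the reading that a false RequireOperationAuthorization skips the check are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class OperationPermission:
    operation: str                       # operation name or the special "All"
    collections: FrozenSet[str]          # assumed form of "applies for the given Collection"
    component_ids: Optional[FrozenSet[str]] = None  # None: no ComponentIDs list, no restriction

@dataclass(frozen=True)
class Request:
    cert_id: str          # identifies the certificate that signed the authenticated message
    operation: str
    collection: str
    component_id: str     # ID of the requesting component
    is_identify: bool     # True for an IdentifyRequest, False for an OperationRequest

# Constructed sample settings, not taken from a real RepositorySettings file.
SAMPLE_PERMISSIONS = {
    "cert-A": [OperationPermission("GetFile", frozenset({"col1"}))],
    "cert-B": [OperationPermission("All", frozenset({"col1", "col2"}),
                                   frozenset({"client-7"}))],
}

def permits(perm, req):
    """All three conditions from the permission model must hold."""
    return (perm.operation in (req.operation, "All")
            and req.collection in perm.collections
            and (perm.component_ids is None
                 or req.component_id in perm.component_ids))

def authorise(req, permissions=SAMPLE_PERMISSIONS, require_authorization=True):
    """Return (authorised, send_alarm) for one request."""
    if not require_authorization:        # RequireOperationAuthorization is false
        return True, False
    # A certificate with no entry has no permissions, so the request is rejected.
    if any(permits(p, req) for p in permissions.get(req.cert_id, [])):
        return True, False
    return False, not req.is_identify    # Alarm only for an OperationRequest
```

A certificate without any matching entry falls through to rejection, so the check denies by default.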

