
Overview

An Access Control List (ACL) is a set of rules that determines which users/groups can access a specific resource.

In Witboost, the ACL flow is the process by which users request access to resources and owners grant or revoke it in a secure and efficient way. The flow is driven by communication between three actors: the requester, the resource owner, and the subjects (the users/groups for which access is requested). Communication between these actors is handled by the notification system, which sends messages informing them of the status of the ACL flow and of the actions taken in it.

Actors

  • Requester: The user who initiates the ACL flow by requesting access to a resource for themselves or for other users. The requester can be the same as the resource owner or a different user.
  • Resource owner: The user who owns the resource and has the authority to grant or deny access to it. The resource owner can be the same as the requester or a different user.
  • Subjects: The users/groups who are the beneficiaries of the access request. They can be the same as the requester or the resource owner, or different users.

How actors communicate

The communication between the actors of the ACL flow is handled by the notification system. It informs the actors of the following events:

  • Access request creation: the notification system sends a message to the resource owner when a requester creates an access request for a resource. The message contains the details of the request, such as the resource name, the requester name, the users for which access is requested and, optionally, the reason for the request. The resource owner can accept or reject the request in this phase.
  • Access request approval: the notification system sends a message to the requester and to the users for which access was requested when the resource owner approves the access request. The message contains the details of the approval, such as the resource name, the resource owner and the users who have been granted access.
  • Access request rejection: the notification system sends a message to the requester when the resource owner rejects the access request. The message contains the details of the rejection, such as the resource name, the resource owner and the users who have been denied access.
  • Revoke response: the notification system sends a message to the resource owner when a revoke requested by the owner becomes effective. The message contains the details of the effective revoke, such as the resource name, the resource owner and the users whose access has been revoked.

When the access or revoke becomes effective, the subjects of the request will see the result in the Resource panel of the Marketplace (a green check icon for granted access, a grey check icon for revoked access) and also in the Access Control section, which lists the names of the subjects that have access to that resource.
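The event list above can be read as a small state machine: each request moves from pending to approved or rejected, only the resource owner may decide or revoke, and each transition notifies a specific set of actors. The following Python model is an added illustration written for this page, not Witboost code; the class and event names (AclFlow, Notification, access_request_created and so on) are assumptions chosen for the example, and the "status" values stand in for the green/grey check icons described above.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass(frozen=True)
class Notification:
    event: str
    recipients: tuple   # actors informed of this event
    details: dict


def _unique(items):
    """Order-preserving de-duplication (the requester may also be a subject)."""
    return tuple(dict.fromkeys(items))


@dataclass
class AclFlow:
    """One resource, its owner, and the access requests made against it (illustrative model)."""
    resource: str
    owner: str
    requests: dict = field(default_factory=dict)
    granted: set = field(default_factory=set)   # subjects with effective access
    revoked: set = field(default_factory=set)   # subjects whose access was revoked
    notifications: list = field(default_factory=list)

    def _notify(self, event, recipients, **details):
        note = Notification(event, _unique(recipients),
                            {"resource": self.resource, "owner": self.owner, **details})
        self.notifications.append(note)
        return note

    def create_request(self, requester, subjects, reason=None):
        """Access request creation: only the resource owner is informed."""
        req_id = len(self.requests) + 1
        self.requests[req_id] = {"requester": requester,
                                 "subjects": _unique(subjects), "state": State.PENDING}
        self._notify("access_request_created", [self.owner],
                     requester=requester, subjects=_unique(subjects), reason=reason)
        return req_id

    def decide(self, req_id, actor, approve):
        """Approval/rejection: only the owner may decide, and only once per request."""
        req = self.requests[req_id]
        if actor != self.owner:
            raise PermissionError("only the resource owner can approve or reject")
        if req["state"] is not State.PENDING:
            raise ValueError("request already decided")
        if approve:
            req["state"] = State.APPROVED
            self.granted.update(req["subjects"])
            self.revoked.difference_update(req["subjects"])
            # approval is announced to the requester and to every subject
            return self._notify("access_request_approved",
                                [req["requester"], *req["subjects"]], subjects=req["subjects"])
        req["state"] = State.REJECTED
        # rejection is announced to the requester only
        return self._notify("access_request_rejected", [req["requester"]], subjects=req["subjects"])

    def revoke(self, actor, subjects):
        """Revoke requested by the owner; once effective, the owner receives the revoke response."""
        if actor != self.owner:
            raise PermissionError("only the resource owner can revoke access")
        subjects = _unique(s for s in subjects if s in self.granted)
        self.granted.difference_update(subjects)
        self.revoked.update(subjects)
        return self._notify("revoke_effective", [self.owner], subjects=subjects)

    def status(self, subject):
        """What the Resource panel shows: 'granted' (green check), 'revoked' (grey check) or None."""
        if subject in self.granted:
            return "granted"
        if subject in self.revoked:
            return "revoked"
        return None


if __name__ == "__main__":
    # Constructed sample flow: alice asks access for herself and bob, the owner approves, then revokes bob.
    flow = AclFlow("sales_dataset", "owner@example")
    rid = flow.create_request("alice", ["alice", "bob"], reason="monthly reporting")
    flow.decide(rid, "owner@example", approve=True)
    flow.revoke("owner@example", ["bob"])
    for note in flow.notifications:
        print(note.event, "->", note.recipients, note.details["subjects"])
```

The point worth checking in any implementation is that the authorization decision is tied to the owner identity, not to whoever happens to call the approve or revoke operation, and that the recipient set differs per event: creation goes to the owner only, approval to requester and subjects, rejection to the requester only, and the revoke response back to the owner.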

What happens on the specific technology side

Granting access in Witboost is not only a visual change; it takes effect on the underlying technology. Witboost is connected to specific technologies through an actions and hooks mechanism: it can either call an external ACL service directly (remote request hook) or call its internal components, which handle the ACL request with every registered technology.

Access Control Templates

To start leveraging Access Control on Witboost, an Access Control Request Template must be registered in the platform. The Access Control Request Template is a file that lets you configure the list of fields that compose an Access Request or a Revoke Request. Users will be asked to fill in those fields before sending the request.

All the fields that you define under the fields section of an Access Control Request Template can be forwarded to Technology Adapters and also to remote services invoked by the Remote Request Hook depending on how you choose to configure the Access Request Action.

For more details about Access Control Templates, see the dedicated section.

Selecting Multiple Resources for Access Requests

Currently, Access Requests allow you to select only one resource at a time. This is because you may want to use a picker in the Access Control Template that takes some values from the resource descriptor.

However, we understand there are scenarios where selecting multiple resources might be beneficial. To address this, we offer an optional feature that enables multiple selection of resources for Access Requests. When enabling multiple selection, you will lose the ability to use pickers that depend on the resource descriptor data. To enable the feature, set the following configuration in the Witboost core project:

mesh:
  marketplace:
    multipleAccessRequestSelection: true