.. _`Access Control Configuration`: ############################ Access Control Configuration ############################ *This section provides a detailed description of the OpenSplice access control policy configuration.* Each configuration parameter will be explained by means of an extensive description together with the tabular summary that contains the following information: **Full path** - Describes the location of the item within a complete configuration. Because the configuration is in XML format, an XPath expression is used to point out the name and location of the configuration item. **Format** - Describes the format of the value of the configuration item. **Dimension** - Describes the unit for the configuration item (for instance *seconds* or *bytes*). **Default value** - Describes the default value that is used by the service when the configuration item is not set in the configuration. **Valid values** - Describes the valid values for the configuration item. This can be a range or a set of values. If the configuration parameter is an XML *attribute*, the table also contains the following information: **Required** - Describes whether the attribute is required or if it is optional. If the configuration parameter is an XML *element*, the table also contains the following information: **Occurrences** - Describes the range of the possible number of occurrences of the element in the configuration by specifying the minimum and maximum number of occurrences. .. _`Access Control Policy Elements`: Access Control Policy Elements ****************************** When access control is enabled a file containing the access control policy configuration is referenced in the secure networking configuration. The access control policy configuration expects a root element named ``accessControlPolicy``. Elements defined in an access control policy are listed and explained in the following sections. Element secrecyLevels/secrecyLevel ================================== The access control policy contains a hierarchical list of secrecy levels which are grouped under the ``secrecyLevels`` element. Typical secrecy levels would be: ``UNCLASSIFIED``, ``RESTRICTED``, ``CONFIDENTIAL``, ``SECRET``, and ``TOP_SECRET``. |caution| Note that the order of defined secrecy levels is important: secrecy levels are listed from weakest to strongest. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/secrecyLevels/secrecyLevel | | | | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - * | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | Listed from the weakest to the strongest level. | | | | +-------------+--------------------------------------------------------+ Element integrityLevels/integrityLevel ====================================== The access control policy contains a list of integrity levels which are grouped under the ``integrityLevels`` element. |caution| The order of defined integrity levels is important. Integrity levels are listed from the weakest to the strongest. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/integrityLevels/integrityLevel | | | | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - * | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | Listed from the weakest to the strongest level. | | | | +-------------+--------------------------------------------------------+ Element users/user ================== The ``users`` section contains a set of users. A user has an *id*, a *clearance*, and a list of *authentication mechanisms*. Element id ---------- .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/users/user/id | | | | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - 1 | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | none | | | | +-------------+--------------------------------------------------------+ Element Clearance ----------------- A clearance consists of this user’s secrecy level, integrity level, and a set of compartments. Element secrecyLevel .................... Defines this user’s secrecy level. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/users/user/clearance/\ | | | secrecyLevel | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any, defined in accessControlPolicy/secrecyLevels | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - 1 | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | none | | | | +-------------+--------------------------------------------------------+ Element integrityLevel ...................... Defines this user’s integrity level. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/users/user/clearance/\ | | | integrityLevel | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any, defined in accessControlPolicy/integrityLevels | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - 1 | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | none | | | | +-------------+--------------------------------------------------------+ Element compartments/compartment ................................ The ``compartments`` section contains a set of compartments this user is entitled to access. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/users/user/clearance/\ | | | compartments/compartment | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - * | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | none | | | | +-------------+--------------------------------------------------------+ Element authentication ---------------------- This element contains a list of authentication mechanisms for this user. |info| Currently, OpenSplice supports SSL X.509 Certificate Authentication. Other authentication mechanisms (such as user ID/password authentication) may be available in a future release. Element x509Authentication .......................... Defines properties of x509 (SSL certificate) authentication. **Element subject** .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/users/user/authentication/\ | | | x509Authentication/subject | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - 1 | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | The distinguished name (DN) of the certificate the | | | user transmits to authenticate to the system (single | | | elements of the distinguished name have to be | | | separated by a comma). | | | | +-------------+--------------------------------------------------------+ |caution| Note that the user’s certificate DN must be unique: ensure that multiple users do not share the same client certificate DN. Element resources/resource ========================== The ``resources`` section contains a set of resources, in other words, the objects to be protected. A resource has a resource identification (made up of the resource’s type, id, and topic or partitions, respectively) and a classification (containing the resource’s secrecy and integrity level and a list of compartments). The classification is used for mandatory access control. Element type ------------ Defines the type of this resource. A resource can have the type ``PARTITION`` or ``TOPIC``. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/resources/resource/type | | | | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | "PARTITION" or "TOPIC" | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - 1 | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | none | +-------------+--------------------------------------------------------+ Element id ---------- Defines this resource’s id. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/resources/resource/id | | | | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any valid topic or partition name of a DDS domain | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - 1 | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | This is related to the type element value. | +-------------+--------------------------------------------------------+ Element topics/topic -------------------- The ``topics`` section contains a set of topics. This element is only valid if the type of the resource is ``TOPIC``. It lists all valid topics that may be part of this partition. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/resources/resource/topics/topic | | | | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any valid topic of a DDS domain | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - 1 | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | Exists only if element type = PARTITION | +-------------+--------------------------------------------------------+ Element partitions/partition ---------------------------- The ``partitions`` section contains a set of partitions. This element is only valid if the type of the resource is ``PARTITION``. It lists all valid partitions that may be part of this partition. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/resources/resource/\ | | | partitions/partition | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any valid partition of a DDS domain | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - * | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | Exists only if element type = TOPIC | +-------------+--------------------------------------------------------+ Element classification ---------------------- A classification consists of this resource’s secrecy level, integrity level, and a set of compartments. Element secrecyLevel .................... Defines this resource’s secrecy level. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/resources/resource/\ | | | classification/secrecyLevel | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any, defined in accessControlPolicy/secrecyLevels | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - 1 | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | none | +-------------+--------------------------------------------------------+ Element integrityLevel ...................... Defines this resource’ integrity level. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/resources/resource/\ | | | classification/integrityLevel | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any, defined in accessControlPolicy/integrityLevels | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - 1 | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | none | +-------------+--------------------------------------------------------+ Element compartments/compartment ................................ The ``compartments`` section contains a set of compartments this resource is intended for. .. tabularcolumns:: | p{3cm} | p{11.9cm} | +-------------+--------------------------------------------------------+ | Full Path | accessControlPolicy/resources/resource/\ | | | classification/compartments/compartment | +-------------+--------------------------------------------------------+ | Format | string | +-------------+--------------------------------------------------------+ | Dimension | none | +-------------+--------------------------------------------------------+ | Default | none | | Value | | +-------------+--------------------------------------------------------+ | Valid | any | | Values | | +-------------+--------------------------------------------------------+ | Occurrences | 0 - * | | (min-max) | | +-------------+--------------------------------------------------------+ | Remarks | none | +-------------+--------------------------------------------------------+ Access Control Example Configuration ************************************ The following XML shows an example access control policy. :: UNCLASSIFIED CONFIDENTIAL SECRET TOP_SECRET LEVEL_0 LEVEL_1 LEVEL_2 user1 CONFIDENTIAL LEVEL_2 US Only Air Force Radar DN user2 DN2 PARTITION chat ChatMessage NamedMessage CONFIDENTIAL LEVEL_1 US Only Air Force TOPIC pingpong PING PONG TOPIC topic1 .. EoF .. |caution| image:: ./images/icon-caution.* :height: 6mm .. |info| image:: ./images/icon-info.* :height: 6mm .. |windows| image:: ./images/icon-windows.* :height: 6mm .. |unix| image:: ./images/icon-unix.* :height: 6mm .. |linux| image:: ./images/icon-linux.* :height: 6mm .. |c| image:: ./images/icon-c.* :height: 6mm .. |cpp| image:: ./images/icon-cpp.* :height: 6mm .. |csharp| image:: ./images/icon-csharp.* :height: 6mm .. |java| image:: ./images/icon-java.* :height: 6mm