Add Security policies #153

Open
cedricfrancoys opened this issue Jun 29, 2024 · 0 comments
Labels: feature (New feature or request), security

Comments

cedricfrancoys (Collaborator) commented Jun 29, 2024

Security policies

For all Security Policies (all) that are applicable (is_active)
We check all compliance rules for active policies for the current request.
If we find a rule for which the current request is not compliant, the request is considered non-compliant with respect to that Policy.
There must be at least one Policy for which the current request is compliant (unless no Policy is defined or active) for it to be accepted (as soon as we find a Policy for which the request is compliant, we stop testing).
This mechanism applies to each request, even if a user is already authenticated.
Security policies are managed by the AccessController service.

settings > security

  • ability to specify one or more IPs for the company (organizations configured in the software)
  • ability to define access hours (by organization & department/subsidiary)

SecurityPolicy

  • name
  • is_active
  • policy_rules_ids

SecurityPolicyRule

For a given user (all if user_id = 0), the element pointed to by the policy rule type must match one of the values of the rule.

  • policy_rule_type (select: ip_address, location, user_group, user_login, time_range)
  • user_id
  • values_ids

Selection: Policy Rule Type

ip_address (IP-based Policy)

Condition: The user's IP address must be in a specific list.
Example: Allow access only to users whose IP address is in the range 192.168.1.0/24.

location (Location-based Policy)

Condition: The user's geographical location must correspond to a specific region.
Example: Allow access only to users located in the European Union.

user_group (User Group Policy)

Condition: The user must belong to a specific group.
Example: Allow access only to members of the "Administrators" group.

user_login (User Login Policy)

Condition: The username must match a specific value.
Example: Allow access only to the user with the login "john.doe".

time_range (Time-based Access Policy)

Condition: Access is only allowed at certain times of the day.
Example: Allow access only during office hours (9am-5pm).

SecurityPolicyRuleValue

Values can be a direct value or a pattern.

  • policy_rule_id
  • value

Notation: Policy Rule value

ip_address

  • 192.168.1.123
  • 192.168.1.0/24
  • 192.168.*.*

location

  • ISO-3166 (BE, FR, DE, US,...)
  • pseudo-regions: EU (European Union), CIS (Commonwealth of Independent States), NA (North America), LATAM (Latin America), APAC (Asia-Pacific)

user_group

  • users
  • finance.default.admins
  • finance.*

user_login

time_range

  • mon@09:00-mon@17:00
  • wed@09:00-fri@17:00
    (times are interpreted according to the timezone setting)
@cedricfrancoys cedricfrancoys added feature New feature or request security labels Jun 29, 2024
@cedricfrancoys cedricfrancoys changed the title eq - Security policies Add Security policies Jun 29, 2024
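The evaluation order described in the issue (every rule of a policy must match; one compliant active policy is enough; no active policy means accept) and the value notations it lists (CIDR and wildcard IPs, `finance.*` group patterns, `mon@09:00-fri@17:00` time ranges) as a stand-alone Python model. This is an added example, not code from eQual or its AccessController; the dict layout of policies and requests, the partial pseudo-region table and the `day@HH:MM` form of the request time (assumed already converted to the configured timezone) are assumptions made here for illustration.

```python
import fnmatch
import ipaddress

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
REGIONS = {"EU": {"BE", "FR", "DE", "NL", "IT", "ES"}, "NA": {"US", "CA", "MX"}}  # constructed, partial

def week_minutes(spec):  # "fri@17:00" -> minutes since Monday 00:00, the issue's time_range notation
    day, hm = spec.split("@")
    hours, minutes = map(int, hm.split(":"))
    return DAYS.index(day) * 1440 + hours * 60 + minutes

def ip_matches(value, ip):
    if "/" in value:  # CIDR value such as 192.168.1.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    return fnmatch.fnmatchcase(ip, value)  # exact IP, or wildcard form such as 192.168.*.*

def rule_matches(rule, req):  # does the request element named by policy_rule_type match one value?
    kind, values = rule["policy_rule_type"], rule["values"]
    if kind == "ip_address":
        return any(ip_matches(v, req["ip"]) for v in values)
    if kind == "location":  # ISO-3166 code or a pseudo-region expanded through REGIONS
        return any(req["country"] == v or req["country"] in REGIONS.get(v, ()) for v in values)
    if kind == "user_group":
        return any(fnmatch.fnmatchcase(g, v) for v in values for g in req["groups"])
    if kind == "user_login":
        return req["login"] in values
    if kind == "time_range":  # assumption: request time is 'day@HH:MM' in the configured timezone, end exclusive
        now = week_minutes(req["when"])
        return any(week_minutes(start) <= now < week_minutes(end)
                   for start, end in (v.split("-") for v in values))
    raise ValueError(f"unknown policy_rule_type {kind!r}")

def policy_compliant(policy, req):  # every rule targeting this user (user_id 0 = all users) must match
    return all(rule_matches(r, req) for r in policy["policy_rules"]
               if r["user_id"] in (0, req["user_id"]))

def request_accepted(policies, req):  # no active policy -> accept; otherwise one compliant policy suffices
    active = [p for p in policies if p["is_active"]]
    return not active or any(policy_compliant(p, req) for p in active)  # any() stops at the first hit

# Constructed sample: an office policy for everyone plus a policy for finance admins (login rule only for user 12)
POLICIES = [
    {"name": "office", "is_active": True, "policy_rules": [
        {"policy_rule_type": "ip_address", "user_id": 0, "values": ["192.168.1.0/24"]},
        {"policy_rule_type": "time_range", "user_id": 0, "values": ["mon@09:00-fri@17:00"]}]},
    {"name": "finance-admins", "is_active": True, "policy_rules": [
        {"policy_rule_type": "user_group", "user_id": 0, "values": ["finance.*"]},
        {"policy_rule_type": "user_login", "user_id": 12, "values": ["john.doe"]}]},
]
```

A request from 192.168.1.123 on Monday 10:00 passes through the office policy alone, while the same request on Saturday is refused unless the user also satisfies every rule of the finance-admins policy.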