Permissions Administration
This article describes how administrators can manage RWX permissions for ModelOp Center.
Introduction
ModelOp Center leverages the read/write/execute (RWX) access control model, a widely recognized framework for managing and enforcing access rights. This model simplifies administration by assigning RWX permissions to specific groups based on their responsibilities. Additionally, it allows for granular control, enabling administrators to extend access and execution rights of ModelOp Center entities beyond their initially onboarded groups.
RWX is designed for scalability, making it suitable for organizations of any size. As an organization grows and changes, administrators can easily add or modify group permissions, ensuring that access control remains efficient and adaptable to evolving business needs.
By assigning precise permissions, RWX restricts unauthorized access and prevents users from performing actions outside their assigned privileges. This adherence to the principle of least privilege ensures that users only access resources necessary for their tasks, thereby minimizing the risk of security breaches and internal threats.
Note that RWX permissions management is exclusively available to Administrators.
RWX Configuration
RWX is available only when enabled through the following configuration:
modelop:
  security:
    mode: rwx
On start-up, ModelOp Center can grant some or all RWX permissions depending on the specified configuration. With the following configuration:
modelop:
  security:
    group-access-rights:
      # these apply to any collections not listed below.
      # defaults to RWX when the property is not set
      default-permissions: read, write, execute
      collection-permissions:
        # list style
        stored-model:
          - read
          - write
        # csv style
        deployable-model: read, write
ModelOp Center will grant read, write, and execute permissions for all collections of entities except "Business Models and Monitors" (stored models) and "Snapshots" (deployable models), for which users will only get read and write permissions.
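The start-up grant rules described above, modelled in Python as an added example (not ModelOp Center's own code): it resolves the effective permissions per collection, accepts both the list and csv styles, and reports which collections fall back to the default. The collection name `example-collection`, the function names, and treating an empty `default-permissions` as unset are assumptions.

```python
# Added illustration of the rules on this page; not ModelOp Center code.
VALID = {"read", "write", "execute"}
FULL_RWX = frozenset(VALID)  # page: default-permissions defaults to RWX when not set

def group_access_rights(config):
    """Return the modelop.security.group-access-rights mapping, or {} if absent."""
    return config.get("modelop", {}).get("security", {}).get("group-access-rights") or {}

def normalize(value):
    """Accept list style (['read', 'write']) or csv style ('read, write')."""
    items = value.split(",") if isinstance(value, str) else list(value)
    perms = {str(item).strip().lower() for item in items if str(item).strip()}
    unknown = perms - VALID
    if unknown:
        raise ValueError(f"unknown permission value(s): {sorted(unknown)}")
    return frozenset(perms)

def effective_permissions(config, collections):
    """Return {collection: frozenset of permissions} granted at start-up."""
    rights = group_access_rights(config)
    raw = rights.get("default-permissions")
    default = FULL_RWX if raw is None else normalize(raw)  # assumption: empty == unset
    overrides = rights.get("collection-permissions") or {}
    return {name: normalize(overrides[name]) if name in overrides else default
            for name in collections}

def falls_back_to_default(config, collections):
    """Collections with no explicit entry: the ones to review for least privilege."""
    overrides = group_access_rights(config).get("collection-permissions") or {}
    return sorted(name for name in collections if name not in overrides)

# The configuration shown above, as the dict a YAML parser would produce.
PAGE_CONFIG = {"modelop": {"security": {"group-access-rights": {
    "default-permissions": "read, write, execute",
    "collection-permissions": {
        "stored-model": ["read", "write"],   # list style
        "deployable-model": "read, write",   # csv style
    },
}}}}
# "example-collection" is a hypothetical name standing in for any unlisted collection.
COLLECTIONS = ["stored-model", "deployable-model", "example-collection"]

if __name__ == "__main__":
    for name, perms in effective_permissions(PAGE_CONFIG, COLLECTIONS).items():
        print(f"{name}: {', '.join(sorted(perms))}")
    print("default applies to:", falls_back_to_default(PAGE_CONFIG, COLLECTIONS))
```

Running the same functions with `default-permissions` removed shows every unlisted collection receiving read, write, and execute, which is the case to check when reviewing a configuration against least privilege.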
Once ModelOp Center is up, it can be used to modify the existing RWX permissions or add new ones through the “User permissions” view.
RWX Permissions Example
In ModelOp Center, RWX permissions consist of:
Entity Owner - The group owning the entity and granting permissions to the given entity
Entity - The collection of entities to which the permission value(s) apply
Group - The group to which permissions are granted
Permission value(s) - The set of granted permissions (read, write, and/or execute).
As an example, consider the following RWX permission where the Entity Owner "astronomy" grants Group permissions "Read" to Group "biology" for Entity "Business Models and Monitors":