... | @@ -53,10 +53,12 @@ Server components usually log any action they are requested to perform. And sinc |
... | @@ -53,10 +53,12 @@ Server components usually log any action they are requested to perform. And sinc |
|
|
|
|
|
Once a caller's access group has been established, services determine whether that access group is allowed to perform the requested action. Some actions are subject to hard-coded access rules, such as [data structure](Data-structure) management being limited to the `Data Administrator` access group.
|
|
Once a caller's access group has been established, services determine whether that access group is allowed to perform the requested action. Some actions are subject to hard-coded access rules, such as [data structure](Data-structure) management being limited to the `Data Administrator` access group.
|
|
|
|
|
|
## Data access
|
|
# Data access
|
|
|
|
|
|
Data access rules are not hard-coded in PEP. Instead data access is subject to access rules that can be configured by a member of the `Access Administrator` access group. This restriction, in turn, is hard-coded into PEP: it is not possible to grant access rule configuration privileges to other access groups.
|
|
Data access rules are not hard-coded in PEP. Instead data access is subject to access rules that can be configured by a member of the `Access Administrator` access group. This restriction, in turn, is hard-coded into PEP: it is not possible to grant access rule configuration privileges to other access groups.
|
|
|
|
|
|
|
|
## Access rules
|
|
|
|
|
|
Data access management requires a `Data Administrator` to have [configured column and participant groups](Data-structure#grouping). An `Access Administrator` then configures access rules on the basis of these groups:
|
|
Data access management requires a `Data Administrator` to have [configured column and participant groups](Data-structure#grouping). An `Access Administrator` then configures access rules on the basis of these groups:
|
|
|
|
|
|
- Access groups can be granted access to specific (named) column groups.
|
|
- Access groups can be granted access to specific (named) column groups.
|
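Review bot: the `Data access` heading sits at two levels in this hunk (`## Data access` on one side, `# Data access` on the other), so the section is being promoted to a top-level `#` heading while `## Access rules` is added under it; unless the page's other sections are promoted in the same change, this leaves one section out of step with its siblings. Suggest either keeping `## Data access` and nesting `### Access rules` under it, or promoting the remaining `##` headings in this commit. Separately, the bullet `- Access groups can be granted access to specific (named) column groups.` should name the privilege kinds that a ticket request is later checked against (`read` and `write` on column groups), since plain "access" does not tell the reader which of those it covers.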
... | @@ -67,3 +69,15 @@ Data access management requires a `Data Administrator` to have [configured colum |
... | @@ -67,3 +69,15 @@ Data access management requires a `Data Administrator` to have [configured colum |
|
- @@@TODO: describe `access` access@@@
|
|
- @@@TODO: describe `access` access@@@
|
|
|
|
|
|
To be able to retrieve any data from PEP, users will need access to at least one column group *and* at least one participant group. When they are granted access to further column and/or participant groups, they'll be able to read and/or write any combination of cells matching the configured access rules. It is not possible to grant access to specific combinations of column and participant groups, e.g. "these columns for these participants, and those other columns for those other participants". If needed, such fine-grained access can be configured by assigning users to multiple access groups, and then granting appropriate privileges to those separate access groups. Users will need to [enroll](#enrollment) separately for each access group. Note that they'll receive [heterogeneous identifiers](Pseudonymization#identifiers-in-pep) for the different data sets, preventing them from being blended.
|
|
To be able to retrieve any data from PEP, users will need access to at least one column group *and* at least one participant group. When they are granted access to further column and/or participant groups, they'll be able to read and/or write any combination of cells matching the configured access rules. It is not possible to grant access to specific combinations of column and participant groups, e.g. "these columns for these participants, and those other columns for those other participants". If needed, such fine-grained access can be configured by assigning users to multiple access groups, and then granting appropriate privileges to those separate access groups. Users will need to [enroll](#enrollment) separately for each access group. Note that they'll receive [heterogeneous identifiers](Pseudonymization#identifiers-in-pep) for the different data sets, preventing them from being blended.
|
|
|
|
|
|
|
|
## Tickets
|
|
|
|
|
|
|
|
To access data stored in PEP, users must specify the row(s) and column(s) that they wish to access. As a matter of convenience, PEP also allows [row and column groups](Data-structure#grouping) to be specified. Users must also indicate whether they'll want `read` or `write` access, or both. A user then submits a request to PEP's Access Manager (AM) server, which checks the configured [access rules(#Access-rules):
|
|
|
|
|
|
|
|
- If `read` access is requested, the user's access group must have `read` privileges for the requested column(s).
|
|
|
|
- If `write` access is requested, the user's access group must have `write` privileges for the requested column(s).
|
|
|
|
- If participant groups have been specified, the user's access group must have `enumerate` privileges for the requested participant group(s).
|
|
|
|
|
|
|
|
If the user has the required privileges, AM authorizes the data access. Access Manager (AM) and Transcryptor (TS) services then perform complementary actions to issue a data access ticket. By requiring an interplay between AM and TS, even if one of these services' security is compromised, unauthorized data access will be prevented in many cases because the other service will (in most cases) refuse to cooperate with the compromised service. Also, since both services generate logging for any ticket being issued, all data access can be audited.
|
|
|
|
|
|
|
|
Successfully issued tickets are returned to the user, who can present it to PEP's Storage Facility to access any data covered by the ticket. A ticket can be used multiple times within its validity period of 24 hours. If users wish to access the same data after this time, they must have PEP issue a new ticket to them. |
|
|
|
\ No newline at end of file |
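Review bot: the ticket checks listed in this hunk cover only column privileges (`read`/`write`) and participant-group privileges (`enumerate`), yet the opening sentence says users specify "the row(s) and column(s)" they wish to access; the text should state which privilege AM checks when individual rows rather than participant groups are named in a request, otherwise the list reads as if row-level requests skip the participant check entirely. The `enumerate` privilege also appears here for the first time while the Access rules list above still carries `@@@TODO: describe `access` access@@@`; the two sections should use the same privilege names so a reader can map a ticket check back to a configurable rule. Smaller fixes: the link `[access rules(#Access-rules)` is missing its closing `]`, and the fragment should match the rendered heading id the way the page's other links do (`#enrollment`), i.e. `#access-rules`; "Successfully issued tickets are returned to the user, who can present it" mixes plural and singular; and "in many cases" together with "in most cases" hedges twice in one sentence of the AM and TS paragraph, so say concretely what a single compromised service can and cannot do on its own. Finally, the 24-hour validity paragraph should state whether an already-issued ticket remains usable when the underlying access rules or the user's access-group membership change before it expires, since that determines how quickly a revocation takes effect.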