Property Permission questions

Hi there,

I’m from the Insurance project, working in the T.N.U.G team and maintaining the Quote To Bind solution.
Context:

  • We split the BAP application without any models and configurations.
  • Our customers are BAs; they use a Docker setup with BAP images and mount those models and configurations to meet the requirements of external customers.

We are using Property permission with the following libraries:

# A12 versions
a12BaseVersion=27.1.0
a12UaaVersion=7.5.1
a12KernelVersion=28.5.1
a12FormEngineVersion=36.7.2
a12DataServicesVersion=36.3.7

and with a small setup:

@PreAuthorize("hasUAAPropertyPermission(#event.persistedDocument, #event.updatedDocument)")
@DataServicesEventListener
public void beforeUpdateEvent(final DocumentBeforeUpdateEvent event) {}

I would like to discuss the feature with the following topics below:

  • All property permissions will be checked, and all policy-refs will be checked as well. But the problem is that if all policies are checked in property permissions, then we have to consider the target and rules in those policies.
    ++ If we add more conditions to the policy target → when the target is not satisfied, the policy returns true → the property permission is then applied to the resource.
    ++ If we avoid using the target, then when the rules are not passed => the logs keep spamming us, e.g.
2024-11-22 09:18:13,358 [ttp-nio-7766-exec-10][INFO ][on.property.internal.AbstractDataMasking][u:mgmadmin][processId:] - Resource class[com.mgmtp.a12.kernel.md.document.internal.service.impl.DocumentImpl]: Masking resource data...
2024-11-22 09:18:13,373 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Contract on offer-created status, Is Contract Document] in Permission {Property rights per: User can only update partially field on offer-created status} have failed in context[465086223]
2024-11-22 09:18:13,374 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Contract on policy-created status, Is Contract Document] in Permission {Property rights per: User can not update offer on policy-created status} have failed in context[465086223]
2024-11-22 09:18:13,375 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Is Contract Document] in Permission {Property rights per: Users can access Contract Document} have failed in context[465086223]
2024-11-22 09:18:13,375 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Is Broker Document, Account Is System Admin || Account Is Administrator || Broker manager can create and update Broker document] in Permission {Property rights per: Users can access Broker Document} have failed in context[465086223]
2024-11-22 09:18:13,375 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Account Is System Admin || Account Is Administrator || Broker user can access his her Company Client document and his her created Client document, Is Client Document] in Permission {Property rights per: Users can access Client Document} have failed in context[465086223]
2024-11-22 09:18:13,375 [ttp-nio-7766-exec-10][INFO ][on.property.internal.AbstractDataMasking][u:mgmadmin][processId:] - Resource class[com.mgmtp.a12.kernel.md.document.internal.service.impl.DocumentImpl]: Masking resource data...
2024-11-22 09:18:13,386 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Contract on offer-created status, Is Contract Document] in Permission {Property rights per: User can only update partially field on offer-created status} have failed in context[2018554287]
2024-11-22 09:18:13,387 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Contract on policy-created status, Is Contract Document] in Permission {Property rights per: User can not update offer on policy-created status} have failed in context[2018554287]
2024-11-22 09:18:13,388 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Is Contract Document] in Permission {Property rights per: Users can access Contract Document} have failed in context[2018554287]
2024-11-22 09:18:13,389 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Is Broker Document, Account Is System Admin || Account Is Administrator || Broker manager can create and update Broker document] in Permission {Property rights per: Users can access Broker Document} have failed in context[2018554287]
2024-11-22 09:18:13,390 [ttp-nio-7766-exec-10][INFO ][ity.spel.internal.UAAPolicyDecisionPoint][u:mgmadmin][processId:] - Policies [Account Is System Admin || Account Is Administrator || Broker user can access his her Company Client document and his her created Client document, Is Client Document] in Permission {Property rights per: Users can access Client Document} have failed in context[2018554287]
2024-11-22 09:18:13,390 [ttp-nio-7766-exec-10][INFO ][on.property.internal.AbstractDataMasking][u:mgmadmin][processId:] - Resource class[com.mgmtp.a12.kernel.md.document.internal.service.impl.DocumentImpl]: Masking resource data...
  • We can’t define the property permissions for only 1 document model (if we do, the data of other models will be broken).
    ++ In some business use cases, property permissions are not necessary for some document models. This issue causes the UAA authentication JSON file to grow continuously, and we may lose control of it, since with our infrastructure some portals can’t enable debugging in IntelliJ because they’re using a Docker setup.
    => Or is there any way to define the property permissions for only 1 document model?

  • For some use cases, the entity should be read-only → but then Authorization File Validation does not allow leaving the WRITE block empty. How can we support this case properly? I have to do this: "WRITE": ["User can not update"], and it seems like a workaround to get around your validation?

Example authorization JSON file in Dev-Dpos (for development portal only):
dposAuthorizationDefinition.json (26.9 KB)

Questions:

  • It would be nice if we could decide which property permissions will be applied to which model. Maybe the Target feature for propertyPermissions will help.
    Are you considering this?
  • Would you allow defining the WRITE permission as empty for read-only cases?

I’m looking forward to hearing from experts!

Best regards!
Nhat Cong Nguyen.

hi @nhat-round-cloud

  • In property authorization specifically, and in Authorization in general, we want to apply the principle of “access denied by default”; therefore we check Authorization for all models you have (assuming you have a central authorization call for checking all models).
    • Maybe you can implement “model filtering” in your project as a wrapper and actively call the UAA Authorization check only if it matches the models you configured.
  • You can remove the WRITE definition; as long as you declare an array, it requires at least 1 item.
  • Logging failed authorization checks is important to know which Authorization rules have failed. Therefore, if your project really doesn’t need this information, you can actively disable the log of that class.

I hope this helps.

Best regards,
Tuan Do
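One way to build the “model filtering” wrapper suggested above, as an added example that is not A12’s or the project’s own code: the platform check is only skipped for models the project explicitly lists as exempt, and every other model (listed or not) is still delegated to the real check, so the platform’s “access denied by default” is preserved for anything not deliberately opted out. The `Document` and `PropertyPermissionCheck` interfaces, the model names and the deny-all delegate are assumptions made for this illustration, not UAA APIs.

```java
import java.util.Map;
import java.util.Objects;

// Added example, not A12/UAA code. The two interfaces below are assumed stand-ins:
// in a real project the delegate would wrap the platform's property-permission check.
public final class ModelFilteringPropertyPermissionCheck {

    /** Assumed: a document exposes the name of the model it was created from. */
    @FunctionalInterface
    public interface Document {
        String modelName();
    }

    /** Assumed: the platform's property-permission check, called as the delegate. */
    @FunctionalInterface
    public interface PropertyPermissionCheck {
        boolean hasPropertyPermission(Document persisted, Document updated);
    }

    /** ENFORCE delegates to the platform check; EXEMPT skips it for that model only. */
    public enum Mode { ENFORCE, EXEMPT }

    private final PropertyPermissionCheck delegate;
    private final Map<String, Mode> modelConfig;

    public ModelFilteringPropertyPermissionCheck(PropertyPermissionCheck delegate,
                                                 Map<String, Mode> modelConfig) {
        this.delegate = Objects.requireNonNull(delegate);
        this.modelConfig = Map.copyOf(modelConfig);
    }

    /**
     * Decides whether the update may proceed. Only models explicitly listed as EXEMPT
     * skip the platform check; every other model (listed as ENFORCE or not listed at all)
     * is delegated, so an unknown or misspelled model name never bypasses authorization.
     */
    public boolean isAllowed(Document persisted, Document updated) {
        String model = persisted.modelName();
        if (!model.equals(updated.modelName())) {
            // An update that changes the document's model is not an in-place update: deny.
            return false;
        }
        Mode mode = modelConfig.getOrDefault(model, Mode.ENFORCE);
        if (mode == Mode.EXEMPT) {
            return true;
        }
        return delegate.hasPropertyPermission(persisted, updated);
    }

    // Self-check with constructed documents (hypothetical model names).
    public static void main(String[] args) {
        Document contract = () -> "Contract";
        Document broker = () -> "Broker";
        Document unlisted = () -> "Unlisted";

        // Delegate that counts calls and denies everything, standing in for the
        // platform's deny-by-default behaviour.
        int[] delegateCalls = {0};
        PropertyPermissionCheck denyAll = (p, u) -> { delegateCalls[0]++; return false; };

        ModelFilteringPropertyPermissionCheck check = new ModelFilteringPropertyPermissionCheck(
                denyAll, Map.of("Contract", Mode.ENFORCE, "Broker", Mode.EXEMPT));

        System.out.println("Contract allowed: " + check.isAllowed(contract, contract));
        System.out.println("Broker allowed:   " + check.isAllowed(broker, broker));
        System.out.println("Unlisted allowed: " + check.isAllowed(unlisted, unlisted));
        System.out.println("Delegate calls:   " + delegateCalls[0]);
    }
}
```

In the listener from the original post, `isAllowed(event.getPersistedDocument(), event.getUpdatedDocument())` would be called from the method body in place of the `@PreAuthorize` expression, throwing Spring Security’s `AccessDeniedException` when it returns false. Note the trade-off: an exempt model gets no property-level check or masking at all, so the exempt list should be reviewed as carefully as the authorization JSON itself.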

Hi @nhat-round-cloud,
has your question been answered or do you need further support? If it is solved, please, use the checkbox to mark the solution to your problem so that other users also know what helped in your case.
Thanks in advance!
Denise from the Discourse team