Access controls
Altair SLC Hub implements a role-based access control system. A Role is a named entity that provides a set of permissions which can be associated directly with a user, or can be associated with groups. The set of permissions a user has is the union of the permissions associated with any roles directly assigned to the user and the roles associated with any groups the user is a member of, directly or indirectly.
Although it is possible to assign roles directly to users, the recommendation is to assign roles to groups, and then assign users to those groups. A hub installation contains a set of default groups that provide different levels of permissions for the functional areas of Altair SLC Hub. Use the reference of these groups and their permissions to identify the group or groups required for other permissions; see Default groups.
Access Control Recommendations
Recommendations for implementing custom access control rules in Altair SLC Hub.
Keep roles small and with single responsibility
In general, roles should be kept small and should have a single responsibility in terms of the permissions they grant. This allows for better composition of roles using groups.
Compose roles using groups
Although roles cannot be directly composed, it is possible to make groups a member of other groups. It is therefore possible to create a "hierarchy" of groups where some groups inherit the roles of other groups.
For example, if group A is made a member of group B, then any user that is a member of group A is also indirectly a member of group B. Any roles assigned to group B are inherited by group A.
As a concrete case, the installation HubUsers group is a base group and has bindings to basic roles. A group called FinanceUsers could be created and made a member of the HubUsers group, so that it inherits all the roles assigned to that group. The FinanceUsers group could then be assigned additional roles to provide the additional permissions that such users would need. A further group called FinanceAdministrators could then be created and made a member of the FinanceUsers group. The FinanceAdministrators group would inherit all the roles assigned to the FinanceUsers group, and the roles assigned to the HubUsers group. The FinanceAdministrators group could then be assigned additional roles to provide the additional permissions that such users would need.
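The following added example (not Altair SLC Hub code, and not its API) models the rule described above: a user's permissions are the union of directly assigned roles and the roles of every group reached directly or indirectly, and each grant is traced to its source for access reviews. The group names come from this page; the role names, permission strings and user names are constructed for illustration.

```python
from collections import deque

# Constructed sample data: role, permission and user names are hypothetical.
ROLE_PERMISSIONS = {
    "BasicAccess": {"portal.login", "library.read"},
    "FinanceData": {"finance.read"},
    "FinanceAdmin": {"finance.write", "finance.manage-users"},
}
# group -> groups it has been made a member of (roles flow back to the member)
GROUP_MEMBER_OF = {
    "HubUsers": set(),
    "FinanceUsers": {"HubUsers"},
    "FinanceAdministrators": {"FinanceUsers"},
}
GROUP_ROLES = {
    "HubUsers": {"BasicAccess"},
    "FinanceUsers": {"FinanceData"},
    "FinanceAdministrators": {"FinanceAdmin"},
}
USER_GROUPS = {"alice": {"FinanceAdministrators"}, "bob": {"FinanceUsers"}}
USER_ROLES = {"bob": {"FinanceAdmin"}}  # direct assignment: allowed, not recommended


def effective_groups(user):
    """Return {group: membership path} for direct and indirect membership."""
    paths = {}
    queue = deque((g, [g]) for g in sorted(USER_GROUPS.get(user, ())))
    while queue:
        group, path = queue.popleft()
        if group in paths:  # already visited; also stops membership cycles
            continue
        paths[group] = path
        for parent in sorted(GROUP_MEMBER_OF.get(group, ())):
            queue.append((parent, path + [parent]))
    return paths


def effective_permissions(user):
    """Return {permission: [sources]} naming the role and path behind each grant."""
    grants = {}
    for role in sorted(USER_ROLES.get(user, ())):
        for perm in ROLE_PERMISSIONS[role]:
            grants.setdefault(perm, []).append(f"direct role {role}")
    for group, path in effective_groups(user).items():
        for role in sorted(GROUP_ROLES.get(group, ())):
            for perm in ROLE_PERMISSIONS[role]:
                grants.setdefault(perm, []).append(f"{' -> '.join(path)} via role {role}")
    return grants
```

In this sample, `bob` ends up with the same permission set as `alice` even though he is not in FinanceAdministrators, which is the kind of drift that a group-only review misses when roles are assigned directly to users.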