User Authentication and Authorization
CATS security infrastructure for user authentication and authorization to handle both web sessions and API calls.
Goals
- Provide user authentication for web interface clients and API calls.
- Provide single-sign-on (SSO) for users who have access to more than one CATS module.
- Provide a role-based user authorization system that allows system administrators to define roles using a combination of permissions defined in CATS.
- Provide user profile management for setting user options such as interface language, themes and keyboard input methods.
- Allow users to manage their account by performing tasks such as password reset and password changing.
Background and strategic fit
The CATS security feature is initially based on ASP.NET Membership, which is a strict role-based user authorization method. The Membership provider in ASP.NET provides basic user authentication and authorization features but falls short for hierarchical user roles. In addition, all user roles need to be hard-coded inside the application logic, which makes the system rigid and makes it impossible to add new roles once the application is deployed. The main goal of this library is to address these issues by providing separate components for handling user authentication and authorization. User profile management is also considered a key component of CATS, since other libraries such as the Ethiopic Date Library Package and the Language Translation Package depend on user profiles.
Assumptions
- It should be easy to define new user roles without requiring redeployment or recompilation of CATS
- It should be easy to define hierarchical roles allowing administrators to define delegation and permission inheritance between roles
- It should allow users to manage their profile and account information
- It should be able to store sensitive user information in encrypted format
- It should not allow the decryption of sensitive user information such as passwords
Requirements
# | User Story Title | User Story Description | Priority | Notes |
---|---|---|---|---|
1 | Change Password | As a user I should be able to change my password so that I can protect my user information. | High | |
2 | Reset Password | As a user I should be able to reset my password so that I can reclaim my user information if I lose my password. | High | |
3 | Create Users | As an administrator I want to create users so that they can log into CATS | High | |
4 | Assign Roles | As an administrator I want to assign roles to users so that they can access information relevant to their permission levels | High | |
5 | Create Role Hierarchy | As an administrator I want to create role hierarchy so that I can simplify permission management in CATS | Medium | |
6 | Associate Permissions to Roles | As an administrator I want to associate permissions to roles so that I will be able to define the access level for users. | High | |
7 | Manage User Profile | As a user I want to manage my profile so that I will be able to configure CATS according to my interests | High | |
8 | Configure Roles | As a CATS administrator I want to be able to manage roles within the system so that I'll be able to manage user permissions | High | |
9 | Associate Roles with Permissions | As a CATS administrator I want to be able to associate roles with permissions so that I'll be able to define authorisation for CATS. | High | |
10 | Create Roles | As CATS administrator I want to be able to create new roles so that I'll be able to provide users the required level of permissions to access CATS | High | |
11 | Get all permissions for a user | As a developer I want to be able to get the list of all permissions a user is authorized for so that I can use it to render the requested page/UI according to his/her permission level. | High | |
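
One way the hierarchical-role assumption and user story 11 could fit together (an added example, not CATS code): roles and their inheritance are held as data, so a new role needs no recompilation, and a user's permissions are the union over each assigned role and everything it inherits. `RoleStore`, its methods and the role and permission names are hypothetical, and the code assumes C# 9 or later for top-level statements.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model: roles are data (as if loaded from a database), not code.
var store = new RoleStore();                  // constructed sample data, names invented
store.DefineRole("Viewer", "Dispatch.View");
store.DefineRole("Clerk", "Dispatch.Create");
store.DefineRole("Manager", "Dispatch.Approve");
store.Inherit("Clerk", "Viewer");             // Clerk inherits Viewer
store.Inherit("Manager", "Clerk");            // Manager inherits Clerk, and Viewer through it
Console.WriteLine(string.Join(", ", store.GetPermissions(new[] { "Manager" })));
try { store.Inherit("Viewer", "Manager"); }   // would close a loop, so it is refused
catch (InvalidOperationException e) { Console.WriteLine(e.Message); }

public sealed class RoleStore
{
    private readonly Dictionary<string, (HashSet<string> Perms, HashSet<string> Parents)> _roles = new();
    public void DefineRole(string role, params string[] permissions) =>
        _roles[role] = (new HashSet<string>(permissions), new HashSet<string>());

    // child inherits every permission of parent; an edge that would form a cycle is refused.
    public void Inherit(string child, string parent)
    {
        if (!_roles.ContainsKey(child) || !_roles.ContainsKey(parent))
            throw new ArgumentException("Unknown role.");
        if (Closure(parent).Contains(child))
            throw new InvalidOperationException($"Role cycle refused: {child} -> {parent}");
        _roles[child].Parents.Add(parent);
    }

    // The role itself plus every role it inherits from, directly or transitively.
    private HashSet<string> Closure(string role)
    {
        var seen = new HashSet<string>();
        var pending = new Stack<string>(new[] { role });
        while (pending.TryPop(out var r))
            if (seen.Add(r)) foreach (var p in _roles[r].Parents) pending.Push(p);
        return seen;
    }

    // User story 11: every permission the user's roles grant; unknown roles grant nothing.
    public ISet<string> GetPermissions(IEnumerable<string> assignedRoles)
    {
        var result = new HashSet<string>();
        foreach (var role in assignedRoles)
            if (_roles.ContainsKey(role))
                foreach (var r in Closure(role)) result.UnionWith(_roles[r].Perms);
        return result;
    }
}
```

Rejecting the edge at definition time keeps the hierarchy acyclic, so a misconfigured loop cannot silently give a low-privilege role the permissions of the roles above it.
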
User interaction and design
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome |
---|---|