Security Overview

Derick Larson
Platform Admins

When we discuss security in this article, we are referring to access, not authentication. This means we are referring to what someone has access to within the system, not the method of determining whether their password is valid and allowing them into the system.

Security for platform components is handled by Security Policies. Security policies are something defined by a system admin and can be as simple or complex as necessary. These policies can incorporate a variety of information, including the user's indentity, teams, roles, and more.

Security policies can be used, in some cases, to determine access to the platform consoles themselves.

Creating Security Policies

Security Policies are created in the same manner, regardless of the level they are created for. You may have different information depending on the level, but creating the policy is the same.

Rules are built (written) using KSL, a scripting language created for such things. See the related KSL article for more information on KSL and for sample security policies.

Each Policy Rule console has the same fields:

  • Name. Descriptive name for the rule
  • Type. Drop-down list of options for the rule depending on where you are in the Request console (Space or Kapp).
  • Message. Message presented if the rule resolves to False
  • Rule. KSL that resolves to True or False

Security Policy Precedence

Security policies are defined in different places, depending on where they are applied. If no policy is defined, then the policy is used from the next highest level.

In level order:

  1. Form
  2. Kapp
  3. Space

Consoles

In general, you need to be a Space Admin to have access to the consoles.

If you allow a user access to Form Modification, they have access to the kapp the form is part of. they can see other consoles in the kapp, but cannot make changes.

Each kapp also has a setting for kapp visibility and kapp modification. While kapp visibility is just to see the forms for the kapp, kapp modification allows a user to have access to the kapp consoles.

kapp security settings kapp security settings are in the Settings console for the kapp, under the Security tab.

You can also see the default values for form security permissions that are set here.

Form Security Policies

There are four options for Security Policies for Forms. They control form modification and visibility, and submision access and modification. security console Another option is to set the form to anonymous. This option is featured in another article because it's not specifically a security option.

Each of the four options has the same list of choices.

  • Form Display.
  • Form Modification.
  • Subbmission Access.
  • Submission Modification.

Workflow Options

Access to workflow, task trees, is controlled by Policy Rules. The format is similar to what is described above except that ruby is used and there is no type field.

One feature that is particular to workflow security rules is that the element they are attached to is also shown at the bottom of the rule.

Here is an example of API Policy Rules: workflow policy rule

API (task tree normally) access is restricted per Source, so at the bottom of each Rule, you can select a source to apply the rule to.

This option is available in Reverse on the dialog for the Source. source policy rule

Policy rules are available for Categories, and Consoles also.

Workflow Consoles

The workflow engine allows a very granular access to the different consoles.

Here is an example from the viewpont of a policy rule: workflow console access You can see the extensive list of available consoles. Policy rules here let you limit access to specific areas like Handlers or Errors.