i4connected Knowledgebase 5.6

i4connected Security

Abstract

Check out this article and learn everything that you need to know about the i4connected Security system introduced with the new 5.6 version.

The i4connected 5.6 security model allows a fine-grained control over user permissions, eliminating any hard-coded security rules.

The current security system is divided between several concepts, which act together as a whole:

  • Roles - The current roles system contains two types of roles, both having as scope to define which operations are supported by the system:

    • The Built-in roles have a system-wide meaning, being enforced at level of the web-application, on basis of a fixed set of rights governing all the aspects of the i4connected application.

    • The Custom roles are based on a set of extended permissions, allowing the integration of custom functionality in the security environment. Extended permissions require database and code changes and cannot be done through the administration user interface.

    Warning

    The main limitation of the current role system is that the roles are applied globally, and the user does not have a more granular way to control access. Currently there is no possibility to have multiple types of administrator accounts with scoped permissions.

  • Hierarchical permissions - The current system enforces another set of permissions which are applied over the two existing hierarchies:

    • Organizational Units

    • Sites and areas

    Once a user is assigned to such an hierarchical node all the calculations to the above and below nodes will be available. This way the user will have access to the devices assigned to that node and implicitly to any analytics dashboards and drill-down views in the system.

    Warning

    The hierarchical system has several limitations, starting with the fact that it is based on conventions so this behaviour might not be desired by all WEBfactory users, as well as the fact that it does not allow more granular control down to the signal level.

    Another big downside of this permission system is that any database query which retrieves hierarchical items or devices must evaluate the permission against the entire hierarchy which is both very complex and very resource intensive.

    The hierarchical permission system can offer a certain level of control in analytics scenarios, but it fails when it comes to SCADA scenarios, where a more granular level is needed.

  • Tenant scoping - Both the Roles and Hierarchical permissions security concepts are also cross-connected to the concept of tenants and their relations with some hierarchical entities (such as sites).

    Since the 5.6 version of i4connected, WEBfactory introduced the possibility to manage tenants independently. Hence, each tenant will get a database that will hold the tenant data structure. This complete data isolation between tenants allows an easier disaster recovery, faster processing due to the lower data amounts and an increased server performance.