Joseph Doherty
b104760b3a
Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
Admin -> Administrator
Design -> Designer
Deployment -> Deployer
Audit -> Administrator (COLLAPSE; accepted privilege escalation)
AuditReadOnly-> Viewer (COLLAPSE; keeps audit-read, no export)
SoD: OperationalAuditRoles = { Administrator, Viewer },
AuditExportRoles = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).
Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
operator-added rows. Down is lossy on the collapse (documented in-file).
No pending model changes.
Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.
CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.
42 lines
2.0 KiB
C#
42 lines
2.0 KiB
C#
namespace ZB.MOM.WW.ScadaBridge.Security;
|
|
|
|
/// <summary>
|
|
/// Single source of truth for role-name string literals used across the
|
|
/// Security module and downstream authorization checks.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>
|
|
/// Role names appear in three independent contexts: <see cref="RoleMapper"/>
|
|
/// (LDAP-group → role resolution), <see cref="AuthorizationPolicies"/>
|
|
/// (policy <c>RequireClaim</c> values + the audit role arrays), and at LDAP
|
|
/// mapping rows configured by an operator. Holding the literals here means a
|
|
/// rename either succeeds everywhere or fails to compile, eliminating the
|
|
/// "string drift" class that Security-018 documented.
|
|
/// </para>
|
|
/// <para>
|
|
/// Task 1.7 canonicalization (auth normalization): role VALUES were
|
|
/// standardized onto the canonical six (<c>Viewer/Operator/Engineer/Designer/
|
|
/// Deployer/Administrator</c>; only four are used by ScadaBridge). The legacy
|
|
/// ScadaBridge role names were renamed/collapsed as follows:
|
|
/// <list type="bullet">
|
|
/// <item><description><c>Admin</c> → <c>Administrator</c></description></item>
|
|
/// <item><description><c>Design</c> → <c>Designer</c></description></item>
|
|
/// <item><description><c>Deployment</c> → <c>Deployer</c></description></item>
|
|
/// <item><description><c>Audit</c> → <c>Administrator</c> (COLLAPSE — accepted
|
|
/// separation-of-duties loss; a former audit-only user gains the full admin
|
|
/// surface)</description></item>
|
|
/// <item><description><c>AuditReadOnly</c> → <c>Viewer</c> (COLLAPSE — keeps
|
|
/// audit-read + nav, loses bulk export, which it never had)</description></item>
|
|
/// </list>
|
|
/// <c>Operator</c> and <c>Engineer</c> exist in the canonical vocabulary but are
|
|
/// unused by ScadaBridge, so they are intentionally not declared here.
|
|
/// </para>
|
|
/// </remarks>
|
|
public static class Roles
|
|
{
|
|
public const string Administrator = "Administrator";
|
|
public const string Designer = "Designer";
|
|
public const string Deployer = "Deployer";
|
|
public const string Viewer = "Viewer";
|
|
}
|