Automated User Interface Access Control
Traditionally, when developing a product, there are two types of access control: Role-Based Access Control and Tier/Level/Version Based Access Control (from now on called Level-Based Access Control). A product may use either or both types of access controls.
In Role-Based Access Control, there are several different organizational roles that a user may have (for example, administrator, guest, analyst, etc.). Each role provides a user with a different subset of pages, data, features, actions, and so on of the product.
In Level-Based Access Control, a product has several levels that a client may purchase (for example, Starter, Small Team, Mid Team, Enterprise, or, in another scheme, Low, Medium, Premium). Each level provides a different subset of the product's pages, data, features, and actions.
To implement access control, UI engineers traditionally go through every page of a product and its UI elements (buttons, form fields, menus, menu items, visualizations, and so on) by hand and code a check that decides whether to render each element for the current user's role. This manual process is highly error-prone. Individual elements are occasionally left unchecked through human error (an overlooked button, an unsearched part of the codebase), and if a check is coded incorrectly or placed at the wrong level, features, controls, and access can be granted to the wrong users or clients. Even when done correctly, the work is time-consuming and must be repeated every time a page or component is added, changed, or modified. In short, the approach is slow and fragile because it scatters new access-control logic across many places in the code. Note also that rendering checks only decide what the UI shows; the data and actions behind a hidden element still need the same policy enforced on the server.
UI Element Incorporation
Kleeen’s Automated User Interface Access Control will automatically wrap the components needed at the right level to ensure proper UI control.
Access Control Manifest
Kleeen’s Automated User Interface Access Control checks against the manifest file found at `apps/cloud/src/app/settings/role-access-keys.custom.json`. This file overrides the default policies generated by Kleeen; for example, it is where you would hide the “Nodes” page from users in the “Guest” role.
Currently, the manifest file can control the following UI components:
- Workflows.
  - Controlled on nav, on crossLinking, and when the URL is accessed directly.
- Views (goal experiences such as “gain understanding” or “enumerate”).
  - Known bug: the first view can't be hidden; the workaround is to reorder the views in authoring.
- Widgets.
Working with the Access Control Manifest
The role-access-keys files:
Main File (`apps/cloud/src/app/settings/role-access-keys.json`)
Each element on the UI is assigned an access key, and a file listing all of them is generated. This file serves as the reference for every access key available.
```jsonc
{
  // This represents the nav part of each workflow of the app you can hide or show for a specific role.
  "NAVIGATION": {
    "CHILDREN": {
      "ACCESSMANAGER": {
        "PERMISSIONS": {
          "ADMIN": "SHOW",
          "GUEST": "SHOW"
        }
      },
      "COMPANY&PRODUCT": {
        "PERMISSIONS": {
          "ADMIN": "SHOW",
          "GUEST": "SHOW"
        }
      },
      "THEMEMANAGER": {
        "PERMISSIONS": {
          "ADMIN": "SHOW",
          "GUEST": "SHOW"
        }
      }
    }
  },
  "COMPANY&PRODUCT": {
    "CHILDREN": {
      "WIDGETS": { // This represents the widgets for each workflow
        "CHILDREN": {
          "3947A7FD-7BF2-4213-AEFF-B07DF5AC07B1": { // this is the id of the widget
            "PERMISSIONS": {
              "ADMIN": "SHOW",
              "GUEST": "SHOW"
            }
          },
          "5DFA8CEA-B3F4-44A5-BCDB-28AC8AC34F50": {
            "PERMISSIONS": {
              "ADMIN": "SHOW",
              "GUEST": "SHOW"
            }
          }
        }
      }
    }
  },
  "ACCESSROLEDETAILS": { // this is a workflow with multiple views
    "CHILDREN": {
      "WIDGETS": {
        "CHILDREN": {
          "F1611D80-03A5-48CB-8131-1CCCE9966603": {
            "PERMISSIONS": {
              "ADMIN": "SHOW",
              "GUEST": "SHOW"
            }
          }
        }
      },
      "VIEWS": { // this is the case when you have views
        "CHILDREN": {
          "KLEEENUIROLELIST": {
            "PERMISSIONS": {
              "ADMIN": "SHOW",
              "GUEST": "SHOW"
            }
          },
          "DASHBOARD": {
            "PERMISSIONS": {
              "ADMIN": "SHOW",
              "GUEST": "SHOW"
            }
          }
        }
      }
    }
  }
}
```
Custom Access File (`apps/cloud/src/app/settings/role-access-keys.custom.json`)
The idea here is that you copy the contents of the generated file into this one and then update the configuration role by role. In the end, the generated file is only a reference; the custom file is the one in use. Because it is the effective policy, keep it under code review like any other authorization rule, and remember that it only governs what the UI renders: the same rules must still be enforced server-side on the data and actions behind each element.
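As an added example (not Kleeen's code), here is how a consumer of these two files could merge them and answer "show or hide?" for a role, failing closed on anything the manifest does not explicitly allow, and applying the same decision to direct URL access that the Workflows entry above describes. The NODES key, the /nodes route, the merge order and the lookup helpers are assumptions for illustration; only the CHILDREN/PERMISSIONS/SHOW layout follows the files shown above.

```javascript
// Added example, not Kleeen's code: resolve SHOW/HIDE decisions from a
// role-access-keys manifest plus its custom override. The NODES key, the
// /nodes route and the merge/lookup rules are assumptions for illustration;
// only the file layout (CHILDREN / PERMISSIONS / SHOW) follows the article.

// Constructed sample of the generated role-access-keys.json.
const generatedManifest = {
  NAVIGATION: {
    CHILDREN: {
      ACCESSMANAGER: { PERMISSIONS: { ADMIN: "SHOW", GUEST: "SHOW" } },
      "COMPANY&PRODUCT": { PERMISSIONS: { ADMIN: "SHOW", GUEST: "SHOW" } },
      NODES: { PERMISSIONS: { ADMIN: "SHOW", GUEST: "SHOW" } }, // assumed key
    },
  },
  "COMPANY&PRODUCT": {
    CHILDREN: {
      WIDGETS: {
        CHILDREN: {
          "3947A7FD-7BF2-4213-AEFF-B07DF5AC07B1": {
            PERMISSIONS: { ADMIN: "SHOW", GUEST: "SHOW" },
          },
        },
      },
    },
  },
};

// Constructed sample of role-access-keys.custom.json: hide the Nodes page
// and one COMPANY&PRODUCT widget from GUEST. ADMIN is not mentioned, so it
// keeps the generated default after the merge.
const customManifest = {
  NAVIGATION: { CHILDREN: { NODES: { PERMISSIONS: { GUEST: "HIDE" } } } },
  "COMPANY&PRODUCT": {
    CHILDREN: {
      WIDGETS: {
        CHILDREN: {
          "3947A7FD-7BF2-4213-AEFF-B07DF5AC07B1": { PERMISSIONS: { GUEST: "HIDE" } },
        },
      },
    },
  },
};

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Deep merge without mutating either input: values from the custom file win,
// anything it does not mention keeps the generated value.
function mergeManifests(base, override) {
  const merged = { ...base };
  for (const [key, value] of Object.entries(override)) {
    merged[key] =
      isPlainObject(value) && isPlainObject(base[key])
        ? mergeManifests(base[key], value)
        : value;
  }
  return merged;
}

// Walk a dotted access-key path (e.g. "NAVIGATION.CHILDREN.NODES") and return
// that element's PERMISSIONS map, or undefined if any segment is missing.
function permissionsAt(manifest, path) {
  let node = manifest;
  for (const segment of path.split(".")) {
    if (!isPlainObject(node) || !Object.prototype.hasOwnProperty.call(node, segment)) {
      return undefined;
    }
    node = node[segment];
  }
  return isPlainObject(node) ? node.PERMISSIONS : undefined;
}

// Fail closed: render only on an explicit "SHOW" for this role. A missing
// element, a role the manifest never lists, or any other value means hide.
function canShow(manifest, path, role) {
  const permissions = permissionsAt(manifest, path);
  return isPlainObject(permissions) && permissions[role] === "SHOW";
}

// Direct-URL guard: derive the workflow key from the first path segment and
// apply the nav decision, so typing the URL is no more permissive than the menu.
function routeAllowed(manifest, route, role) {
  const workflow = route.replace(/^\/+/, "").split("/")[0].toUpperCase();
  if (workflow === "") return false;
  return canShow(manifest, `NAVIGATION.CHILDREN.${workflow}`, role);
}

const effectiveManifest = mergeManifests(generatedManifest, customManifest);

console.log("GUEST sees Nodes nav:", canShow(effectiveManifest, "NAVIGATION.CHILDREN.NODES", "GUEST"));
console.log("ADMIN sees Nodes nav:", canShow(effectiveManifest, "NAVIGATION.CHILDREN.NODES", "ADMIN"));
console.log("GUEST may open /nodes:", routeAllowed(effectiveManifest, "/nodes", "GUEST"));
```

Run it with node; the three console lines report the GUEST and ADMIN decisions. The fail-closed default is the part worth copying: a typo in an access key, or a role missing from a PERMISSIONS map, hides the element rather than exposing it.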
If you have any questions about this, please contact support@kleeen.software and we will be happy to answer them for you.