A Privilege refers to any operation that can be performed upon data. Creating Privileges allows you to configure the granularity of the operations that can be performed on your data. Assigning Privileges to users helps control access to important components (protection elements) of an application. (excerpt from the caCORE CSM v4.2 Programmer's Guide)
A privilege represents some action that can be performed on some protected entity. For example, read, write and delete are all examples of privileges. A user who has read access to an entity has the ability to view data related to the entity. If a user lacks the delete privilege for an entity, she will not have the ability to delete data related to the entity.
As an example, consider the following table taken from the caCORE CSM v4.2 Programmer's Guide showing the list of CSM Standard Privileges.
| Privilege Name | Privilege Definition | Applying the Privilege (Example) |
|---|---|---|
| CREATE | This privilege grants permission to a user to create an entity. This entity can be an object, a database entry, or a resource such as a network connection. | A user can create a database entry. |
| ACCESS | This privilege allows a user to access a particular resource. Examples of resources include a network connection, database connection, socket, module of the application, or even the application itself. | A user can gain access to a particular module in an application. |
| READ | This privilege permits the user to read data from a file, URL, socket, database, or an object. This can be used at an entity level, signifying that the user is allowed to read data about a particular entry (which can be an object, database row, etc.). | A user can view personal information such as a Social Security Number. |
| WRITE | This privilege allows a user to write data to a file, URL, socket, database, or object. This can also be used at an entity level, signifying that the user is allowed to write data about a particular entity (which may include an object, database row, etc.). | A user can add text to a database entry. |
| UPDATE | This privilege grants permission at an entity level and signifies that the user is allowed to update and modify data for a particular entity. Entities may include an object, an attribute of the object, a database row, etc. | A user can modify an object's attribute data. |
| DELETE | This privilege permits a user to delete a logical entity. This entity can be an object, a database entry, a resource such as a network connection, etc. | A user can delete a record. |
| EXECUTE | This privilege allows a user to execute a particular resource. The resource can be a method, function, behavior of the application, URL, button, etc. | A user can click on a button to perform a method. |
Privileges are not application-specific. That is, the same set of permission names created in the Manage Privileges interface is used across all CSM applications. However, it is up to each application to assign a meaning to a privilege. For example, one application may interpret a privilege named EXECUTE to mean being able to run a script. Another application may interpret EXECUTE to mean being able to kill something. A third application may assign no meaning to EXECUTE.
After creating a new permission, you may associate it with roles from any CSM application that can be accessed using the Application Access Control interface. Similarly, removing a privilege will remove it from all roles associated with it across all CSM applications.
In order to manage CSM applications and resources, you must be logged into a grid account that is configured to be a CSM administrator. During the installation process, it was recommended that at least one grid identity be added as a CSM administrator. If your account was not configured to be a CSM administrator, review step 7 of the Installation Guide.
If you have added your grid account as a CSM administrator but you are experiencing an error similar to the one pictured to the right, make sure that you specified the correct grid account in the Credential select box of the Manage Privileges interface.
You can search for existing privileges using the Search form fields of the Manage Access Control interface. Select a service from the Service select box and choose your grid credential from the Credential select box. Note that the default value for the Credential select box is "Globus Default Proxy." Select a grid identity that has been configured as a CSM administrator. Click the Search button to show a list of all privileges associated with the Service you specified.
Notice that the only privilege listed in the example screenshot is ADMIN. This privilege is added to the CSM web service by default during installation.
To create a new privilege, click the Add button on the Manage Privileges interface to launch the Create Privilege interface. Enter a name for the privilege in the Privilege Name field and optionally enter a brief description in the Description field. You must enter a unique value for the privilege name. Attempting to enter a privilege name that already exists will throw the following error:
Once you have entered a privilege name and description, click the Create button. The new privilege will be created and the Privileges search results box on the Manage Privileges interface will refresh, displaying your newly added privilege.
To modify an existing privilege, first perform a search whose results include the privilege you would like to update. Click on the name of the privilege to highlight it and click the View button to launch the Modify Privilege interface. Alternatively, you may double-click on the name of the privilege to launch the modify interface.
You may update the name of the privilege and the description using the Privilege Name and Description fields. The Privilege Id and Last Updated fields are read-only. Take care not to change the privilege name to the name of a privilege that already exists, or an error message similar to the one shown in the Creating a new Privilege section will be thrown. When you have finished making changes, click the Modify button to update the privilege. The Manage Privileges interface will refresh and display your updated privilege name.
To remove a privilege, click on the privilege name to highlight it and click the Remove button. This will immediately disassociate it from all Roles in all applications it is associated with and will remove it from the system. Note that it is possible to remove a privilege even if it is still associated with a Role, so use caution.
Use caution with this feature! Clicking Remove does not prompt for confirmation and cannot be undone.
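The following is an added example, not CSM's own code, that models the privilege semantics described above: one global set of privilege names, roles owned per application, the unique-name rule on creation, and the cascading, unconfirmed removal that strips a privilege from every role in every application. The application and role names (studyService, reportService, curator, operator) are constructed placeholders.

```python
class PrivilegeRegistry:
    """Minimal model of CSM privilege/role semantics (illustrative, not the CSM API)."""

    def __init__(self):
        self.privileges = {"ADMIN": "added by default at installation"}  # global namespace
        self.applications = {}  # app name -> {role name -> set of privilege names}

    def create_privilege(self, name, description=""):
        # Privilege names must be unique across all CSM applications.
        if name in self.privileges:
            raise ValueError(f"privilege {name!r} already exists")
        self.privileges[name] = description

    def add_role(self, app, role, privilege_names):
        # A role may only reference privileges that exist in the global set.
        unknown = set(privilege_names) - set(self.privileges)
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")
        self.applications.setdefault(app, {})[role] = set(privilege_names)

    def remove_privilege(self, name):
        """Cascading removal: the privilege disappears from every role of every
        application immediately, whether or not any role still uses it.
        Returns the (app, role) pairs that lost the privilege."""
        del self.privileges[name]
        affected = []
        for app, roles in self.applications.items():
            for role, privs in roles.items():
                if name in privs:
                    privs.remove(name)
                    affected.append((app, role))
        return affected

    def has_privilege(self, app, user_roles, privilege):
        """Per-application check: the privilege name is global, but whether a
        user holds it depends on the roles that application granted her."""
        app_roles = self.applications.get(app, {})
        return any(privilege in app_roles.get(r, set()) for r in user_roles)


def demo():
    """Constructed scenario: a curator in studyService holds DELETE until the
    privilege is removed globally; the removal also touches reportService's roles."""
    reg = PrivilegeRegistry()
    for name in ("READ", "DELETE", "EXECUTE"):
        reg.create_privilege(name)
    reg.add_role("studyService", "curator", {"READ", "DELETE"})
    reg.add_role("reportService", "operator", {"READ", "DELETE", "EXECUTE"})
    before = reg.has_privilege("studyService", ["curator"], "DELETE")
    affected = reg.remove_privilege("DELETE")
    after = reg.has_privilege("studyService", ["curator"], "DELETE")
    return before, after, sorted(affected)
```

Running `demo()` shows the curator losing DELETE without any per-application step, which is why the Remove button deserves the caution above.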
Learn how to associate privileges with roles using the Managing Roles guide.