User Admin Service

Description of the mechanisms provided by the User Admin Bundle.

Overview

Conventionally, user administration comprises two mechanisms: authentication and authorization.

After successful authentication, the user is authorized to play certain roles within the Service Gateway system. Roles are of two types:

The members of a group share a common role, usually identified by the name of the group. Groups simplify the authorization process: to protect its resources, a bundle can check whether a user belongs to a group that represents a certain role, instead of consulting a long list of individually authorized users. A user is itself a kind of role and always implies itself.

For example, a bundle manages a specific database and permits only administrators to access its components. The database administrative role is represented by a group called "dbAdmins" (the group name is user-defined). When a user requests to read a record in the database, the bundle checks whether this user is a member of "dbAdmins". If the user belongs to this group, the requested record can be read; otherwise, the bundle rejects the access.

Every user that is registered in the User Admin Bundle owns a collection of properties and credentials. Public information about a user like a service preference is stored as a property. Private user information, such as a password, is treated as a credential.

The User Admin Bundle supports two types of members:

The initiator of the resource request must imply at least one basic member and all required members of a group. A group may contain zero or more basic members and zero or more required members; the required members are usually groups themselves. If a group has no basic members, the user.anyone role should be added to it as a basic member; then every initiator that implies all of the required members will get access.

Consider a user requesting access to a resource that is granted only to the members of a particular group. If the group contains only basic members, the user is authorized if it implies at least one of them. If the group contains only required members, the requester must belong to all of them. If both basic and required members are present, the user must belong to every required member and to at least one basic member.
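The following Python model is an added example, not code from the User Admin Bundle or the OSGi API; it works through the rules described above (a role implies itself, user.anyone is implied by every user, a group is implied only when all required members and at least one basic member are implied) on the "dbAdmins" scenario, and on a group whose required members are combined with user.anyone as the basic member. The class names, the `Registry` stand-in for the service and the user names are assumptions made for the example.

```python
from dataclasses import dataclass, field

USER_ANYONE = "user.anyone"   # predefined role that every user implies


@dataclass
class Role:
    name: str


@dataclass
class User(Role):
    # Public data (e.g. a service preference) is a property; private data
    # such as a password is a credential.
    properties: dict = field(default_factory=dict)
    credentials: dict = field(default_factory=dict)


@dataclass
class Group(Role):
    basic: list = field(default_factory=list)      # basic members
    required: list = field(default_factory=list)   # required members


def implies(role, user, _visited=frozenset()):
    """True if `user` implies `role` under the basic/required rules:

    - a role implies itself, and every user implies user.anyone;
    - a group is implied only if the user implies ALL required members
      AND at least one basic member (so a group with no basic members
      grants nothing unless user.anyone is added as a basic member).
    """
    if role.name in _visited:          # guard against membership cycles
        return False
    _visited = _visited | {role.name}
    if role.name in (user.name, USER_ANYONE):
        return True
    if isinstance(role, Group):
        return (all(implies(r, user, _visited) for r in role.required)
                and any(implies(b, user, _visited) for b in role.basic))
    return False


class Registry:
    """Minimal stand-in (assumption) for the service: roles looked up by name."""

    def __init__(self):
        self.roles = {USER_ANYONE: Role(USER_ANYONE)}

    def create_user(self, name, **credentials):
        self.roles[name] = User(name, credentials=dict(credentials))
        return self.roles[name]

    def create_group(self, name, basic=(), required=()):
        self.roles[name] = Group(name, list(basic), list(required))
        return self.roles[name]

    def has_role(self, user_name, role_name):
        """Does the named user play the named role? Unknown roles grant nothing."""
        role = self.roles.get(role_name)
        return role is not None and implies(role, self.roles[user_name])


def db_admin_scenario():
    """The dbAdmins example: only basic members, one match is enough."""
    reg = Registry()
    alice = reg.create_user("alice", password="constructed-secret")
    reg.create_user("bob")
    reg.create_group("dbAdmins", basic=[alice])
    return reg.has_role("alice", "dbAdmins"), reg.has_role("bob", "dbAdmins")


def required_scenario():
    """Required members: the requester must belong to all of them."""
    reg = Registry()
    alice, bob, carol = (reg.create_user(n) for n in ("alice", "bob", "carol"))
    admins = reg.create_group("admins", basic=[alice, bob])
    dba = reg.create_group("dba", basic=[alice, carol])
    # dbAdmins requires BOTH admins and dba; user.anyone is its only basic
    # member, so the required check alone decides who gets in.
    reg.create_group("dbAdmins", basic=[reg.roles[USER_ANYONE]],
                     required=[admins, dba])
    # Same required members but no basic member at all: nobody is authorized.
    reg.create_group("locked", required=[admins, dba])
    return ({u: reg.has_role(u, "dbAdmins") for u in ("alice", "bob", "carol")},
            reg.has_role("alice", "locked"))


if __name__ == "__main__":
    print(db_admin_scenario())   # (True, False)
    print(required_scenario())   # ({'alice': True, 'bob': False, 'carol': False}, False)
```

The "locked" group shows why the user.anyone convention matters: a group made only of required members authorizes nobody until a basic member is added, and membership checks that walk nested groups need a cycle guard so that a group that (indirectly) contains itself cannot loop forever.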

Registering Bundle

The service is registered by the OSGi User Admin Bundle.