Architecting a security model for an IT Operations portal like FireScope is perhaps among the most difficult tasks we’ve faced thus far. Finding the right balance between flexibility for clients with unique environments and still providing robust security resulted in endless hours of ‘debate’ in our Dallas office, home office for our engineering and development teams. Among the requirements we set out to achieve were:
· Never force the client to change their processes or organizational structure.
· The model must be able to handle control over who has access to features, as well as the managed assets themselves.
· Account information and group memberships to be stored in an LDAP-server for easy integration with active directory or other directory services to enable simplified administration.
· The performance of FireScope itself must never be adversely impacted by security checks.
· Access to assets must be implicitly denied for all users until they’ve been explicitly granted access.
· Access to configuration settings such as user management, service group membership etc. must be segregated from the core application itself.
In the end, we managed to achieve all of these requirements through several techniques. First off, all configuration settings were moved out of the main portal and into a separate website for improved security with independent logging of user activity. Next, we implemented a mixture of role- and group-based security settings for each user. Access to assets is controlled by group membership of both the assets and the users, with the granularity of access (view, edit, administer, etc.) controlled by the role of the user.
Fortunately, FireScope has a passionate user base, which has given us valuable feedback that has resulted in subtle tweaks and adjustments to our security model. And since FireScope clients run the breadth of organizational sizes, small to incredibly large, and most vertical markets, these adjustments have made it possible for us to confidently say that our security model has the flexibility to fit with any IT organization.