The authorization concept used in the Client Service defines three security components that are used to regulate who has access to data and operations within the system.
•Security principal: An identity that is authorized to access/modify data or perform operations on securables. In HsM security principals are users.
•Securables: The resource within HsM for which access is regulated. In HsM securables are the system as a whole and customers.
•Permissions: The types of access that security principals can have on securables.
In general the Client Service assigns permissions to specific security principals for specific securables. However the Client Service does not assign permissions directly to security principals but only via roles. Permissions are predefined by the Client Service and cannot be modified.
HsM uses an additive permission model. I.e. all permissions grant some kind of access to securables, they never revoke or deny access. Security principals that were not assigned any permission on securables cannot access or modify any data in HsM and cannot perform any operations within the system.
Scope of applicability
The authorization concept is implemented on all APIs and data interfaces of the Client Service with following exceptions
•Common API: Endpoints on this API do not need any authorization, as the endpoints are not exposing any customer or user data.
•Synchronization API: Once authenticated all endpoints of this API can be used without limitation. The synchronization API assumes that only trusted services will be able to authenticate.
•Resource data forwarding: The connection strings created with resource data forwarding rules give access to all the data delivered via the Azure Service Bus and the SignalR Hub for that rule. No further authorization is performed.
•Resource data event publication: The connection strings created with resource data event publication rules give access to all the data delivered via the Azure Service Bus and the SignalR Hub for that rule. No further authorization is performed.
