Capabilities represent HsM features whose availability to the end user can be restricted. Capability grants define which of these features are actually available to the users of a system. HsM defines two different types of capabilities:
• System capabilities: These capabilities can only be granted to the HsM instance as a whole.
• Customer-user capabilities: These capabilities can be granted to the HsM instance, to customers and to users, and are always checked in a customer-user context.
Note: In HsM, capabilities and authorization are two independent concepts. That is, a specific action or feature in HsM can be protected by permissions, by capabilities, or by both, and each of the two is checked independently of the other.
Granting a capability decides whether the feature that the capability represents is available to the end user or not. For example, a specific analysis method for device data could be bound to a capability, so that the analysis method can only be used if that capability is granted.
When granting a capability, an availability level is specified. HsM defines three availability levels; their purpose is to support graphical user interfaces in deciding how to present a feature that is bound to a capability which is not granted. See Table 21 for a description of the availability levels.
| Availability level | Feature available | Notes |
|---|---|---|
| Available | Yes | The feature represented by the capability is available without restriction. |
| Disabled | No | The feature represented by the capability is not available. User interfaces are advised to present the feature in a disabled way. |
| Hidden | No | The feature represented by the capability is not available. User interfaces are advised to hide the feature. |

Table 21: Availability levels used in availability capability grants
For the calculation of effective customer-user capabilities, availability levels are defined as comparable, with the ordering available > disabled > hidden. For example, max({available, disabled, hidden}) = available and min({available, disabled}) = disabled.
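The following is an added example, not HsM code, that models the ordering of Table 21 and the two points made above: availability levels are comparable with min()/max(), and capability checks are independent of permission checks. The capability name, the customers and users, and the grant data are constructed for illustration. The page does not state how the grants at instance, customer and user scope are combined into an effective level; the combination rule used here (minimum over the grants that exist, a scope without a grant inherits from the wider one, no grant anywhere means hidden) is an assumption of this example and not an HsM rule.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Availability(IntEnum):
    """Availability levels of Table 21. The integer values encode the ordering
    the text defines (available > disabled > hidden), so comparison operators
    and min()/max() work on the members directly."""
    HIDDEN = 0
    DISABLED = 1
    AVAILABLE = 2

    @property
    def feature_available(self) -> bool:
        """Column "Feature available" of Table 21: only AVAILABLE makes the feature
        usable; DISABLED and HIDDEN differ only in how a UI should present it."""
        return self is Availability.AVAILABLE


@dataclass
class CapabilityGrants:
    """Grants of one customer-user capability at the three scopes the page lists.
    Users are identified by (customer, user name); None means "no grant"."""
    instance: Optional[Availability] = None
    customer: Dict[str, Availability] = field(default_factory=dict)
    user: Dict[Tuple[str, str], Availability] = field(default_factory=dict)


def effective_availability(grants: CapabilityGrants, customer: str, user: str) -> Availability:
    """Effective level of a customer-user capability in one customer-user context.

    ASSUMED combination rule (the page only says the levels are comparable):
    a narrower scope may only restrict the wider one, so the result is the
    minimum over the grants that exist for instance, customer and user.
    A scope without a grant is skipped (inherits), and a capability granted
    nowhere is treated as hidden. Both are assumptions of this example.
    """
    levels = [
        level
        for level in (
            grants.instance,
            grants.customer.get(customer),
            grants.user.get((customer, user)),
        )
        if level is not None
    ]
    return min(levels) if levels else Availability.HIDDEN


def ui_presentation(level: Availability) -> str:
    """What the Notes column of Table 21 advises a user interface to do."""
    return {
        Availability.AVAILABLE: "show",
        Availability.DISABLED: "show-disabled",
        Availability.HIDDEN: "hide",
    }[level]


def may_invoke(has_permission: bool, level: Availability) -> bool:
    """Check for a feature protected by both a permission and a capability.
    The two concepts are independent (see the note above): a granted capability
    does not imply the permission and vice versa, so both must hold. This check
    belongs at the point of invocation; the UI advice above is presentation only."""
    return has_permission and level.feature_available


# Constructed sample data for one made-up capability, "analysis.device-data.spectrum".
SAMPLE_GRANTS = CapabilityGrants(
    instance=Availability.AVAILABLE,
    customer={"acme": Availability.AVAILABLE, "globex": Availability.DISABLED},
    user={("acme", "alice"): Availability.AVAILABLE, ("acme", "bob"): Availability.HIDDEN},
)


if __name__ == "__main__":
    contexts = [("acme", "alice"), ("acme", "bob"), ("globex", "carol"), ("initech", "dave")]
    for customer, user in contexts:
        level = effective_availability(SAMPLE_GRANTS, customer, user)
        print(f"{customer}/{user}: {level.name.lower():9s} "
              f"ui={ui_presentation(level):13s} invoke(with permission)={may_invoke(True, level)}")
```

Running the block shows alice with the feature available, bob with it hidden by his user-level grant, carol restricted to disabled by the globex customer-level grant, and dave inheriting the instance-level grant. Whether a missing grant inherits or restricts is exactly the kind of detail to confirm against the actual HsM semantics before relying on it.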