Access Control Flowcharts

Introduction

Included below are some logical flow charts that visually display the rules that were described in previous sections. The terminal actions that are shown as permitted assume that no other permissions are held by the user other than the ones that have been accumulated by following a specific path in the flow, and given those permissions, no other actions will be permitted other than the ones listed. If multiple permissions are sought, a user would traverse multiple paths in the flow(s) and accumulate additive permissions.

Users

Can View Partial User Information

Can view only the following attributes of a user:

  • ID
  • First name
  • Last name
  • Email address

digraph {
  layout="dot";
  Start -> Allowed;

  Allowed [shape=box; style=rounded];
}

Can View Full User Information

Can view the following attributes of a user:

  • ID
  • First name
  • Last name
  • Email address
  • Group memebership
  • Access tokens
  • Enabled/Disabled state
  • Creation date

digraph {
  layout="dot";
  Start -> IsMyself;
  IsMyself -> Allowed[label="yes"];
  IsMyself -> DoesHaveSystemPermission[label="no"];
  DoesHaveSystemPermission -> Allowed[label="yes"];
  DoesHaveSystemPermission -> NotAllowed[label="no"];

  Start [shape=box; style=rounded];
  IsMyself [shape=diamond; label=<
    Am I viewing my own<BR/>
    User information?
  >];
  DoesHaveSystemPermission [shape=diamond; label=<
    Does the current user<BR/>
    have the system permission<BR/>
    "Manage Users and Groups"?
  >];
  Allowed [shape=box; style=rounded];
  NotAllowed [shape=box; style=rounded; label="Not Allowed"];
}

Groups

Can View Partial Group Information

Can view all of a group’s attributes except for user group membership.

digraph {
  layout="dot";
  Start -> Allowed;

  Allowed [shape=box; style=rounded];
}

Can View Full Group Information

Can view all of a group’s attributes.

digraph {
  layout="dot";
  Start -> DoesHaveSystemPermission;
  DoesHaveSystemPermission -> Allowed[label="yes"];
  DoesHaveSystemPermission -> NotAllowed[label="no"];

  Start [shape=box; style=rounded];
  DoesHaveSystemPermission [shape=diamond; label=<
    Does the current user<BR/>
    have the system permission<BR/>
    "Manage Users and Groups"?
  >];
  Allowed [shape=box; style=rounded];
  NotAllowed [shape=box; style=rounded; label="Not Allowed"];
}