Copyright © TIBCO Software Inc. All Rights Reserved
Chapter 2 Security Clearances : Object-Level Clearance

Object-Level Clearance
Clearance Checks When Accessing Objects
Evaluating Accesses
Whenever you attempt to access an object, the Security Manager allows or disallows the access, subject to the following sequence of clearance checks:
1. The security clearance level of the user ID you are using to access the object must be equal to or greater than the classification level of the object being accessed.
2.
These values are set either through the Security Manager facility or by default by TIBCO Object Service Broker security.
Supported Clearance Levels
From within the Security Manager, a security administrator assigns a clearance level when defining your user IDs to TIBCO Object Service Broker. This clearance level, which is hierarchically evaluated, is used for each TIBCO Object Service Broker session initiated by your user ID. Only three clearance levels are supported:
The normal user ID level of clearance. It is used for developers, end-users, and for most security administrators.
Classification Levels
When you create an object, the object is assigned the clearance level of your creating user ID. This is known as a mandatory classification level. If you are the owner of the object, you can change this classification level for the object. For more information about changing classification levels, refer to Task C: Modify the Classification Level.
If your user ID has a clearance level of 1, you cannot access an object with a classification level of 7. A user ID with a clearance level of 7 can modify an object with a classification level of 1 and the modified object maintains its classification level of 1.
Discretionary Access Permissions
After creating an object, you can assign permissions for particular types of access to the object. For example, you could assign other users READ access to the object but not INSERT or REPLACE access. These discretionary permissions, which are non-hierarchical, are then evaluated each time an access is made to the object.
You can grant a user ID permissions to an object by:
For more information about granting permissions to objects, refer to Chapter 6, Managing Permissions to Objects, and for more information about object sets, refer to Chapter 7, Managing Object Set Security.
Access Permissions to Object Sets
Access permissions are properties of individual objects. As part of defining the composition of an object set, you indicate the access permissions for each individual object in the object set. When you give a user ID or a security group access to an object set, you are allowing access to all objects in the set, based on the accesses specified for each object. Refer to Chapter 7, Managing Object Set Security for more detail about the use of object sets and security on object sets.
Summary of Checks When Accessing Objects
Sequence of Checks
The following sequence of checks takes place before your user ID can access an object:
1. Clearance Level of the User ID
2. Ownership of the Object
3. Access Permissions
The access permissions check distinguishes three cases, according to how your user ID appears in the permission list for the object:
Explicitly specified in the permission list for the object
Not explicitly specified in the permission list for the object, but in a current group (the security group from which your user ID is operating) that has access specified
Not explicitly specified in the permission list for the object, and not in a current group that has access specified
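The model described on this page (a hierarchical clearance check, then ownership, then the non-hierarchical permission list with explicit and current-group entries) and the classification example under Classification Levels (a level-7 user modifying a level-1 object, which keeps level 1) can be traced through with a small simulation. The following Python is an added illustration written for this page; it is not TIBCO Object Service Broker code and does not use its APIs. The user IDs, groups, object names and the numeric range of clearance levels are constructed, and two points the page leaves unstated are modelled as labelled assumptions: that the owner of an object needs no discretionary entry to access it, and that an explicit entry for a user ID takes precedence over a group entry.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# The three access types the page names as examples of discretionary permissions.
READ, INSERT, REPLACE = "READ", "INSERT", "REPLACE"


@dataclass
class UserId:
    """A user ID with its hierarchical clearance level and its current security group.

    The numeric range is an assumption: the page only gives 1 and 7 as example levels.
    """
    name: str
    clearance: int
    current_group: str | None = None


@dataclass
class SecuredObject:
    name: str
    owner: str
    classification: int  # mandatory classification level, inherited from the creator
    # Discretionary permission list: principal (user ID or security group) -> granted accesses.
    permissions: dict[str, set[str]] = field(default_factory=dict)


def create_object(creator: UserId, name: str) -> SecuredObject:
    """A new object takes the clearance level of the creating user ID as its classification."""
    return SecuredObject(name=name, owner=creator.name, classification=creator.clearance)


def grant(owner: UserId, obj: SecuredObject, principal: str, *accesses: str) -> None:
    """The owner adds entries to the object's non-hierarchical permission list."""
    if owner.name != obj.owner:
        raise PermissionError(f"{owner.name} does not own {obj.name}")
    obj.permissions.setdefault(principal, set()).update(accesses)


def change_classification(user: UserId, obj: SecuredObject, level: int) -> None:
    """Only the owner can change the mandatory classification level."""
    if user.name != obj.owner:
        raise PermissionError(f"{user.name} does not own {obj.name}")
    obj.classification = level


def check_access(user: UserId, obj: SecuredObject, access: str) -> tuple[bool, str]:
    """Run the three checks in the page's order; return (allowed, which check decided)."""
    # 1. Clearance level of the user ID: hierarchical, must be >= the object's classification.
    if user.clearance < obj.classification:
        return False, "clearance below classification"
    # 2. Ownership of the object. Assumption: the owner needs no discretionary entry.
    if user.name == obj.owner:
        return True, "owner"
    # 3. Access permissions: non-hierarchical, evaluated on every access.
    if user.name in obj.permissions:
        # Explicitly specified: assumption that the explicit entry decides, even if a group entry exists.
        if access in obj.permissions[user.name]:
            return True, "explicit permission"
        return False, "explicit entry does not grant this access"
    group_perms = obj.permissions.get(user.current_group or "", set())
    if access in group_perms:
        return True, "current group permission"
    return False, "not in permission list and no current-group grant"


def replace_object(user: UserId, obj: SecuredObject) -> int:
    """Perform a REPLACE; the object keeps its classification afterwards, as in the page's 7-modifies-1 example."""
    allowed, reason = check_access(user, obj, REPLACE)
    if not allowed:
        raise PermissionError(reason)
    # The actual replacement of the object's contents would happen here.
    return obj.classification


def demo() -> dict[str, object]:
    """Constructed scenario: the user IDs, group and objects are illustrative, not from the page."""
    bob = UserId("BOB", clearance=1)
    alice = UserId("ALICE", clearance=7)
    carol = UserId("CAROL", clearance=7, current_group="DEVGRP")

    low = create_object(bob, "LOWOBJ")      # classification 1
    high = create_object(alice, "HIGHOBJ")  # classification 7

    grant(bob, low, "ALICE", READ)          # ALICE may READ but not INSERT or REPLACE
    grant(bob, low, "DEVGRP", REPLACE)      # group grant; CAROL operates from DEVGRP
    grant(alice, high, "BOB", READ)         # explicit grant, but BOB's clearance is too low

    return {
        "alice_read_low": check_access(alice, low, READ),
        "alice_insert_low": check_access(alice, low, INSERT),
        "carol_replace_low_classification": replace_object(carol, low),
        "bob_read_high": check_access(bob, high, READ),
        "bob_owner_low": check_access(bob, low, REPLACE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the scenario shows the two halves of the model interacting: an explicit READ grant to BOB on the level-7 object never reaches the discretionary check because the mandatory clearance check fails first, while CAROL's REPLACE through her current group succeeds and leaves the object at classification 1.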