Sahana's New Access Control System

Overview

At the time of writing, the access control system used in Sahana is being reworked. It previously used the PHP GACL library, a more complicated and use-case-specific security framework. The new system simply controls access to database data based on three things: the data's classification level, the user's role (group), and whether that role is designated to create, read, update, or delete information at that classification level. Some details on this new system are available here: Sahana Data Security and Privacy Design.

Developer Details

Sahana's new access control system mainly consists of the following database tables. The data classification access information they hold can be tailored to a specific deployment of Sahana via the 'Admin' module by clicking on 'Security Config':

sys_data_classifications - A table to store all possible ways to classify data:

level_id  level
1         Person Sensitive
2         Organization Sensitive
3         Legally Sensitive
4         National Security Sensitive
5         Socially Sensitive
6         System Sensitive
7         Not Sensitive
8         Unclassified


sys_user_groups - A table to store all possible groups a user may belong to:

group  group_name
1      Administrator (Admin)
2      Main Operations Coordinator (MainOps)
3      Head Organization Contact (OrgHead)
4      Trusted User (Trusted)
5      Registered User
6      Anonymous User


sys_user_to_group - A table to link a registered Sahana user (by p_uuid, from the users table) to one of the groups above:

group_id  p_uuid
1         489sp-21
1         489sp-22
2         489sp-15
5         489sp-12
...       ...


sys_group_to_data_classification - A table to specify what permissions a group has for each level of data classification. 'crud' stands for 'Create', 'Read', 'Update', and 'Delete': each position in the four-character string holds its letter if the group has that permission at that level, or '-' if it does not, so 'crud' grants everything and '----' grants nothing. For example, looking at the second row below, group 1 (Administrators) has only read access (-r--) to level 2 ('Organization Sensitive') information, and no access at all (----) to level 1 ('Person Sensitive') information:

group_id  level_id  crud
1         1         ----
1         2         -r--
1         3         -r--
1         4         ----
1         5         -r--
1         6         crud
1         7         crud
1         8         crud
2         1         crud
2         2         crud
2         3         crud
...       ...       ...


sys_tablefields_to_data_classification - A table that assigns a data classification level to each table in the database. So, the entry:

table_field     level_id
vm_vol_details  1


classifies the vm_vol_details table as 'Person Sensitive' information.

Programming Interface

Currently, to check whether the currently logged-in user has access to specific database tables, include the inc/lib_security/lib_acl.inc file and call the shn_acl_check_table_only_perms($tables) function. Its only parameter is an array whose keys are table names and whose values are strings of the permissions being requested, written with the letters of 'crud'. As the name says, the check is at table granularity: it consults the table's classification level and the user's group permissions for that level, not individual rows. So, to check whether the current user is able to read and update information from the vm_vol_details and vm_vol_skills tables, call shn_acl_check_table_only_perms() with an array that looks like this:

array
(
    'vm_vol_details'    => 'ru',
    'vm_vol_skills'     => 'ru'
)

The function returns the Sahana-defined constant ALLOWED if the requested permissions are granted for all of the listed tables, or DENIED if not.
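The following is an added example, not code from Sahana or its lib_acl.inc: a stand-alone PHP script that models the lookup described in the Developer Details and Programming Interface sections, using in-memory arrays in place of the sys_tablefields_to_data_classification and sys_group_to_data_classification tables. The rule it applies (every requested letter must be present, at its own position, in the group's crud string for the table's classification level) is inferred from the table descriptions above. The function name acl_check_table_only_perms_model, the explicit group_id parameter (the real function works from the logged-in user), the numeric values chosen for ALLOWED and DENIED, the classification of vm_vol_skills, the hypothetical example_org_table, the group 2 row for level 7 and the fail-closed handling of tables with no classification row are all assumptions made for this example.

```php
<?php
// Added example, not Sahana's code: models the table-level check described on
// this page. Arrays stand in for the sys_* tables; the evaluation rule and the
// numeric values of ALLOWED/DENIED are assumptions.

if (!defined('ALLOWED')) { define('ALLOWED', 1); }  // values assumed
if (!defined('DENIED'))  { define('DENIED', 0); }

// sys_tablefields_to_data_classification: table_field => level_id
$table_levels = array(
    'vm_vol_details'    => 1,   // Person Sensitive (row shown on the page)
    'vm_vol_skills'     => 7,   // Not Sensitive (assumed for this example)
    'example_org_table' => 2,   // Organization Sensitive (hypothetical table)
);

// sys_group_to_data_classification: group_id => level_id => crud
$group_perms = array(
    1 => array(1 => '----', 2 => '-r--', 3 => '-r--', 4 => '----',
               5 => '-r--', 6 => 'crud', 7 => 'crud', 8 => 'crud'),
    2 => array(1 => 'crud', 2 => 'crud', 3 => 'crud',
               7 => 'crud'),                            // level 7 row assumed
);

/**
 * Model of shn_acl_check_table_only_perms() evaluated for one group.
 * $tables has the shape of the real call: table name => letters from 'crud'.
 * Every requested letter must appear at its own position in the group's crud
 * string for the table's classification level. An unknown table, a missing
 * group/level row or a malformed request is DENIED: the check fails closed.
 */
function acl_check_table_only_perms_model(array $tables, $group_id,
                                          array $table_levels, array $group_perms)
{
    foreach ($tables as $table => $wanted) {
        // Only the letters c, r, u, d are meaningful; reject anything else.
        if (!is_string($wanted) || !preg_match('/^[crud]+$/', $wanted)) {
            return DENIED;
        }
        if (!isset($table_levels[$table])) {
            return DENIED;      // table has no classification row
        }
        $level = $table_levels[$table];
        if (!isset($group_perms[$group_id][$level])) {
            return DENIED;      // no permission row for this group and level
        }
        $crud = $group_perms[$group_id][$level];
        if (strlen($crud) !== 4) {
            return DENIED;      // malformed crud string in the table
        }
        foreach (str_split($wanted) as $letter) {
            $pos = strpos('crud', $letter);   // c=0, r=1, u=2, d=3
            if ($crud[$pos] !== $letter) {
                return DENIED;  // that position holds '-' instead of the letter
            }
        }
    }
    return ALLOWED;
}

function describe_result($label, $result)
{
    echo $label, ': ', ($result === ALLOWED ? 'ALLOWED' : 'DENIED'), "\n";
}

// The request from the page: read and update on both volunteer tables.
$request = array(
    'vm_vol_details' => 'ru',
    'vm_vol_skills'  => 'ru',
);

// Group 1 (Admin) has '----' on level 1, so vm_vol_details alone is enough to
// deny the whole request; group 2 (MainOps) has 'crud' on both levels involved.
describe_result('Admin, ru on vm_vol_details + vm_vol_skills',
    acl_check_table_only_perms_model($request, 1, $table_levels, $group_perms));
describe_result('MainOps, ru on vm_vol_details + vm_vol_skills',
    acl_check_table_only_perms_model($request, 2, $table_levels, $group_perms));

// '-r--' on level 2 lets Admin read the hypothetical level 2 table but not update it.
describe_result('Admin, r on example_org_table',
    acl_check_table_only_perms_model(array('example_org_table' => 'r'), 1, $table_levels, $group_perms));
describe_result('Admin, ru on example_org_table',
    acl_check_table_only_perms_model(array('example_org_table' => 'ru'), 1, $table_levels, $group_perms));

// A table with no classification row is denied rather than treated as public.
describe_result('MainOps, r on unclassified_table',
    acl_check_table_only_perms_model(array('unclassified_table' => 'r'), 2, $table_levels, $group_perms));
```

Inside a real Sahana module the model function is not needed: include inc/lib_security/lib_acl.inc and pass the same $request array to shn_acl_check_table_only_perms(), which resolves the group from the logged-in user and reads the sys_* tables from the database. The model exists only to make the lookup rule concrete, in particular that a single table for which the group lacks one of the requested letters denies the whole request, and that a table missing from sys_tablefields_to_data_classification should not silently be treated as unclassified.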