6.2. Security Subsystem Components

The main CUBA security subsystem components are shown in the diagram below.

Figure 52. Security Subsystem Components Diagram

Below is an overview of these components.

Security management screens – screens available to system administrator for configuring user access rights.

Login screen − the system login window. It authenticates the user by username and password; the database stores password hashes rather than the passwords themselves.

The UserSession object is created upon login. It is the central security element: it is associated with the currently authenticated user and holds the information on that user's data access rights.

The user login process is described in Login.

Roles − user roles. A role is a system object that, on the one hand, corresponds to the set of permissions required to perform specific functions and, on the other hand, to the subset of users who must have these permissions.

The permissions can have the following types:

  • Screen Permissions − an ability to open a screen.

  • Entity Operation Permissions − an ability to perform operations with an entity: read, create, update, delete.

  • Entity Attribute Permissions − access to an arbitrary entity attribute: modify, read only, access denied. See also Entity Attribute Access Control.

  • Specific Permissions − permissions for some named functionality.

  • UI Permissions − control access to screen elements.

Access Groups − user access groups. The groups form a hierarchy, and each element defines a set of constraints that control access to individual entity instances (at table row level). For example, users can be allowed to view only the documents that were created in their own department.
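The following Python model, added here as an illustration and not CUBA's own API, shows how the components above fit together: roles carry screen, entity-operation and attribute permissions, access groups form a tree whose constraints accumulate from the root down, and a UserSession combines both to answer permission checks and to filter entity instances at row level. Every name in it (Role, AccessGroup, UserSession, EntityOp, AttrAccess, the "clerk" role, the Sales group and the sample documents) is assumed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
EntityOp = Enum("EntityOp", "READ CREATE UPDATE DELETE")
AttrAccess = Enum("AttrAccess", "DENY READ_ONLY MODIFY")  # auto values 1..3, higher = more permissive

@dataclass
class Role:                                         # one role = one named permission set (assumed model)
    name: str
    screens: set = field(default_factory=set)       # Screen Permissions: screen ids it may open
    entity_ops: dict = field(default_factory=dict)  # Entity Operation Permissions: entity -> {EntityOp}
    attrs: dict = field(default_factory=dict)       # Entity Attribute Permissions: (entity, attr) -> AttrAccess

@dataclass
class AccessGroup:                                  # node in the hierarchical access-group tree
    name: str
    parent: "AccessGroup" = None
    constraints: dict = field(default_factory=dict)  # entity -> [predicate(session, instance)]
    def constraints_for(self, entity):
        # A child group inherits every constraint defined up its parent chain.
        out, g = [], self
        while g is not None:
            out, g = out + g.constraints.get(entity, []), g.parent
        return out

@dataclass
class UserSession:                                  # created at login; holds the user's rights
    login: str
    department: str
    roles: list
    group: AccessGroup
    def is_screen_permitted(self, screen_id):
        return any(screen_id in r.screens for r in self.roles)
    def is_entity_op_permitted(self, entity, op):
        return any(op in r.entity_ops.get(entity, ()) for r in self.roles)
    def attr_access(self, entity, attr):
        # Most permissive grant across roles wins; an attribute no role mentions is denied.
        grants = [r.attrs.get((entity, attr), AttrAccess.DENY) for r in self.roles]
        return max(grants, key=lambda a: a.value, default=AttrAccess.DENY)
    def readable(self, entity, instances):
        # Row level: READ must be granted by a role AND every group constraint must hold.
        if not self.is_entity_op_permitted(entity, EntityOp.READ):
            return []
        checks = self.group.constraints_for(entity)
        return [i for i in instances if all(c(self, i) for c in checks)]
# Constructed sample: a clerk role, a Sales group under the Company root, documents from two departments.
CLERK = Role("clerk", screens={"doc-browse"}, entity_ops={"Document": {EntityOp.READ}},
             attrs={("Document", "amount"): AttrAccess.READ_ONLY})
SALES = AccessGroup("Sales", parent=AccessGroup("Company"),
                    constraints={"Document": [lambda s, d: d["department"] == s.department]})
DOCS = [{"id": 1, "department": "Sales"}, {"id": 2, "department": "HR"}, {"id": 3, "department": "Sales"}]
```

A session for a Sales clerk sees only documents 1 and 3; the same group with no READ-granting role sees nothing, because the role check runs before the row-level constraints.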