Security, as it relates to software, can be defined as the protection of information or functionality from access by individuals who have not explicitly been granted access. Below are some security-related terms that will be used throughout the remainder of this document.
Authentication is the process of confirming that the user requesting access is the user that they claim to be. This is often done by presenting a user identifier (e.g. a username) paired with a secret known only to that user (e.g. a password), but can sometimes involve certificates or other means of establishing identity. In this documentation, authentication is synonymous with login.
Authorization is the process of deciding if the user (who has been authenticated) is allowed to access the information or functionality for which he or she is making the request. A software system can protect itself at multiple levels. In the Pentaho BI Platform, pages in the web-based user interface can be protected. In addition, objects within the solution repository, such as folders and action sequences, can be protected using access control lists.
Web Resource (URL) Authorization
In a web-based application, developers can protect specific URLs which uniquely identify web pages. Protecting URLs is done by specifying what user or role is required to view a page. Note that read is the only permission applicable to web resources. Even though accessing a page might delete records in a backend datastore, a developer can only specify that a page is viewable or not.
Domain Object Authorization
An application developer can protect particular instances of objects. A typical example with which most users are familiar is a filesystem. Each file or directory in a filesystem has an access control list (ACL) associated with it. In the case of a filesystem, one can specify that user
read the file named
readme.txt. In this example, the object is the file
readme.txt; the recipient is
suzy; and the permission is
Access Control List
An access control list (ACL) is associated with an object and contains entries that specify who (i.e. the recipient) can do what (i.e. the permission) with the associated object.
Authority, Role, & Group
In the Pentaho BI Platform, the terms authority, role, and group are synonymous. They are used during authorization to decide whether to grant or deny access. An example of a role is