Skip to the content

How to Create Secure Access Using MAC Policy in ARAS Innovator

 

This is a quick tutorial on how to create a MAC Policy inside ARAS Innovator.

If you prefer to watch the video tutorial, you can find it here: https://youtu.be/s1iP9gnx9Fc

 

Mandatory Access Control principles

  • First, a MAC Policy is a feature that by default is not activated on any ItemType, it's available to introduce specific business requirements around Security.
  • When active, MAC policies are MANDATORY LAYER that cannot be skipped or bypassed.*The rule can include some specified Exempted User and/or Group of User
  • MAC policy basically compare properties from the logged in User and an Item

Businesses that can be supported by MAC Policy

 

Data Model changes required

As MAC Policy is comparing properties between a User and an Item, we need to add to both ItemTypes the properties that will be compared.


We will use as an example the Secrecy Level on Documents.

The end result that we need to prove is that a User with a Secrecy Level lower than the one set on the Document cannot access the Document.

New property on User

Add a new Property:

  • Name = sec_level
  • Label = Secrecy Level
  • Data type = Integer

New property on Document

Add a new Property:

  • Name = sec_level
  • Label = Secrecy Level
  • Data type = Integer

Allow custom property to be used on MAC Policy

We need to modify the ItemType: mp_PolicyAccessItem by adding the EXACT same property as the one just added on the ItemType: Document.


Add a new Property:

  • Name = sec_level
  • Label = Secrecy Level
  • Data type = Integer

 

Create a MAC Policy

As an Administrators, go into the TOC -> Administration -> Access Control

And then click "MAC Policies" / Create new

  • 1. Enter a Name (can have some space), and a Description if needed
  • 2. Into the TAB "Applied To", add the ItemTypes you want to activate this MAC Policy (in our case, Document)
  • 3. Into TAB "Exempt Identities" we can add Identities (User / Group of Users) that would skip this rule
  • 4. Save

 

Then we go into the Policy Rule Editor

  • 1. Click into the bar on the "New Condition" icon (first from the left)
  • 2. Set a Name on the bottom right
  • 3. Create the Rule by directly starting to type on the bottom left
    • CurrentUser.[Secrecy Level] >= CurrentItem.[Secrecy Level]
  • 4. Save the MAC Policy

Then you need to set Rule policy

  • 1. Go Back into the main Form
  • 2. Into the section "Policy Rules" set your rule on all "Accesses"
  • 3. Save the MAC Policy

Activate a MAC Policy

Once you have saved your MAC Policy and its rules

  • 1. Go into the Action menu
  • 2. Click on "Activate"
  • 3. A message will tell you when the MAC Policy is active

Modify a MAC Policy

If you need to modify an Active MAC Policy

  1. Into the Action Menu, first click on Deactivate
  2. Then in the same menu, click on "New Version"
  3. Then you can modify your MAC Policy as you wish
  4. Save your changes
  5. And finally, into the same menu, click on "Activate"

 

Daily Usage

Once you have everything setup, you need modify your Forms (User + Document) to set the values.

And when a User will need to create a Document or modify one, the Secrecy Level will appear.

Here you can add any Business logic on the Client / Server side in order to avoid people creating documents on a Level that is above their own, or any other business logic.

The result will be, any Document created with a Secrecy Level superior to the User's one, won't be accessible by the user.

 

 

How to test

Log as an Administrator (i.e. admin)

  • Create multiple users with different Secrecy Level
  • Create 2 documents with the following Secrecy Level values.
 

Document Secrecy Level

 

200

600

User 100

BLOCKED

BLOCKED

User 500

Accessible

BLOCKED

Admin

Accessible

Accessible


Once those 2 Users and 2 Documents are created you can test that as follow:

  • Connect as User100
    • When running a Search for Document, nothing appears
  • Connect as User500
    • When running a Search for Document, only the 200 documents should appear
  • Connect as an Administrator (.i.e. admin)
    • When running a Search for Document, both documents should appear

 

 

For more generic ARAS Security Information, read this article.

About the author

Damien Destrez

With a passion for PLM solution architecture and by finding the right solution to business-related issues, Damien Destrez has been working as a PLM solution architect for more than 10 years. Always focused on customer needs, Damien blogs about technical solutions and how to optimize your PLM software to fit your environment.

comments powered by Disqus