Table of Contents

What Is UMRS?

It is a common need of applications to control access to resources available through the application, as not all users will have the same access rights on all resources. These "resources" could be anything in the business domain such as documents, folders, or network access. When the permission requirements of an application are simple and granular, it maybe possible to accomplish the business requirements through permissions exposed through a claims token. However, JWT tokens are restricted in their size and it is not feasible to maintain fine-grained permissions through claims tokens. Application developers could attempt to create their own set of tables to keep track of user permissions, but doing so is more complex than it might first appear to be, and it is outside the core business domain.

User Managed Resource Sharing is a technology developed as part of the Labshare Auth System. This system consists of a set of APIs that aids client applications which are integrated with Auth to manage access to any resources maintained by the client application.

Why Would I Use UMRS?

What can the UMRS API do for me?

  • Manage resource user grants - add or remove a role for a user on a resource
  • Manage resource group grants - add or remove a role for a group of users on a resource
  • Retrieve all users that have a role on a resource
  • Retrieve all grants that a user has
  • Invite a user to have access to a resource via a customizable email
  • Allow a user to request access to a resource
  • Manage the approval workflow for requested resources

Definitions

User Grant: A triple of User, Umrs Role, and ResourceId along with an expiration date.

  • The user is a user in the tenant of the client.
  • The Umrs Role is created in Auth UI and is something that makes sense for the business logic such as ‘Document Editor’. (It is the responsibility of the client application to restrict access to a resource based on the user and the role that user has on a resource.)
  • The ResourceId is any resource identifier string associated with a controlled resource, such as a document or a network share.
  • expiresAt - the date and time at which the grant will expire.

Group Grant A triple of Group, Umrs Role, and ResourceId along with an expiration date.

  • When group grants are created, users get permission to a resource via membership in a group.
  • The group is a user group in the Auth System.

Requestable Access Template: A template used for inviting a user to have access to a resource, or for a user to request access for themself.

A requestable Access template has the following parts:

  • Name & Description
  • Role - the role that will be granted on the requested resource
  • Invitation Email Template - the (handlebars) email that will go to invited users
  • Approval Workflow - Rules about how requests for resources are handled
  • RedirectUri - a url with the resourceId as a variable that can be used in emails sent to users to link to the resource (ex. http://somesite.com/resource/{resourceId} )

Approval Workflow: The information needed to handle access requests. Different requests templates may share the same workflow or may define different workflows.

An Approval Workflow has the following parts:

  • Approval group - the group of users managing the resource who have permission to either invite someone to have access to a resource or to approve a request that a user made for themself
  • Approval email template - the handlebar base email template sent to a user when a request is approved
  • Rejection email template - the handlebar based email template sent to a user when a request is rejected
  • approveIn - the max number of days available for an approver to approve

The Invitation Process

  1. The inviter selects an invitation template which uses the UMRS role that he wants to grant to a user for a resource. (Note: the inviter must be an approver (ie. in the approval group) for the workflow of the template.)
  2. The inviter chooses a user to invite.
  3. The inviter specifies the resourceId and grant expiration date (or none if access will not expire).
  4. The inviter sends the invitation.
  5. The invitee receive invitation email describing what resource he is being invited to access.
  6. The invitee clicks the acceptence button in email. (The invitation will expire after a set amount time as describe by the template. If the invitation is expired the invitation will need to be reissued.) OR The user could accept and invitation via the Invitations dashboard in the Auth User Portal.
  7. Grant is created to give the invited user the role on the resource.

The (Self) Request Process

  1. The requesting user through the Auth User Portal, picks a request template.
  2. The requesting user specifies the resourceId being requested.
  3. The requesting user may add additional note for the approver.
  4. The requesting user sends the request.
  5. All members of the approval group will receive an email with the request for approval.
  6. Approvers can approve requests through the Auth User Portal or via the Auth Admin UI.
  7. Once one or more approvers approve, the grant will be issued.
  8. The requesting user will receive email notifying them of the approval and will be able to see the approval from the Auth User Portal.
  9. If the request was rejected, a rejection notice will be sent to the requesting user.

Example UMRS Use Cases

Example Case A: Sharing Documents With Groups of Users

Blake creates daily documents that contain study data for an ongoing project. Blake wants to share access to these documents with the other members of their team. All members of the team will have the same access permissions for these documents, and Blake wants to ensure that any future members of the team also have the same access. Blake can use a Group Grant to give permissions to the documents. This can be done by creating a group and adding Blake’s team members to the group, and then giving that group permissions to view Blake’s documents. Blake can then give future team members access to the documents by adding the users to the group, and they can also remove former team members from the group to remove their access.

Example Case B: Sharing Access to Projects in an Application

Meredith’s application has folders for multiple projects that different teams use. Meredith wants to give users access to individual folders based on what projects the user is involved in. Meredith can utilize Group Grants in the Auth System by creating a group for each project, granting permissions to the folders that each project uses, and then adding people to the groups created for each project. By doing this, Meredith can easily manage who does and doesn’t have access to each project’s folders by adding and removing users from groups. Alternatively, Meredith can also create groups for each folder and add users to the folder’s group for more fine-tuned access.

Example Case C: Users Requesting Access to Resources

Jordan’s application has a wide selection of research studies that people can read. Jordan wants to limit access to these documents by asking users to request access to the documents before they can read them. The Auth System can be utilized by having users request resources by their resourceID through the Auth User Portal, which would send the request to view the resource to Jordan. Jordan can then use the Auth User Portal or the Auth Admin UI to approve or reject the user’s request. If approved, the user will then be able to access the resource they requested.

Example Case D: Inviting Users to View a Document

Maxwell has study data from his current research project in a document. He wants to share this document with people on his team, as well as with a few other designated people within his department who would only have short-term access to the document. First, Maxwell can use a Group Grant to give access to the document to his team by adding his team members to a group and then granting the group access to the document. Second, Maxwell can send individual invitations to the people outside of his team that he wants to give access to. He can do this by using an invitation template, specifying the user to send the invitation to, specifying the resourceId of the document, and choosing an expiration date for the grant. The user he sent the invitation to will receive an email invitation and can accept access to Maxwell’s document from the email.

Example Case E: Viewing Users with Permission to View a Document

Katherine has been sharing documents with various people in her department through her web application. She wants to keep track of who has access to the documents and would like to display this information for herself on her application. The Auth API allows Katherine to make an API call to view a list of all users who have grants for a specific resource, and she can implement this API call in her application. She can make it so that the person making the API call to view the list must be an approver before the call can be made from the application so that grant information is not available to all users.