|03.SECURITY.R1||RS3.2||The ResearchSpace system is an online environment accessed using web browser|
|03.SECURITY.R2||RS3.2||Authentication needs to initiate the authorisation of the components provided by the Content Management System, including the CMS social networking tools, document libraries and asset libraries, as well as authorisation to the RDF project store to which the project has access mainly through the research tools.|
|03.SECURITY.R3||RS3.2||All projects are authorised to use the shared CMS and RDF components and data stores.|
|03.SECURITY.R4||RS3.2||All authentication and authorisation should occur through single sign on. Users authenticate using a Content Management System login plug-in. This should be configured to use LDAP|
|03.SECURITY.R5||RS3.2|| The architecture will be as follows;
- The user logs on once using the CMS logon mechanism.
- The logon is directed to the LDAP authentication system.
- The authentication returns a user ticket indicating the groups that the user belongs to.
- The user requests services from the CMS which are authorised by the LDAP service
- The user requests services from the RDF Store which are authorised by the LDAP service
- CMS Login Point – The physical login environment is provided by the CMS.
- CMS Project Environment – A successful user logon allows the user to progress to the project environment created within the CMS.
- Project Collaboration Tools – CMS uses LDAP to authorise internal security for the social networking tools.
- Project Document and Asset Libraries – CMS uses LDAP groups to provide authorisation to the shared and project document libraries.
- Shared Document and Asset Libraries – CMS uses LDAP groups to provide authorisation to the shared and project asset libraries.
- Project RDF Store – RDF management system uses LDAP to determine access to project stores.
- Shared RDF Store - RDF management system uses LDAP to determine access to the shared store.
|03.SECURITY.R7||RS3.2||Although a user may have access to one or more project stores and therefore one or more collaboration areas, the user must only be able to access one project at a time. If a user is a member of more than one project they will be asked to choose their context for their session.|
|03.SECURITY.R8||RS3.2||The login process should use SSL encryption (https) as should use an LDAP connection (LDAPS).|
|03.SECURITY.R9||RS3.2||Once users are authenticated they would use the inbuilt security system for reading, writing, etc. The environment would be setup to deploy these rights through CMS roles: ResearchSpace Administrator, Project Lead and Project Member. These are the default roles for ResearchSpace.|
|03.SECURITY.R10||RS3.2||RDF data will be maintained in named graphs. Each project will have its own named graph alongside a named graph for the shared RDF repository. It is anticipated that ResearchSpace will operate one endpoint service for all named graphs and this means that queries can be federated across 2 named graphs (an RDF dataset comprising of the project named graph and the shared named graph) through one service. The default named graph is the shared repository.|
|03.SECURITY.R11||RS3.2||ResearchSpace user account access should be role-based but needs to provide authentication and authorisation for different systems, the collaboration (CMS) environment and the RDF database environment.|
|03.SECURITY.R12||RS3.2||Passwords should be encrypted and use at least 8 characters containing lower and uppercase letters and include a number.|
|03.SECURITY.R13||RS3.2||If a user submits a password incorrectly three times in a row the user will be locked out and require a reset by the project administrator(s).|
The following rights are required (03.SECURITY.R11):
|Role||Project Forums||Project Stores|| ResearchSpace
|Administrator||Administrator||Administrator||Access to project forums and stores will be determined by acceptable user policies. Has access to ResearchSpace dashboard and tools.|
|Administrator||Administrator||Administrator||Support for ResearchSpace tools and data issues|
|Project Administrator )(Lead)||Administrator||Administrator||Write||The user is a full participant in the project and the data analysis and generation. The user has access to the Project Lead dashboard and associated functionality|
|Full Project Team Member||Write||Write||Write||The user is a full participant in the project and the data analysis and generation. The user has access to a personal dashboard.|
|Collaboration Team Member||Write||None||None||The user has no access to a data store and can only use the collaboration tools, but not the research tools.|
|Project Observer||Read||None||None||The user is a guest to the discussion forum and there is no data store for the project or the user has no access.|