Managing access control

🌐 This document is available in both English and Ukrainian. Use the language toggle in the top right corner to switch between versions.

1. General description

Access control on the Platform plays a critical role in ensuring security and convenience. It allows restricting access to resources only to authorized users, minimizing the risk of confidential information leakage and unauthorized use. At the same time, it contributes to efficiency, as users have quick access to what they need without wasting time searching or waiting for permissions. This approach strikes a balance between protecting against potential threats and creating a user-friendly environment for interacting with the Platform.

2. Definition

Key terms and concepts related to access control include:

Authentication: The process of verifying a user’s identity, typically based on entering a login and password or using tokens and other methods.

Authorization: The process of defining and granting a user access rights to specific resources or functions based on their role or responsibilities.

Role: A set of permissions assigned to users to determine their level of access and functional capabilities. Roles group similar rights.

Permission: Specific right or authorization to perform a particular action or access specific resources. Permissions are associated with specific roles.

Session: A period of time during which a user remains in the system after logging in. Session management allows control over session duration and status.

Single Sign-On (SSO): A mechanism that allows users to log in to one service and automatically gain access to other services without the need for re-entering credentials.

3. Access control principles

Access control principles establish basic guidelines and approaches for implementing security and efficiency in access management on the registry Platform.

Principle of Least Privilege (PoLP): Users are granted only the rights necessary to perform their tasks. This reduces the risks of unauthorized use and the spread of access rights.

Need-to-Know Principle: Users are granted access only to information necessary for performing their duties. This helps prevent the disclosure of unnecessary information.

Flexibility: The access management system should be flexible to accommodate various user needs and changes in organizational processes.

Automation: The use of automated processes for access management helps reduce the possibility of errors and increases administrative efficiency.

4. Access control methods

The Platform for state registries builds its authorization model using the following access control methods:

Role-Based Access Control (RBAC): This method of data access control on the Platform is based on assigning individual roles to users and allocating permissions according to these roles. Using RBAC, registry administrators and developers define the level of access for each role and the procedure for assigning users the appropriate roles. This way, users only have access to data and business processes allowed for their roles.

Row-Level Security (RLS): RLS is a data access management method at the row level in the database. It allows administrators to restrict user access to specific rows in a table based on user attributes, such as hierarchical code or category. Row-Level Security works by implementing row-level security policies based on user attributes, ensuring that users only have access to the rows they are permitted to access.

5. Components of the access control system

Access management on the Platform for state registries is achieved through four key components:

User and role management service: Implemented using Keycloak software, this component manages users and their access, authentication and authorization settings, single sign-on (SSO) configurations, and integration with external Identity Providers on the Platform for state registries.

Internal OAuth Server: Implemented using OAuth Openshift software, this component provides authentication and authorization for specific administrative services of the Platform. It acts as an intermediary in the authentication process between services and the main User and role management service.

IIT Widget: User authentication with qualified electronic signatures (QES) is facilitated using a browser-based third-party IIT widget for operations requiring data encryption and signing, along with a service for working with QES that utilizes a separate cryptographic library from IIT on the Platform side to verify data integrity and immutability.

Integrated electronic Identification system ID.GOV.UA (ISEI)

An external identity provider in the User and User and role management service (Keycloak). Through the use of ISEI, the Platform’s cabinet allows users to undergo e-identification using electronic signatures (file-based, cloud-based, or other secure media) and MobileID or BankID NBU.

6. Creating and deleting users

User	Creation procedure	Deletion procedure
Root administrator	Automatic creation during Platform deployment	Not deletable
Platform administrator	Administrator is created by the Root administrator and administrators of the same level	Can be deleted by administrators at the same level
Registry administrator	Can be added during registry creation via the Control Plane console Can be added by another administrator via the Control Plane console Can be created via KeyCloak registry-develop/registry-admin/create-users/create-registry-admins.adoc	Can be deleted by administrators at the same level and Platform administrator
Citizen (service recipient)	Automatically created during self-registration (authentication on the Platform)	Not deletable
Officer (service provider)	Automatically created during self-registration Created by the registry administrator via KeyCloak Created during personnel import	Possible deletion via KeyCloak

User

Creation procedure

Deletion procedure

Root administrator

Automatic creation during Platform deployment

Not deletable

Platform administrator

Administrator is created by the Root administrator and administrators of the same level

Can be deleted by administrators at the same level

Registry administrator

Can be added during registry creation via the Control Plane console
Can be added by another administrator via the Control Plane console
Can be created via KeyCloak
registry-develop/registry-admin/create-users/create-registry-admins.adoc

Can be deleted by administrators at the same level and Platform administrator

Citizen (service recipient)

Automatically created during self-registration (authentication on the Platform)

Not deletable

Officer (service provider)

Automatically created during self-registration
Created by the registry administrator via KeyCloak
Created during personnel import

Possible deletion via KeyCloak

7. Authentication

7.1. Authentication methods

Actor	Authentication method	Authentication type
Citizen (service recipient)	Integrated Electronic Identification System ID.GOV.UA IT Widget	Electronic signatures on file, cloud, or other secure media using MobileID and BankID Electronic signatures on file or secure media Key protection password
Officer (service provider)	Integrated Electronic Identification System ID.GOV.UA IIT Widget	Electronic signatures on file, cloud, or other secure media using MobileID and BankID Electronic signatures on file or secure media Key protection password
Administrator	Openshift OAuth	Account data

Actor

Authentication method

Authentication type

Citizen (service recipient)

Integrated Electronic Identification System ID.GOV.UA
IT Widget

Electronic signatures on file, cloud, or other secure media using MobileID and BankID
Electronic signatures on file or secure media
Key protection password

Officer (service provider)

Integrated Electronic Identification System ID.GOV.UA
IIT Widget

Electronic signatures on file, cloud, or other secure media using MobileID and BankID
Electronic signatures on file or secure media
Key protection password

Administrator

Openshift OAuth

Account data

7.2. Authentication process description

Authentication on the Platform for state registries for Citizens (service recipients) and Officers (service providers) occurs through one of the selected methods: the Integrated Electronic Identification System ID.GOV.UA or the IIT Widget, which act as third-party identity providers in the user and role management subsystem, specifically in KeyCloak. The choice of authentication method is delegated to the registry administrator.

In contrast to the authentication method for the listed users, the registry administrator authenticates using their own credentials. The process also takes place through the Users and roles management subsystem but via the openshift-sso identity provider and is stored in KeyCloak.

For more details, you can refer to the following links:

Citizen (service resipient)

Registry user authentication
arch:architecture/platform/operational/user-management/citizen-authentication.adoc
arch:architecture/platform/operational/user-management/diia-sign.adoc
arch:architecture/platform/operational/user-management/authentication/cloud-sign.adoc

Officers (service providers)

arch:architecture/platform/operational/user-management/officer-auto-registration.adoc
arch:architecture/platform/operational/user-management/id-gov-ua-flow.adoc
arch:architecture/platform/operational/user-management/platform-evolution/registry-federation/registry-federation.adoc

8. Authorization

Access rights segregation on the Platform is implemented based on roles, which are further divided into two types: system and regulatory roles. System roles come with corresponding permissions and are delivered with the platform. Regulatory roles are designed to provide flexibility in the rights segregation process and offer developers the ability to cover all necessary needs in various registries.

You can find information about actors and roles on the Platform in the respective sections:

9. Assigning user roles

Citizen (service recipient):

The authentication process for service recipients concludes with their entry into the corresponding portal. During the initial authentication process for citizens, their profile is created in the KeyCloak Realm, and their attributes are populated with information obtained from the electronic signature and data integration with the Unified state register. The system automatically assigns one of three system roles based on the user’s attributes:

unregistered_individual — an individual unregistered_entrepreneur — an individual entrepreneur or representative unregistered_legal — a legal entity representative

These listed system roles grant service recipients access to their data and the single available business process, which is onboarding. Once a user completes the onboarding process, the temporary role with the UNREGISTERED prefix is replaced with the corresponding permanent role:

individual - an individual entrepreneur -an individual entrepreneur or representative legal - a legal entity representative

The mechanism for granting citizens access to business processes in their portal relies on these specified roles. The authorization rules for these roles in business processes are defined by the regulations developer.

Officers (service providers):

Service provider roles can be assigned during self-registration if enabled at the registry level, created directly through KeyCloak, created during batch user uploads, or acquired through a regulations process.

During self-registration, service providers authenticate themselves and enter their portal. In this process, their profile is created in KeyCloak and enriched with the appropriate attributes. Upon successful authentication, service providers are assigned the temporary role unregistered-officer. The transition from this role to the system role officer for automatically created service providers is managed entirely within the scope of business process modeling. To enhance convenience and flexibility in the authorization system, there is the option to create fully automatic (business processes that confirm the user and change the temporary role to a system role) and semi-automatic (business processes that require registry managers' intervention in the access confirmation process) business processes.

Additionally, following the principle of least privilege, default roles specified in the registry configuration are assigned to service providers created during authentication.

More detailed information is available in the sections:

Administrators:

When creating a Platform administrator or registry administrator, they are assigned standard corresponding roles by default, following the principles of the Principle of Least Privilege and Need-to-Know Principle. This ensures they have access only to the information necessary to perform their duties.

Furthermore, additional roles for platform and registry administrative services can be added via KeyCloak.

10. Managing roles and permissions

The Platform for state registries provides the capability to expand the list of roles for Officers and Citizens through regulations roles. In the future, regulations roles can be used to configure access control at the physical model level or to adjust access to specific regulations business processes.

Detailed information is available in the section:

Business process modeling and access control (RBAC)

11. RLS (Row-Level Security)

The Platform for state registries offers the ability to establish a hierarchical model of data object access based on the levels of the hierarchical structure and user roles. This enables control over access to objects based on their hierarchical position and user roles.

The hierarchical model consists of three main components:

Hierarchical structure
Assigned user attributes
RLS rules

The model allows regulatory process developers to design permission assignments for accessing registry data, taking into account the complexity of the organizational structure. An illustrative example of using the hierarchical model is the structure of a Codifier of administrative-territorial units and territories of territorial communities (UA-specific).

This functionality is specific to the Ukrainian implementation and may not apply or function as described in other contexts or regions. Please consult the local guidelines or documentation if you are implementing this outside Ukraine.

When the hierarchical model is used, effective data access permissions can be visualized as shown in the diagram.

Detailed information is available at the link: Hierarchical model

12. Managing sessions

Session management and its provision are of great importance in the context of security and the proper functioning of the Platform for state registries. A session is a temporary dialog between the user and the system that occurs during user authentication and authorization. Session management allows tracking user activity, authenticating them, setting time limits, and, if necessary, forcibly terminating user sessions.

The users and roles management subsystem is configured as follows:

Maximum session lifetime. After this period, users will be prompted to log in again

10 hours

Inactivity timeout that triggers a logout event if there’s no user activity

30 minutes.

Support for parallel sessions

Enabled

All administrative services and user portals initiate a complete logout sequence when a logout event is initiated. Session storage is designed securely and reliably. On the client side, sessions are stored in cookies, configured to only transmit over secure channels to prevent interception. Protection against unauthorized access by client scripts, such as JavaScript, is implemented to reduce the risk of cookie interception or XSS attacks. Additionally, protection against CSRF attacks is configured to ensure that cookies are used only on the intended website.

On the backend side, user sessions are stored in у Redis Sentinel.