5. Security

Aperture is only accessible for authenticated users. An authenticated user can have multiple authorised roles on Aperture projects. Users can be provisioned from the commandline, or by using the provisioning API.

5.1. Authentication

Users can authenticate themselves using a username and a password. Depending on the configuration of Aperture these credentials are verified locally or using a remote LDAP. The known roles for a user are always recorded and administrated inside Aperture.

5.2. Role model & Authorisation

MGRID Aperture has roles for project users:

  • Observer: an observer has viewing rights on a project, but can not edit the project. This role is intended to be for sharing a project flow, without allowing edits.

  • User: a project user can create, update, delete and view attributes and steps inside a project. This role is intended for the project owner. All normal Aperture project actions are available to users with this role.

In addition to the project roles there are also global roles. These roles are not tied to a project, but directly to a particular user:

  • Administrator: an administrator can view, create, update and delete attributes and steps on all projects. This role is intended for data stewards that support project users in the definition of their project flows.

Note that for project to be visible to a user he/she must hold a project role, or have the global administrator role.

5.3. Backend Integration APIs

MGRID Aperture has backend APIs that facilitate application integration.

5.3.1. Management API

APIs that are focussed around usage statistics of Aperture itself, and providing a machine entrance for provisioning new users and projects. There is no access to data from datasources, user project definitions or project exports. Authentication is separate from the frontend authentication. Backend credentials cannot be used to obtain frontend access and vice versa.

5.3.2. Upload Token API

An API that allows upload only of datasets by authorised users in known projects. This API can be used by anybody presenting a valid token, and provides only the capability to upload new datasets. Project definitions, project exports are not available.