User Management and Access Control

Posted under features on September 13, 2019 by Koustubh Moharir


SheetKraft supports two ways of managing user information:

  • Local Users: User information including authentication credentials is stored and maintained within the SheetKraft database.
  • Active Directory (AD) Users: User authentication credentials are stored in Active Directory. Profile information such as First Name, Last Name, email address, etc. are sourced from Active Directory.

A local administrative user account is created at the time of installation. This account can be used to create local or AD users.

The creation of local users and logins by existing local users can be disabled entirely if necessary via application configuration. Doing this ensures that basic user management is entirely controlled by AD.

Local Users
An administrative user can create local users (if allowed by configuration) by entering the user’s profile details. The administrator can choose to enter a password (if allowed by configuration) or leave the password field blank to auto-generate a password. If a password is auto-generated, a link is sent to the newly created user’s email address to set a new password.

The SheetKraft database maintains a salted hash of the password of each local user. The following functionality is available for managing the password:

  • Change Password: A user can change their own password at any point in time after a successful login.
  • Reset Password: A user can request a password reset. An email is sent to the email address in the user’s profile with a password reset link. This link can only be used once within a one-hour span of the reset request. Clicking the link leads to a page where the user can enter a new password. If the user ignores the email, the existing password remains valid.
  • Set New Password: An administrative user can set a new password for any user. It is the administrative user’s responsibility to communicate the new password to the user. This functionality can be disabled via configuration.
  • Administrative Password Reset: An administrative user can reset a user’s password. This is similar to the user resetting their own password except that the existing password is invalidated.

Active Directory Users
SheetKraft can be configured to connect to Active Directory (AD) for user management.

For every user in AD that needs to access SheetKraft, an administrative user needs to create a new user with an AD id. SheetKraft connects to AD to retrieve user profile details and stores them in the database. The password remains in AD and is never known to SheetKraft. Whenever a user attempts to log in, SheetKraft uses AD to authenticate the user and, if the login is successful, refreshes the user’s profile details.

Session Management
SheetKraft uses bearer token authorization for session management.

Whenever a user logs in, a login token is generated and sent to the client software (browser or SheetKraft addin). The client is expected to send the token in an HTTP header for every HTTP request. Cookies are not used. Active login tokens are maintained in the SheetKraft database and token validity is checked for every request.

The login token is short-lived and expires in 15 minutes (this interval can be configured). To keep the session alive, the client software must keep sending requests to issue a fresh token. The JavaScript code in the SheetKraft web application sends AJAX requests periodically for this purpose. The code also terminates the session after 15 minutes of user inactivity.

Any login by a user automatically terminates any other session by the same user. This ensures that the same user cannot have two concurrent sessions.
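The token lifecycle described in this section, sketched as an added example (not SheetKraft's own code). The class and method names are hypothetical, an in-memory dict stands in for the database table, and two choices are assumptions the page does not state: only a SHA-256 digest of each token is stored, and a refresh revokes the token it replaces.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; the page says this interval is configurable

def _digest(token):
    # Assumption: keep only a digest so a leaked table holds no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    """In-memory stand-in for the table of active login tokens."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._tokens = {}   # digest -> (user, expiry)
        self._current = {}  # user -> digest of that user's only live token

    def _issue(self, user):
        # Drop whatever token the user held, so only one session can exist.
        self._tokens.pop(self._current.pop(user, None), None)
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (user, self._clock() + TOKEN_TTL)
        self._current[user] = _digest(token)
        return token

    def login(self, user):
        """Call after authentication succeeds; ends any other session."""
        return self._issue(user)

    def validate(self, token):
        """Run on every request: return the user for a live token, else None."""
        row = self._tokens.get(_digest(token))
        if row is None:
            return None
        user, expiry = row
        if self._clock() >= expiry:
            del self._tokens[_digest(token)]
            self._current.pop(user, None)
            return None
        return user

    def refresh(self, token):
        """Keep-alive request: swap a live token for a fresh one."""
        user = self.validate(token)
        return self._issue(user) if user else None
```
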

Access Control
Activities are the unit of work in SheetKraft. Access control in the context of SheetKraft primarily (but not exclusively) controls access to activities.

Access control is achieved with Roles and Rights.

Role
A set of users can be assigned a role to make it easy to grant or deny rights to multiple users. A single user may be assigned multiple roles.

Rights
SheetKraft has several pre-defined rights. The most important rights are:

  • sk.ViewActivity: The right to view an activity
  • sk.RunActivity: The right to run an activity
  • sk.ViewActivityFile: The right to view the Excel workbook underlying the activity
  • sk.EditActivity: The right to make changes to the Excel workbook underlying the activity

Some rights are implied by other rights. For example, granting sk.RunActivity implicitly grants sk.ViewActivity. Conversely, denying sk.ViewActivity implicitly denies sk.RunActivity.

Rights can be granted or denied at multiple levels. For example, the rights described above can be granted or denied at the following scopes:

  • For all activities
  • For all activities in a specific schema
  • For all activities in a specific schema and group
  • For all activities in a specific schema, group and function
  • For an individual activity

Rights can be granted or denied to an individual user or to a role.

The rules to determine effective rights are described below:

  • A user does not have any rights granted by default.
  • Denying a right takes precedence over any grants – direct, indirect, or implied.
  • Granting a right at a specific scope grants all implied rights at the same scope.
  • Denying a right at a specific scope denies all rights that would have implied it at the same scope (This is the converse of the rule above).
  • The set of grants and denials for a specific user is the union of direct grants and denials (user level) and indirect grants and denials (role level) via all roles assigned to the user.
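The rules above, worked through as an added example (not SheetKraft's own code). The `Entry` type, the function names and the sample users, roles and activities are hypothetical; the example assumes a scope covers every activity whose schema, group, function and name path begins with it, and it encodes only the one implication the page states.

```python
from dataclasses import dataclass

# The only implication the page states: sk.RunActivity implies sk.ViewActivity.
IMPLIES = {"sk.RunActivity": {"sk.ViewActivity"}}

@dataclass(frozen=True)
class Entry:
    principal: str     # user id or role name (assumed not to collide)
    effect: str        # "grant" or "deny"
    right: str
    scope: tuple = ()  # () = all activities, then schema, group, function, activity

def implied_by(right):
    """Rights a grant of `right` carries: itself plus everything it implies."""
    seen, todo = set(), [right]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(IMPLIES.get(r, ()))
    return seen

def implying(right):
    """Rights a denial of `right` removes: itself plus everything implying it."""
    return {r for r in set(IMPLIES) | {right} if right in implied_by(r)}

def effective_rights(user, roles, entries, activity):
    """Effective rights of `user` on `activity` = (schema, group, function, name)."""
    principals = {user} | set(roles.get(user, ()))  # direct + via every role
    granted, denied = set(), set()                  # default: nothing granted
    for e in entries:
        covers = activity[:len(e.scope)] == e.scope  # scope is a path prefix
        if e.principal not in principals or not covers:
            continue
        if e.effect == "grant":
            granted |= implied_by(e.right)
        else:
            denied |= implying(e.right)
    return granted - denied                         # any denial beats any grant

# Constructed sample data.
ROLES = {"asha": ["ops"], "ravi": ["ops", "audit"]}
NOSTRO = ("recon", "daily", "match", "nostro")
ENTRIES = [
    Entry("ops", "grant", "sk.RunActivity", ("recon",)),
    Entry("asha", "grant", "sk.EditActivity", ("recon", "daily")),
    Entry("ravi", "grant", "sk.ViewActivityFile"),
    Entry("audit", "deny", "sk.ViewActivity", NOSTRO),
]
```

With this data, the `audit` role's denial of sk.ViewActivity on one activity also removes the sk.RunActivity that `ravi` holds there through `ops`, while his rights on every other activity in the schema are unaffected.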

Security Log
All information about rights, roles, grants and denials is maintained in the SheetKraft database. Any change to this information is also maintained as a log in the database itself. This log is available to administrative users from the web application.

Security Matrix
A security matrix is available from the web application. This matrix lists all the effective rights (at each scope) for each user. A drill-down view for a specific effective right is also available. This view makes it possible to trace the specific grants and denials that lead to that specific effective right.


