Access Control

Access Control Configuration File

To establish the identity of each user, you define an access control configuration file in JSON format. Each identity provider uses its own configuration file. The default name of the file for Azure® Active Directory is azure_ad.json.

Azure Active Directory configuration parameters are as follows:

  • tenantId (Required): Azure Active Directory tenant ID. To locate your tenant ID, go to https://portal.azure.com. On the left panel, select Azure Active Directory, then on the Overview panel, select Properties. The hexadecimal value listed under Directory ID is your tenant ID.

  • serverAppId (Required): MATLAB® Production Server™ application ID as registered in Azure Active Directory. To locate your serverAppId, go to https://portal.azure.com. On the left panel, select Azure Active Directory, then on the Overview panel, select App registrations. Then select MPS server to find the Application ID, which is your serverAppId. Tokens whose audience is not this application ID are rejected.

  • jwksUri (Optional): URI of the Azure Active Directory JSON Web Key Set (JWKS) that the server uses to verify token signatures. Default is https://login.microsoftonline.com/common/discovery/keys. Use only an https URI; signing keys fetched over plain HTTP could be substituted by an attacker on the network path.

  • issuerBaseUri (Optional): Base URI that is combined with tenantId to validate the issuer (iss claim) of the token. For Azure Active Directory, the default is https://sts.windows.net/.

  • jwksTimeOut (Optional): Maximum time, in seconds, that the request to jwksUri is allowed to take. Default is 120 seconds.

The format of the configuration file is as follows (the IDs shown are placeholders, not valid GUIDs):

{
  "tenantId": "54ss4lk1-8428-7256-5fvh-d5785gfhkjh6",
  "serverAppId": "j21n12bg-3758-3r78-v25j-35yj4c47vhmt",
  "jwksUri": "https://login.microsoftonline.com/common/discovery/keys",
  "issuerBaseUri": "https://sts.windows.net/",
  "jwksTimeOut": 120
}
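The following is an added example, not part of the original page or of MATLAB Production Server itself. It shows how a loader for azure_ad.json can apply the documented defaults, reject malformed values, and then check the claims of a token against the configuration. It assumes the Azure Active Directory v1 token format, in which the iss claim is issuerBaseUri followed by the tenant ID and a trailing slash and the aud claim carries the application ID; the tenant and application IDs in SAMPLE_CONFIG are constructed. Signature verification against the key set at jwksUri is assumed to have happened before check_claims is called; the example does not fetch keys.

```python
import json
import re
import time

# Defaults documented for the Azure AD access control configuration file.
DEFAULTS = {
    "jwksUri": "https://login.microsoftonline.com/common/discovery/keys",
    "issuerBaseUri": "https://sts.windows.net/",
    "jwksTimeOut": 120,
}
REQUIRED = ("tenantId", "serverAppId")
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample (IDs are not real tenant or application IDs).
SAMPLE_CONFIG = """{
  "tenantId": "11111111-2222-3333-4444-555555555555",
  "serverAppId": "66666666-7777-8888-9999-aaaaaaaaaaaa"
}"""


def load_azure_ad_config(text):
    """Parse azure_ad.json text, apply defaults, and reject malformed values."""
    cfg = json.loads(text)
    for key in REQUIRED:
        if key not in cfg:
            raise ValueError(f"missing required field: {key}")
        if not GUID_RE.match(str(cfg[key])):
            raise ValueError(f"{key} is not a GUID: {cfg[key]!r}")
    for key, value in DEFAULTS.items():
        cfg.setdefault(key, value)
    # Key material and issuer identity must only ever be fetched/compared over TLS URIs.
    for key in ("jwksUri", "issuerBaseUri"):
        if not str(cfg[key]).startswith("https://"):
            raise ValueError(f"{key} must use https")
    if not isinstance(cfg["jwksTimeOut"], int) or cfg["jwksTimeOut"] <= 0:
        raise ValueError("jwksTimeOut must be a positive integer (seconds)")
    return cfg


def expected_issuer(cfg):
    """Issuer the server requires: issuerBaseUri joined with tenantId (assumed v1 format)."""
    return cfg["issuerBaseUri"].rstrip("/") + "/" + cfg["tenantId"] + "/"


def check_claims(claims, cfg, now=None):
    """Validate the claim set of a token whose signature was already verified.

    Returns (reason, groups): reason is None when the token is acceptable,
    otherwise a short string; groups is the list of group IDs from the token,
    which the caller feeds into the policy subject check.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer(cfg):
        return "issuer mismatch", []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if cfg["serverAppId"] not in auds:
        return "token not issued for this server application", []
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return "token expired or has no exp", []
    if claims.get("nbf", 0) > now:
        return "token not yet valid", []
    return None, list(claims.get("groups", []))
```

Tokens that fail any claim check should be rejected before the policy file is consulted; the policy only decides what an already authenticated caller may execute.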

Access Control Policy File

To use access control for MATLAB Production Server, the server administrator defines an access control policy file in JSON format. The default name for the JSON file is ac_policy.json.

The policy file is read on server startup. If it does not exist or contains errors, the server does not start, and an error message is written to the main.log file in the log-root directory.

Once the server has started, the policy file is scanned every five seconds for changes. If the policy file is deleted or contains errors, the server continues to run, but all requests are denied; that is, a broken policy fails closed rather than open. Again, an error message is written to the main.log file.

The JSON file has a single JSON object that defines the schema version and a Policy Block. The Policy Block consists of a list of policies. Each policy contains a Rule Block that defines a set of rules and consists of a Subject Block, a Resource Block, and an Action Block.

The schema version has a value that is a JSON string in the format <major#>.<minor#>.<patch#>, with each number specified as a nonnegative integer.

Policy Block

The policy block contains a list of policies required for access control. Currently, only a single policy can be specified in a policy file.

"policy" : [
   {
     "id": "<policy_id>",
     "description": "<policy_description>",
     <rule_block>
   }
]

An ID is required for each policy. <policy_id> must be unique for each policy. Any leading or trailing white space is removed.

The description is optional for a policy.

Rule Block

The rule block contains a list of rule objects.

"rule":[
  {  
    "id": "<rule_id>",
    "description": "<rule_description>",
    <subject_block>,
    <resource_block>,
    <action_block>
  }
]    

Multiple rules can exist in a rule block, for example: "rule": [<rule>, <rule>, ...].

An ID is required for each rule. <rule_id> must be unique for each rule. Any leading or trailing white space is removed.

The description is optional for a rule.

Subject Block

The subject block of a rule defines who can access the resources. Currently, only the groups attribute is supported.

"subject" : {"groups": ["<group_id>", "<group_id>", ...]}

For Azure Active Directory, a list of group IDs can be specified to control which groups can access the resources defined in the rule.

Get Group ID from Azure Active Directory Based on Group Display Name

  1. Open the Azure Active Directory Graph Explorer at https://graphexplorer.azurewebsites.net, and sign in.

  2. Use the query https://graph.windows.net/<tenant>/groups?$filter=startswith(displayName,'<groupname>') where <tenant> is the tenant name, and <groupname> is the name of a specific group.

  3. Search for the objectId of the specific group in the response.

Get All Group IDs for a Certain User from Azure Active Directory

  1. Open the Azure Active Directory Graph Explorer at https://graphexplorer.azurewebsites.net, and sign in.

  2. Use the query https://graph.windows.net/<tenant>/users/<username>@<tenant>/memberOf where <tenant> is the tenant name, and <username> is the name of a specific user.

  3. For all groups where securityEnabled is true, search for the objectId in the response.

Resource Block

The resource block of a rule describes the object being accessed. Currently, the only supported resource type is a ctf file.

"resource" : {"ctf": ["<ctf_name>", "<ctf_name>", ...]}

A single <ctf_name> can match multiple ctf files by using the wildcard character *. For example, test* matches all ctf files whose names start with test, and *test matches all ctf files whose names end with test. A <ctf_name> of * matches every ctf file on the server; use it only when every group listed in the subject block is genuinely entitled to execute everything deployed there.

Action Block

The action block of a rule describes the action being attempted on the resource. Currently, only the action execute is supported.

"action" : ["execute"]

Example of a JSON Policy File

The following example defines an access control policy with three rules.

  • All users belonging to the group with ID aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa can execute the ctf file magic.

  • All users belonging to either of the groups with IDs aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa and bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb can execute the ctf files monteCarlo and fastFourier.

  • All users belonging to the Quality Engineering group cccccccc-cccc-cccc-cccc-cccccccccccc can execute all ctf files whose names start with test.

Access is denied for all other requests.

{
  "version": "1.0.0",
  "policy" : [
    {
      "id": "policy1",
      "description": "MPS Access Control policy for XYZ Corp.",
      "rule": [
        {
          "id": "rule1",
          "description": "group A can execute ctf magic",
          "subject": { "groups": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"] },
          "resource": { "ctf": ["magic"] },
          "action": ["execute"]
        },
        {
          "id": "rule2",
          "description": "group A and group B can execute ctf monteCarlo and fastFourier",
          "subject": { "groups": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"]  },
          "resource": { "ctf": ["monteCarlo", "fastFourier"] },
          "action": ["execute"]
        },
        {
          "id": "rule3",
          "description": "QE group C can execute any ctf starts with test",
          "subject": { "groups": ["cccccccc-cccc-cccc-cccc-cccccccccccc"] },
          "resource": { "ctf": ["test*"] },
          "action": ["execute"] 
        }
      ]
    }
  ]
}
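The following is an added example, not the server's own policy engine. It parses a policy file of the format described above, rejects the defects the text says stop the server (invalid JSON, bad schema version, more than one policy, missing or duplicated IDs, unsupported actions), and evaluates requests with default deny. The policy text is the example above. One assumption goes beyond the page: the matcher treats * as matching any run of characters wherever it appears in <ctf_name>, which covers the documented test*, *test and * forms but may be more permissive than the server's own matching.

```python
import json
import re

ALLOWED_ACTIONS = {"execute"}

# The example policy from the page, used here as parser input.
EXAMPLE_POLICY = """{
  "version": "1.0.0",
  "policy": [
    { "id": "policy1", "description": "MPS Access Control policy for XYZ Corp.",
      "rule": [
        { "id": "rule1", "description": "group A can execute ctf magic",
          "subject": { "groups": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"] },
          "resource": { "ctf": ["magic"] }, "action": ["execute"] },
        { "id": "rule2", "description": "group A and group B can execute ctf monteCarlo and fastFourier",
          "subject": { "groups": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"] },
          "resource": { "ctf": ["monteCarlo", "fastFourier"] }, "action": ["execute"] },
        { "id": "rule3", "description": "QE group C can execute any ctf starts with test",
          "subject": { "groups": ["cccccccc-cccc-cccc-cccc-cccccccccccc"] },
          "resource": { "ctf": ["test*"] }, "action": ["execute"] }
      ] }
  ]
}"""


class PolicyError(ValueError):
    """Raised for any defect that would make the server refuse the file."""


def _ctf_pattern(name):
    # Assumption: '*' matches any run of characters; everything else is literal.
    return re.compile("^" + ".*".join(re.escape(p) for p in name.split("*")) + "$")


def load_policy(text):
    """Parse and validate ac_policy.json text into a flat list of rules."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise PolicyError(f"invalid JSON: {exc}")
    if not re.fullmatch(r"\d+\.\d+\.\d+", str(doc.get("version", ""))):
        raise PolicyError("version must be <major#>.<minor#>.<patch#>")
    policies = doc.get("policy")
    if not isinstance(policies, list) or len(policies) != 1:
        raise PolicyError("exactly one policy is required")
    if not str(policies[0].get("id", "")).strip():
        raise PolicyError("policy id is required")
    rules, seen = [], set()
    for rule in policies[0].get("rule", []):
        rid = str(rule.get("id", "")).strip()
        if not rid or rid in seen:
            raise PolicyError(f"rule id missing or duplicated: {rid!r}")
        seen.add(rid)
        groups = rule.get("subject", {}).get("groups")
        ctfs = rule.get("resource", {}).get("ctf")
        actions = rule.get("action")
        if not (isinstance(groups, list) and groups and isinstance(ctfs, list)
                and ctfs and isinstance(actions, list) and actions):
            raise PolicyError(f"rule {rid}: subject, resource and action are required")
        if not set(actions) <= ALLOWED_ACTIONS:
            raise PolicyError(f"rule {rid}: unsupported action")
        rules.append({
            "id": rid,
            "groups": frozenset(groups),
            "ctf": [_ctf_pattern(c) for c in ctfs],
            "actions": frozenset(actions),
        })
    return rules


def is_allowed(rules, user_groups, ctf, action):
    """Default deny: allow only if some rule matches one of the caller's
    groups, the ctf name, and the requested action."""
    caller = set(user_groups)
    for rule in rules:
        if (action in rule["actions"] and rule["groups"] & caller
                and any(p.match(ctf) for p in rule["ctf"])):
            return True
    return False
```

The caller's group list is whatever the identity layer extracted from the verified token; a caller with no groups, an unknown group, or a request for an action other than execute is denied without any rule being consulted further.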
