Permissioning and Entitlement is one of the most critical functions of any financial trading system. Ensuring that your clients are entitled to perform their required actions and denied from all other actions is important not only for security and convenience, but it can also be a legal requirement in many cases.
Too often however it is simply incredibly difficult to determine why one particular user is permissioned for something or denied another. Necessarily the permissioning system needs to be complex, supporting rules, matches, groups and a host of other features allowing for an efficient and effective administration.
For the Hack day Bodrul and Neal decided to address this complexity. In particular we wanted to make it easier to understand how permissions were applied. There were a number of different approaches that we could have taken, but we ultimately decided that adding JMX monitoring to the Permissioning Authentication Module (PAM) was the way forward.
To achieve this we added recording of the authentication decisions made in the PAM, the system which determines whether a user is entitled to the information they have requested.
By recording the full path of the decision, a system administrator can determine precisely why a particular user’s request was accepted or rejected.
The final step is to then serialize the JSON and make it available on a JMX Mbean for monitoring.
The other end of the solution was to add a new tab in the Caplin Management Console (CMC). This Permissions tab allowed admins to monitor a given user, see all their authentication requests and drill down into the resulting decision. Each decision is made up of a set of matching rules, the permissions those rules required and the matching permissions in the user/group permission hierarchy.
With the authentication decision recording and the CMC GUI it should be easy to determine why a user is/isn’t authorized to perform a particular action.