Introduction to Access Control Unit
The Nesstar Server provides an Access Control Unit (ACU) that controls access to data and operations made available by the server.
The ACU controls functions such as the following:
- Entrance of authorized and unauthorized users.
- Allows operations to authorised users.
- Challenges users (when necessary) by requesting they perform specific actions to gain access to a particular resource.
A challenge is a dialogue between the user and the server and may appear in one of several ways:
A challenge sequence is a series of challenges issued by the server.
- As a login form ('challenging' the user for their username).
- Request for an acceptance of an agreement.
- Request to choose a project with which an affiliation exists.
The simplest challenge type is a login form, which is presented to the user if a login has not been performed before a protected operation.
By default the server supports the following kind of challenges (more can be added):
- login: users are requested to identify themselves by a user name and password.
- accept agreement: users are requested to accept a particular agreement issued by the provider of the data.
- select project: users can have one or more projects registered in their name; users are requested to state the particular project for which they are accessing a resource.
- select purpose: users can have various purposes registered; if necessary, users are requested to state the particular purpose for which they are accessing the resource.
The Nesstar Authentication process behaves as follows:
- A user requests a server operation.
- The Access Control Unit retrieves the user details from the user database.
- The ACU authenticates the user details.
- The ACU checks whether the user is authorised to perform the requested operation.
- If the user is not authorised or further authentication details are required then the ACU issues a challenge for authentication.
- At the end of the challenge sequence the user is granted or denied access to the resource according to the access conditions.
- The user is either authorised or not authorised.