Authorization and Access Control¶
Fiddler access control comes with some preset roles. There are two global roles at the organization level
- ADMINISTRATOR: has complete access over every aspect of the organization. Everyone else is a MEMBER
- MEMBER: All MEMBERs of the organization can create projects
Teams are a group of users.
- a user can be a MEMBER of zero or more teams
Project is a higher level entity in Fiddler that contains Dataset and Models. Project support three roles types
* OWNER * WRITE * READ
- User who creates a project, is assigned the OWNER role by default
- Project OWNER or organization ADMINISTRATOR can share / unshare projects with other users or teams
- When sharing a project with other users or teams, a project ROLE is assigned.
- OWNER only (and the organization ADMINISTRATOR) have access to that project.until a project is explicitly shared with others.
In a software system which is used by a multitude of users, there is a need to provide some mechanism to manage the access to the data and metadata contained within the system.
There are two primary methods for managing the access.
With Authentication, we establish the identity of the user i.e., they are who they claim they are. This property is used to allow or disallow users into the system.
With Authorization, we establish whether an authenticated user is allowed to access the resources or perform specific operations etc.
In addition, in the case of authorization, a user or application is granted access at an API level and the permissions / policies for who can use an API are already determined.
At a high level, we have users, resources and actions that are the primary variables in this design.
Is a user allowed to act on a resource?
For example: Is Alice allowed to create the lending model? Is Bob allowed to read the lending dataset metadata? Is Charlie allowed to delete the lending project?
Role Based Access Control¶
These are the subjects in the above question. For example, alice, bob, charlie are the subjects (users).
The verbs in the question. For example, create, read, delete
The objects in the question. For example, lending dataset, lending model, lending project.
Users can be binned into roles based on attributes or usage patterns. For examples, fiddler organization administrators, team members, project owners, project writers, project readers etc.
At the time of this release, Fiddler is set up with the following organization roles:
At the highest level, each organization in fiddler is setup with 2 global roles.
- ADMINISTRATOR role is an organization-wide super-user role.
- Everyone else is a MEMBER.
Team Roles: [MEMBER]¶
In fiddler, teams are used to group users. These teams can be created and managed inside fiddler or shadow teams can be created and managed for the teams / groups in your internal directory service like LDAP / Active Directory.
- The team MEMBER role maps a user to a team.
The team roles are associated with project roles i.e., a team can be granted 'READ', 'WRITE', 'OWNER' roles on a project.
Project Roles: [OWNER, WRITE, READ]¶
In Fiddler, we use projects to group datasets, models and related artifacts and teams to organize users.
So, any member in an organization is able to CREATE a project and upload datasets and models into the project.
- The project OWNER role is assigned by default to the user who creates the project. Users with the OWNER role are super-users for the project.
- Any user or team with a project WRITE role can perform operations that result in a "WRITE" operation. e.g., upload datasets and/or models, use slice and explain, send events to fiddler for monitoring etc.
- A user or team with a project READ role can only perform operations like getting a project, dataset, model metadata, access pre-existing charts etc.
The project roles can be assigned to individual users or teams by the project OWNER or an organization ADMINISTRATOR.