The administration model
This model defines users, roles and permissions for UnityBase.
SIEM integration notice
Under Linux, when the service is started by systemd, all security-related changes are logged to syslog/journald (in addition to the uba_audit table) with PRIORITY=Notice.
Each message has the format `AUDIT={json with parameters}`, for example:
AUDIT={"entity":"uba_userrole","actionType":"DELETE","actionUser":"admin","remoteIP":"127.0.0.1","targetUser":"admin2","targetRole":"DataManager","entityinfo_id":337856398524417}
Possible values of actionType:
- INSERT - Adding
- UPDATE - Modifying; the new attribute values are in toValue
- DELETE - Removing
- LOGIN - User is logged in; the HTTP request headers are in the toValue attribute
- LOGIN_FAILED - User fails to log in
- LOGIN_LOCKED - Login attempt for a locked user failed
- SECURITY_VIOLATION - Security violation; details are in the toValue attribute
- DOWNLOAD - File downloaded (DE edition only)
- PRINT - File printed (DE edition only)
Possible entity values:
- uba_role: roles
- uba_grouprole: roles for groups
- uba_els: entity-level security rules
- uba_user: users
- uba_usergroup: user group membership
- uba_userrole: user role membership
- org_employee: assignment of a user to an employee
Examples:
- actionType === 'INSERT' and entity === 'uba_user' means that a new user was added
- actionType === 'DELETE' and entity === 'uba_usergroup' means that a user was removed from a group
Meaning of the other fields:
- actionUser: the user who performs the action
- targetUser: the user for whom the action is done
- remoteIP: IP address of the caller
- targetRole: a role
- targetGroup: a group
- userAgent: for LOGIN* events, the HTTP user-agent
- fromValue: additional information
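The records described above, as an added example that is not part of the UnityBase documentation: a parser for journald lines carrying the `AUDIT=` marker, plus two SIEM-style detection rules (repeated LOGIN_FAILED from one remoteIP, and membership changes to the `admin` role through uba_userrole or uba_grouprole). The journal lines, host name and IP addresses are constructed for the example.

```javascript
// Added example, not part of the UnityBase documentation: parse the AUDIT={...}
// records described above and apply two detection rules a SIEM would typically
// run on them. The journal lines and IP addresses below are constructed.
const SAMPLE_JOURNAL = [
  'Mar 03 09:12:01 ubhost ub[2231]: AUDIT={"entity":"uba_user","actionType":"LOGIN_FAILED","actionUser":"admin2","remoteIP":"198.51.100.7"}',
  'Mar 03 09:12:02 ubhost ub[2231]: AUDIT={"entity":"uba_user","actionType":"LOGIN_FAILED","actionUser":"admin2","remoteIP":"198.51.100.7"}',
  'Mar 03 09:12:03 ubhost ub[2231]: AUDIT={"entity":"uba_user","actionType":"LOGIN_FAILED","actionUser":"admin2","remoteIP":"198.51.100.7"}',
  'Mar 03 09:12:09 ubhost ub[2231]: AUDIT={"entity":"uba_user","actionType":"LOGIN","actionUser":"admin","remoteIP":"127.0.0.1","userAgent":"Mozilla/5.0"}',
  'Mar 03 09:12:30 ubhost ub[2231]: AUDIT={"entity":"uba_userrole","actionType":"INSERT","actionUser":"admin","remoteIP":"127.0.0.1","targetUser":"admin2","targetRole":"admin","entityinfo_id":337856398524418}',
  'Mar 03 09:12:31 ubhost ub[2231]: Server started' // ordinary log line, not an audit record
]

// Return the parsed JSON object following AUDIT=, or null for non-audit or malformed lines.
function parseAuditLine (line) {
  const i = line.indexOf('AUDIT=')
  if (i < 0) return null
  try {
    return JSON.parse(line.slice(i + 'AUDIT='.length))
  } catch (e) {
    return null // malformed JSON: drop the line rather than abort the pipeline
  }
}

// Rule 1: `threshold` or more LOGIN_FAILED events from one remoteIP (whole sample = one window).
function failedLoginsByIP (events, threshold = 3) {
  const counts = new Map()
  for (const e of events) {
    if (e.actionType !== 'LOGIN_FAILED') continue
    counts.set(e.remoteIP, (counts.get(e.remoteIP) || 0) + 1)
  }
  return [...counts]
    .filter(([, n]) => n >= threshold)
    .map(([remoteIP, failures]) => ({ remoteIP, failures }))
}

// Rule 2: INSERT/DELETE on uba_userrole or uba_grouprole whose targetRole is on the watch list.
function privilegedRoleChanges (events, watched = new Set(['admin'])) {
  return events.filter(e =>
    (e.entity === 'uba_userrole' || e.entity === 'uba_grouprole') &&
    (e.actionType === 'INSERT' || e.actionType === 'DELETE') &&
    watched.has(e.targetRole))
}

function analyze (lines) {
  const events = lines.map(parseAuditLine).filter(Boolean)
  return { parsed: events.length, bruteForce: failedLoginsByIP(events), roleChanges: privilegedRoleChanges(events) }
}

console.log(JSON.stringify(analyze(SAMPLE_JOURNAL), null, 2))
```

On a real host the lines would come from `journalctl -o cat` or the syslog file; only the text after `AUDIT=` is parsed, so the journal prefix format does not matter.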
Security audit and audit trail separation
Starting from ub@5.25.25, the visibility of uba_audit and uba_auditTrail rows can be separated depending on the user's border unit:
- new properties `uba_audit.borderID` and `uba_auditTrail.borderID` are added
- a new ubConfig property `security.auditBorderIDuDataProp` is added. It can be set to the name of the `Session.uData` property that contains the Int64 value to be put into uba_audit.borderID and uba_auditTrail.borderID. If it is not set, audits are not separated. For members of the `admin` role all rows are visible; for other users only rows with `borderID === Session.uData[security.auditBorderIDuDataProp]` are visible
- the model that defines auditBorderIDuDataProp in uData must also add a `UB.App.on('getBorderIDOnLoginFailure', ...)` event handler. The event is fired just after a security violation with a `userName` parameter, and the task of the handler is to set `Session.uData[security.auditBorderIDuDataProp]` based on the passed `userName` (because at this stage `Session.on('login')` has not been called yet)
Classes
- uba_advSecurity_ns
- uba_als_ns
- uba_audit_ns
- uba_auditTrail_ns
- uba_els_ns
- uba_elsPermission_ns
- uba_group_ns
- uba_grouprole_ns
- uba_otp_ns
- uba_prevPasswordsHash_ns
- uba_role_ns
- uba_session_ns
- uba_subject_ns
- uba_user_ns
- uba_usercertificate_ns
- uba_usergroup_ns
- uba_userrole_ns
Types
# ubaAdvSecurityAttrs inner
Properties
- ID: number
- userID: number | ubaUserAttrs - User
- editCause: string - Cause of change
- allowedIP: string - Allowed IP address
- refreshIP: boolean - Refresh allowed IP
- fp: string - Fingerprint
- refreshFp: boolean - Refresh fingerprint
- keyMediaName: string - Key media name
- refreshKeyMedia: boolean - Refresh key media name
- additional: string - Additional
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaAlsAttrs inner
Properties
# ubaAuditAttrs inner
Properties
- ID: number
- entity: string - Entity
- entityinfo_id: number - Instance ID
- actionType: string | ubmEnumAttrs - Action
- actionUser: string - User
- actionTime: Date - Action time
- remoteIP: string - Remote IP
- targetUser: string - Target user
- targetGroup: string - Target group
- targetRole: string - Target role
- fromValue: string - Old values
- toValue: string - New values
# ubaAuditTrailAttrs inner
Properties
- ID: number
- entity: string - Entity
- entityinfo_id: number - Instance ID
- actionType: string | ubmEnumAttrs - Action
- actionUser: number - User
- actionUserName: string - Login
- actionTime: Date - Action time
- remoteIP: string - Remote IP
- parentEntity: string - Parent entity name
- parentEntityInfo_id: number - Parent instance ID
- request_id: number - Request ID
- fromValue: string - Old values
- toValue: string - New values
# ubaElsAttrs inner
Properties
- ID: number
- code: string - Rule code
- description: string - Description
- disabled: boolean - Disabled
- entityMask: string - Entity mask
- methodMask: string - Method mask
- ruleType: string | ubmEnumAttrs - Rule type
- ruleRole: number | ubaRoleAttrs - Role
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaElsPermissionAttrs inner
Properties
# ubaGroupAttrs inner
Properties
- ID: number | ubaSubjectAttrs
- code: string - Code
- name: string - Name
- description: string - Description
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaGrouproleAttrs inner
Properties
- ID: number
- groupID: number | ubaGroupAttrs - Group
- roleID: number | ubaRoleAttrs - Role
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaOtpAttrs inner
Properties
- ID: number
- otp: string - OTP
- userID: number | ubaUserAttrs - User
- uData: string - uData
- expiredDate: Date - Expired date
- otpKind: string | ubmEnumAttrs - Otp kind
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaPrevPasswordsHashAttrs inner
Properties
- ID: number
- userID: number | ubaUserAttrs - User
- uPasswordHashHexa: string - Password hash
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaRoleAttrs inner
Properties
- ID: number | ubaSubjectAttrs
- name: string - Role
- description: string - Description
- sessionTimeout: number - Session duration
- allowedAppMethods: string - Which application level methods are allowed
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaSessionAttrs inner
Properties
# ubaSubjectAttrs inner
Properties
# ubaUserAttrs inner
Properties
- ID: number | ubaSubjectAttrs
- name: string - Login
- firstName: string - First Name
- lastName: string - Last Name
- middleName: string - Middle name
- fullName: string - Full Name
- title: string - Title
- email: string - Email
- phone: string - Phone
- avatar: string - Avatar
- description: string - Description
- uData: string - uData
- disabled: boolean - Disabled
- isPending: boolean - Registration pending
- trustedIP: string - Trusted IPs
- uPasswordHashHexa: string - Password hash
- lastPasswordChangeDate: Date - Last password change date
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaUsercertificateAttrs inner
Properties
- ID: number
- userID: number | ubaUserAttrs - User
- issuer_serial: string - Issuer Serial Number
- issuer_cn: string - Issuer Name
- serial: string - Serial Number
- certificate: ArrayBuffer - Certificate
- certParsed: * - Certificate content
- isForSigning: boolean - For signing
- description: string - Description
- disabled: boolean - Disabled
- revoked: boolean - Revoked
- revocationDate: Date - Revocation date
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaUsergroupAttrs inner
Properties
- ID: number
- userID: number | ubaUserAttrs - User
- groupID: number | ubaGroupAttrs - Group
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
# ubaUserroleAttrs inner
Properties
- ID: number
- userID: number | ubaUserAttrs - User
- roleID: number | ubaRoleAttrs - Role
- mi_owner: number | ubaUserAttrs
- mi_createDate: Date
- mi_createUser: number | ubaUserAttrs
- mi_modifyDate: Date
- mi_modifyUser: number | ubaUserAttrs
