SheetKraft supports two ways of managing user information
A local administrative user account is created at the time of installation. This account can be used to create local or AD users.
The creation of local users and logins by existing local users can be disabled entirely if necessary via application configuration. Doing this ensures that basic user management is entirely controlled by AD.
An administrative user can create local users (if allowed by configuration) by entering the user’s profile details. The administrator can choose to enter a password (if allowed by configuration) or leave the password field blank to auto-generate a password. If a password is auto-generated, a link is sent to the newly created user’s email address to set a new password.
The SheetKraft database maintains a salted hash of the password of each local user. The following functionality is available for managing the password:
Active Directory Users
SheetKraft can be configured to connect to Active Directory (AD) for user management.
For every user in AD that needs to access SheetKraft, an administrative user needs to create a new user with an AD id. SheetKraft connects to AD to retrieve user profile details and stores them in the database. The password remains in AD and is never known to SheetKraft. Whenever a user attempts to login, SheetKraft uses AD to authenticate the user and refresh the user’s profile details (if the login is successful).
SheetKraft uses bearer token authorization for session management.
Whenever a user logs in, a login token is generated and sent to the client software (browser or SheetKraft addin). The client is expected to send the token in an HTTP header for every HTTP request. Cookies are not used. Active login tokens are maintained in the SheetKraft database and token validity is checked for every request.
Any login by a user automatically terminates any other session by the same user. This ensures that the same user cannot have two concurrent sessions.
Activities are the unit of work in SheetKraft. Access control in the context of SheetKraft primarily (but not exclusively) controls access to activities.
Access control is achieved with Roles and Rights
A set of users can be assigned a role to make it easy to grant or deny rights to multiple users. A single user may be assigned multiple roles.
SheetKraft has several pre-defined rights. The most important rights are:
Some rights are implied by other rights. For example granting sk.RunActivity implicitly grants sk.ViewActivity. Conversely, denying sk.ViewActivity implicitly denies sk.RunActivity.
Rights can be granted or denied at multiple levels. For example, the rights described above can be granted or denied at the following scopes:
Rights can be granted or denied to an individual user or to a role.
The rules to determine effective rights are described below:
All information about rights, roles, grants and denials is maintained in the SheetKraft database. Any change to this information is also maintained as a log in the database itself. This log is available to administrative users from the web application.
A security matrix is available from the web application. This matrix lists all the effective rights (at each scope) for each user. A drill-down view for a specific effective right is also available. This view makes it possible to trace the specific grants and denials that lead to that specific effective right.