Skip to end of metadata
Go to start of metadata

Authentication and Authorization Model



CollectionSpace uses Spring Security to authenticate a user and authorize a user's request using role-based permissions.

As of v5.0, CollectionSpace uses a PostgreSQL database (separate from collections data) to manage AuthN/AuthZ data.  The database is named cspace_$InstanceID where $Instance ID is the deployment specific instance ID.  Systems supporting a single instance of CollectionSpace usually use the default instance ID of "_default".  So a common name for the database is "cspace_default".  The rest of this documentation will assume a database name of "cspace_default"

All enforcement of CollectionSpace user actions are performed by Spring Security.  The CollectionSpace defined AuthN/AuthZ tables are never used directly by Spring Security.  The CollectionSpace tables are used to provide a user-friendly representation of the underlying Spring Security resources -see the "Spring Security AuthN/AuthZ tables" section below.

The "cspace_default" database contains the following tables:

CollectionSpace Defined AuthN/AuthZ tables

users - a list of all the CollectionSpace end-users includes username and password for the user

accounts_common - account details for a user.  The userid column of this table maps to the username column of the users table

tenants - list of all the tenants in a deployment of CollectionSpace

accounts_tenants - a table relating a user from the accounts_common table to a specific tenant in the tenants table.  This table's tenants_accounts_common_csid column maps to the csid column of the accounts_common table

roles - a list of existing authorization roles.  The tenant_id column of this table indicates which tenant a role is associated with.

accounts_roles - a table relating a user to a set of roles from the roles table.  This table's account_id column maps to the csid column of the accounts_common table

permissions - a table listing all the end-user permissions for CollectionSpace resources/records.  The tenant_id column of this table indicates which tenant a permission is associated with.

permissions_roles - a table relating a set of permissions to each role.  This table's permission_id column maps to the csid column of the permissions tables.  And the role_id maps to the roles table's csid column.

permissions_actions - a table for associating a specific action (CREATE, READ, UPDATE, DELETE, etc) on a CollectionSpace resource type (collectionobject, loansin, etc).  This table is a critical link to the underlying Spring Security authorization mechanism.  This table's objectidentity column maps to Spring Security's object_id_identity column of it's acl_object_identity table.

tokens - these are transient tokens used for temporary access to "published" resources/records -see the "publish" endpoint of the Blob and Media services for details.


Spring Security AuthN/AuthZ tables

acl_sid - This table lists Spring Security's role IDs.  The rolename column of CollectionSpace's roles table maps to this tables sid column.

acl_object_identity - This table contains all the action/resource tuples that Spring Security enforces.  The object_id_identiy column maps to CollectionSpace's objectidentity column of the permissions_actions table.

acl_entry - This is Spring Security's "lookup" table to see if a given sid (aka Role) is allowed access (an action on a resource/record type) to the action/resource tuple (acl_object_identity) from the acl_object_identity table.

acl_class - A table for describing the different types/classes of Spring resources.  CollectionSpace has only one type/class which is "URI".