RBAC: Securable Resources

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

General

RBAC: Securable Resources

Under role-based access control (RBAC), a role can be assigned a particular permission for a particular resource. We call this relationship a role-permission.

This page describes the various CodeSonar resource types and their relationships.

Resources and Applicable Permissions
Relationships
Special-Case Resources

Under role-based access control (RBAC), a role can be assigned a particular permission for a particular resource. We call this relationship a role-permission.

We say that:

A CodeSonar element is a securable resource if it is subject to access control.
A permission is applicable to a resource if the permission controls access to some operation on that resource.

Resource Types and Applicable Permissions

Resource Type	Description	Applicable Permissions
Project Tree	A hierarchical structure for managing projects. The Project Tree with ID 1 is at the root of the hierarchy: we refer to this as the Root Project Tree .	PTREE_, PROJECT_, ANALYSIS_*
Project	A CodeSonar project. Every project belongs to a project tree.	PROJECT_, ANALYSIS_
Analysis	A CodeSonar analysis. Every analysis belongs to a project.	ANALYSIS_*
Named Search	A saved search (in any search domain).	NAMEDSEARCH_*
Launchd Group	A hierarchical structure for managing launch daemons. The Launchd Group with ID 1 is at the root of the hierarchy: we refer to this as the Root Launchd Group .	LAUNCHDGROUP_, LAUNCHD_
Launch Daemon	A CodeSonar launch daemon. Every launch daemon belongs to a launchd group.	LAUNCHD_*
Warning Processor	A CodeSonar warning processor.	WPROCESSOR_*
Saved Chart	A chart that has been saved using the Save this chart functionality. The data included when a saved chart is viewed will depend on the user's permissions for the relevant resources. The shortcut chart links provided on the Home, Project, and Analysis pages are not saved chart instances.	SAVEDCHART_*
Report Template	A management report template.	REPORTTEMPLATE_*
Role	An RBAC Role.	ROLE_*
< global permissions>	Global permissions apply hub-wide, rather than to a specific resource. For example, global permissions control access to hub commands and administrative settings.	G_*

Relationships

The securable resource types can be divided into two groups.

Independent resource types exist in isolation: there are no relationships between different independent resource types and no relationships between resources of any of these types. A role-permission involving a resource of independent type can be direct or role-inherited (or both): it cannot be resource-inherited, since there is no resource hierarchy to inherit through, nor can it be the source of a resource-inherited role-permission for another resource.
The independent resource types are Warning Processor, Saved Chart, Named Search, Report Template, and Role.
Hierarchical resource types exist in one of two hierarchies.
- Project Tree / Project / Analysis : each Project Tree contains zero or more Project Trees and zero or more Projects; each Project contains zero or more Analyses. The root of the hierarchy is always the Root Project Tree.
- Launchd Group / Launch Daemon : each Launchd Group contains zero or more Launchd Groups and zero or more Launch Daemons. The root of the hierarchy is always the Root Launchd Group.
A role-permission involving a resource of hierarchical type can be direct, role-inherited, or resource-inherited (or any combination of these).

Special-Case Resources

Certain resources have special permission handling.

Immutable securable resources cannot be deleted or modified.
Undeletable securable resources cannot be deleted, but can be modified.
A small number of resources that would otherwise be of securable type are treated as unsecurable: all users have the same degree of access to these resources, and this degree of access cannot be modified.

Immutable Securable Resources

An immutable securable resource is subject to access control but cannot be deleted or modified, even by a user that has the appropriate *_DELETE or *_MODIFY permission for that resource.

There is currently one set of immutable securable resources: the all named searches (there is one for each search domain).

Note also that some (mutable and immutable) resources have immutable role-permissions associated with them.

Undeletable Securable Resources

An undeletable securable resource is subject to access control but cannot be deleted, even by a user that has the appropriate *_DELETE permission for that resource. Note that all immutable resources are undeletable, but not all undeletable resources are immutable.

The following resources are undeletable.

The root project tree.
The root launchd group.

Unsecurable Resources

The following are not securable resources and are not subject to RBAC.

Predefined management report templates are available to all users, but cannot be modified or deleted.
Reports generated from the predefined templates are not themselves exempt from RBAC. For more information, see Management Reports: Permissions.
Chart shortcuts are available to all users, but cannot be modified or deleted.
The charts linked by the shortcuts are not themselves exempt from RBAC. For more information, see Charts and Tables: Permissions.

To report problems with this documentation, please visit https://support.codesecure.com/.