
Understanding access policies

Access policies allow the system's predefined roles to be used in a powerful and granular way. They also make it practical to adopt best practices, including the security principle of least privilege.

What does an access policy contain

An access policy is a document that defines who (collaborators or teams) has what access (roles) to which functions or resources of the system. Access permissions to a particular part of the system are not automatically given to a new collaborator; a system administrator (super admin) must change the access policy (or add the collaborator to a team already in the access policy).

Whenever a user tries to perform an operation, the system identifies the correct policy and checks whether that collaborator has at least one role with the necessary permissions. It also checks whether the collaborator is part of a team that has the necessary permissions.

If a collaborator or team is removed from the system, they are automatically removed from the access policy. Consequently, if a collaborator is added back to the organization, their associated roles must be redefined.

Consent-based policies and system limitations

RevasOS uses the consent-based access policy model (called an allow policy). An allow policy describes who can access which functions (as opposed to a denial-based access policy, which describes who cannot access certain functions).

The access policy can be configured for the entire organization, but it is not possible to define multiple resource-based policies. For example, the "contact administrator" role can be assigned to a collaborator, but the same role cannot be assigned for only part of the contacts.
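The evaluation and removal behaviour described on this page can be modelled in a few lines. This is an added example, not RevasOS code: the class, the role names and the permission strings are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical role -> permission mapping; names are assumptions, not RevasOS identifiers.
ROLES = {
    "contact_administrator": {"contacts.read", "contacts.write", "contacts.delete"},
    "contact_viewer": {"contacts.read"},
}

@dataclass
class AllowPolicy:
    """One organization-wide allow policy binding collaborators and teams to roles."""
    user_roles: dict = field(default_factory=dict)    # collaborator -> set of roles
    team_roles: dict = field(default_factory=dict)    # team -> set of roles
    team_members: dict = field(default_factory=dict)  # team -> set of collaborators

    def grant_user(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def grant_team(self, team, role):
        self.team_roles.setdefault(team, set()).add(role)

    def add_to_team(self, user, team):
        self.team_members.setdefault(team, set()).add(user)

    def remove_user(self, user):
        # Leaving the organization drops every binding held by that collaborator.
        self.user_roles.pop(user, None)
        for members in self.team_members.values():
            members.discard(user)

    def effective_roles(self, user):
        # Union of roles bound directly and roles inherited through teams.
        roles = set(self.user_roles.get(user, set()))
        for team, members in self.team_members.items():
            if user in members:
                roles |= self.team_roles.get(team, set())
        return roles

    def is_allowed(self, user, permission):
        # Allow model: no resource argument (policy is org-wide) and no match means deny.
        return any(permission in ROLES.get(r, set()) for r in self.effective_roles(user))

def demo():
    p = AllowPolicy()
    p.grant_team("sales", "contact_viewer")
    p.add_to_team("alice", "sales")
    p.grant_user("bob", "contact_administrator")
    before = (p.is_allowed("alice", "contacts.read"), p.is_allowed("alice", "contacts.write"),
              p.is_allowed("bob", "contacts.delete"), p.is_allowed("carol", "contacts.read"))
    p.remove_user("bob")  # bob leaves; re-adding him later would not restore the role
    return before, p.is_allowed("bob", "contacts.delete")
```

A collaborator with no binding ("carol" here) is denied without any explicit deny rule, which is what makes periodic review of the bindings the main least-privilege control in this model.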
