Security Measures
=================

Account restrictions
--------------------

-  Users are automatically logged out after a period of inactivity
-  User accounts expire on a set date
-  (Mandatory) :ref:`2fa`

.. _permissions:

Permissions
-----------

Most actions in castellum are protected by one or more permissions. For
easier handling, permissions are usually not assigned directly. Instead,
they are collected into meaningful groups (aka :ref:`roles`). Castellum comes
with some pre-defined sample groups, but you can adapt them to your needs.

Note that the Django framework automatically generates a lot of permissions
(``add``, ``change``, ``delete`` and ``view`` for every model). Only a few of
them are actually used by castellum. The full list is:

-  ``studies.approve_study``
-  ``studies.view_study``
-  ``studies.change_study``
-  ``studies.delete_study``
-  ``studies.access_study``
-  ``subjects.view_subject``
-  ``subjects.change_subject``
-  ``subjects.delete_subject``
-  ``subjects.export_subject``
-  ``recruitment.recruit``
-  ``recruitment.conduct_study``
-  ``recruitment.search_participations``
-  ``recruitment.view_current_appointments``
-  ``recruitment.change_appointments``
-  ``castellum_auth.privacy_level_1``
-  ``castellum_auth.privacy_level_2``

Study membership
~~~~~~~~~~~~~~~~

If a user is a member of a study, they automatically gain the special
``studies.access_study`` permission in the context of that study. Study managers
can also assign additional groups to study members that only apply in the
context of that study; such a group grants nothing outside the study.

.. warning::
    By managing study memberships, study managers can escalate their own
    privileges inside their studies. For example, they can allow themselves to
    see recruitment attributes of participants.

    All studies need to be approved before they can start recruitment. The
    approver should check for suspicious settings before approving the study.
    However, for practical reasons all study settings (including memberships)
    can still be changed after the approval. Some organizations will even
    choose to allow study managers to approve their own studies.
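
The following is an added example and not code from the castellum project. It
models the permission resolution described in this section in plain Python:
global groups apply everywhere, study membership grants ``studies.access_study``
only inside that study, and study-scoped groups never leak into another study
or into a global permission. The group, user and study names are constructed.

```python
"""Resolution of global and study-scoped permissions (added example).

This is not Castellum's own code; it models in plain Python the rules
described above: permissions come from groups, membership in a study grants
``studies.access_study`` for that study only, and groups that a study
manager assigns to a member apply only inside that study. The group names,
user names and study names below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    name: str
    permissions: frozenset[str]


@dataclass
class Study:
    name: str
    # username -> groups that apply only within this study (may be empty)
    members: dict[str, list[Group]] = field(default_factory=dict)


@dataclass
class User:
    username: str
    groups: list[Group] = field(default_factory=list)  # global groups
    is_superuser: bool = False


def global_permissions(user: User) -> frozenset[str]:
    """Permissions the user holds everywhere, via their global groups."""
    perms: set[str] = set()
    for group in user.groups:
        perms |= group.permissions
    return frozenset(perms)


def study_permissions(user: User, study: Study) -> frozenset[str]:
    """Permissions the user holds only inside ``study``.

    Non-members get nothing. Members get ``studies.access_study`` plus
    whatever the study-scoped groups assigned to them grant.
    """
    if user.username not in study.members:
        return frozenset()
    perms = {"studies.access_study"}
    for group in study.members[user.username]:
        perms |= group.permissions
    return frozenset(perms)


def has_perm(user: User, perm: str, study: Study | None = None) -> bool:
    """Check ``perm`` for ``user``, optionally in the context of ``study``.

    Global permissions apply with or without a study context; study-scoped
    permissions are consulted only when a study is given.
    """
    if user.is_superuser:
        return True
    if perm in global_permissions(user):
        return True
    return study is not None and perm in study_permissions(user, study)


# Constructed groups, loosely modelled on the kind of roles described above
RECRUITER = Group("recruiter", frozenset({"recruitment.recruit", "subjects.view_subject"}))
CONDUCTOR = Group("conductor", frozenset({"recruitment.conduct_study"}))


def demo() -> dict[str, bool]:
    """A few checks, returned by name so they can be inspected or asserted on."""
    alice = User("alice")                  # no global groups at all
    bob = User("bob", groups=[RECRUITER])  # global recruiter
    study_a = Study("study-a", members={"alice": [CONDUCTOR]})
    study_b = Study("study-b", members={"bob": []})
    return {
        # membership alone grants access_study, and only in that study
        "alice_access_a": has_perm(alice, "studies.access_study", study_a),
        "alice_access_b": has_perm(alice, "studies.access_study", study_b),
        # the study-scoped conductor group applies in study A only
        "alice_conduct_a": has_perm(alice, "recruitment.conduct_study", study_a),
        "alice_conduct_b": has_perm(alice, "recruitment.conduct_study", study_b),
        # and never turns into a global permission
        "alice_conduct_global": has_perm(alice, "recruitment.conduct_study"),
        # global group permissions hold everywhere
        "bob_recruit_global": has_perm(bob, "recruitment.recruit"),
        "bob_recruit_a": has_perm(bob, "recruitment.recruit", study_a),
        # but a global role does not make bob a member of study A
        "bob_access_a": has_perm(bob, "studies.access_study", study_a),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point worth checking in a real deployment is the last pair of cases: a
study-scoped grant must be invisible when the check runs without a study
context, and a global role must not imply membership. Both are where a
context-aware permission check tends to go wrong.
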

.. _privacy-level:

Privacy levels
~~~~~~~~~~~~~~

Every subject has a privacy level. A user is only allowed to access that
subject if they have a sufficient privacy level themselves. For recruitment
attributes, you can define separate privacy levels for read and write access. A
user's privacy level is controlled via the special permissions
``castellum_auth.privacy_level_1`` and ``castellum_auth.privacy_level_2``; a
user who holds neither has level 0. The three levels (0-2) correspond to the
data security levels of the Max Planck Society.
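
The following is an added example and not castellum's own code. It models the
privacy-level rule above in plain Python: the user's level is derived from the
two special permissions, access to a subject requires at least the subject's
level, and each recruitment attribute carries its own read and write levels.
The attribute names and the subject record are constructed.

```python
"""Privacy-level checks for subjects and recruitment attributes (added example).

This is not Castellum's own code; it models in plain Python the rule described
above: a user's level is 2 with ``castellum_auth.privacy_level_2``, 1 with
``castellum_auth.privacy_level_1`` and 0 otherwise; a subject is accessible
only to users whose level is at least the subject's level; and recruitment
attributes carry separate levels for reading and writing. The attribute names
and subject data are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_LEVEL = 2  # the three levels are 0, 1 and 2

LEVEL_PERMISSIONS = {
    "castellum_auth.privacy_level_2": 2,
    "castellum_auth.privacy_level_1": 1,
}


def user_privacy_level(permissions: set[str]) -> int:
    """Highest level granted by the user's permissions; 0 if none is held."""
    return max(
        (level for perm, level in LEVEL_PERMISSIONS.items() if perm in permissions),
        default=0,
    )


def _check_level(level: int, what: str) -> None:
    if not 0 <= level <= MAX_LEVEL:
        raise ValueError(f"{what} must be between 0 and {MAX_LEVEL}, got {level}")


@dataclass(frozen=True)
class AttributeSpec:
    """Definition of a recruitment attribute with separate read/write levels."""
    name: str
    read_level: int
    write_level: int

    def __post_init__(self) -> None:
        _check_level(self.read_level, f"read level of {self.name}")
        _check_level(self.write_level, f"write level of {self.name}")


@dataclass
class Subject:
    pseudonym: str
    privacy_level: int
    attributes: dict[str, object] = field(default_factory=dict)

    def __post_init__(self) -> None:
        _check_level(self.privacy_level, f"privacy level of {self.pseudonym}")


def can_access_subject(permissions: set[str], subject: Subject) -> bool:
    """The subject as a whole is visible only at or above its own level."""
    return user_privacy_level(permissions) >= subject.privacy_level


def readable_attributes(
    permissions: set[str], subject: Subject, specs: list[AttributeSpec]
) -> dict[str, object]:
    """Attributes the user may read. Empty if the subject itself is off limits."""
    if not can_access_subject(permissions, subject):
        return {}
    level = user_privacy_level(permissions)
    return {
        spec.name: subject.attributes[spec.name]
        for spec in specs
        if spec.name in subject.attributes and level >= spec.read_level
    }


def can_write_attribute(permissions: set[str], subject: Subject, spec: AttributeSpec) -> bool:
    """Writing requires access to the subject and the attribute's write level."""
    return can_access_subject(permissions, subject) and user_privacy_level(permissions) >= spec.write_level


# Constructed attribute definitions and a constructed subject record
SPECS = [
    AttributeSpec("handedness", read_level=0, write_level=1),
    AttributeSpec("medical_notes", read_level=2, write_level=2),
]
SUBJECT = Subject(
    "S-0001",
    privacy_level=1,
    attributes={"handedness": "left", "medical_notes": "none recorded"},
)

LEVEL_0: set[str] = set()
LEVEL_1 = {"castellum_auth.privacy_level_1"}
LEVEL_2 = {"castellum_auth.privacy_level_1", "castellum_auth.privacy_level_2"}


if __name__ == "__main__":
    for name, perms in (("level 0", LEVEL_0), ("level 1", LEVEL_1), ("level 2", LEVEL_2)):
        print(name, readable_attributes(perms, SUBJECT, SPECS))
```

Note the ordering of the checks: the subject-level gate runs first, so a
level-0 user sees nothing of a level-1 subject even though ``handedness`` is
readable at level 0. The attribute levels refine access within a subject the
user may already see; they do not override the subject's own level.
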

Access to resources and general domains
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Similar to how a study membership allows a user to access a specific study,
users need to be authorized to access specific resources and :ref:`general
domains <general-domains>`. This can only be done by administrators.

Database separation
-------------------

We chose to split the data into three different categories:

-  Scientific data is handled outside of castellum. Castellum only
   provides the pseudonyms that are used to map this data to subjects.
-  Data relevant for recruitment is handled in castellum.
-  Contact data is also handled in castellum, but in a separate database
   to provide an additional barrier.

Storing contact data in a separate database gives developers a clear structure
that should help avoid critical data leaks. Even if an attacker is able to dump
a whole table or even a whole database, this structure still limits the impact:
an attacker without access to castellum would need direct access to both
databases in order to get the same level of access that castellum itself has.

However, it is important to understand that the barrier between recruitment and
contact data is not that high. Since castellum has full access to both, an
attacker who compromises castellum gains full access to both as well. Spreading
the system across several databases on different servers or even in different
organizations does not help much if there is still a single point of entry.
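
The following is an added example and not castellum's own code; it does not
show how castellum actually wires up its databases. It shows the standard
Django mechanism for the separation described above: a settings fragment with
two database connections and a database router that sends one app's models to
the second connection, refuses to create those tables anywhere else, and
refuses relations that would cross the barrier. The app label ``contacts``, the
connection alias ``contacts`` and the router's module path are assumptions. How
castellum links a subject to its contact record across the two databases is
not covered by this page; in Django such a link cannot be a foreign key across
connections, so it has to be a stored identifier of some kind.

```python
"""Routing contact data to a separate database (added example).

This is not Castellum's own code. It demonstrates the Django database-router
mechanism that achieves the separation described above. The app label
``contacts``, the connection alias ``contacts`` and the router's module path
are assumptions for the example.
"""
from __future__ import annotations

from types import SimpleNamespace

# Settings fragment (illustrative placeholders, not castellum's real settings)
DATABASES = {
    "default": {"ENGINE": "django.db.backends.postgresql", "NAME": "castellum"},
    "contacts": {"ENGINE": "django.db.backends.postgresql", "NAME": "castellum_contacts"},
}
DATABASE_ROUTERS = ["myproject.routers.ContactsRouter"]  # assumed module path

CONTACTS_APP = "contacts"  # assumed app label of the contact-data models
CONTACTS_DB = "contacts"   # assumed connection alias


class ContactsRouter:
    """Django database router (duck-typed; Django calls these four methods)."""

    @staticmethod
    def _db_for(app_label: str) -> str:
        return CONTACTS_DB if app_label == CONTACTS_APP else "default"

    def db_for_read(self, model, **hints):
        return self._db_for(model._meta.app_label)

    def db_for_write(self, model, **hints):
        return self._db_for(model._meta.app_label)

    def allow_relation(self, obj1, obj2, **hints):
        # Foreign keys may not cross the barrier: both objects must live in
        # the same database.
        return self._db_for(obj1._meta.app_label) == self._db_for(obj2._meta.app_label)

    def allow_migrate(self, db, app_label, model_name=None, **hints):
        # Contact tables are created only in the contacts database, and no
        # other app's tables are created there.
        return self._db_for(app_label) == db


def fake_model(app_label: str):
    """Stand-in for a Django model class or instance; only ``_meta.app_label`` is used."""
    return SimpleNamespace(_meta=SimpleNamespace(app_label=app_label))


def demo() -> dict[str, object]:
    """Exercise the router with stand-in models and return the decisions by name."""
    router = ContactsRouter()
    contact = fake_model("contacts")
    subject = fake_model("subjects")
    return {
        "contact_read_db": router.db_for_read(contact),
        "subject_write_db": router.db_for_write(subject),
        "contact_table_in_contacts_db": router.allow_migrate("contacts", "contacts"),
        "contact_table_in_default_db": router.allow_migrate("default", "contacts"),
        "subject_table_in_contacts_db": router.allow_migrate("contacts", "subjects"),
        "subject_contact_relation": router.allow_relation(subject, contact),
        "subject_subject_relation": router.allow_relation(subject, subject),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The ``allow_migrate`` decision is the one to verify after deployment: run the
migrations against both connections and confirm that no contact table exists
in the default database. The router only limits where data is stored; as the
paragraph above says, it does not reduce what the application itself, and
therefore anyone who compromises it, can reach.
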

Monitoring
----------

In order to allow analysing suspicious behavior, critical actions such as
searches, deletions, or login attempts are logged to a separate log file.
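
The following is an added example and not castellum's own code; the page only
states that such actions go to a separate file, and the record format, the
logger name ``castellum.audit`` and the thresholds below are assumptions. It
shows the two halves of that measure: a dedicated logger with its own file
handler that does not propagate into the general application log, and a first
analysis pass that reads the file back and flags accounts with repeated failed
logins or many deletions. The events written in ``demo`` are constructed.

```python
"""A separate audit log and a first pass at spotting suspicious behaviour.

Added example, not Castellum's own code. The record format (one JSON object per
line), the logger name and the thresholds are assumptions for the example.
"""
from __future__ import annotations

import json
import logging
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

AUDIT_LOGGER = "castellum.audit"  # assumed logger name


def configure_audit_logging(path: Path) -> logging.Logger:
    """Dedicated logger that writes only to ``path`` and not to the root logger."""
    logger = logging.getLogger(AUDIT_LOGGER)
    logger.setLevel(logging.INFO)
    logger.propagate = False  # audit events must not end up in the general log
    for handler in list(logger.handlers):  # make repeated configuration safe
        logger.removeHandler(handler)
        handler.close()
    handler = logging.FileHandler(path, encoding="utf-8")
    handler.setFormatter(logging.Formatter("%(message)s"))  # record is already JSON
    logger.addHandler(handler)
    return logger


def audit(logger: logging.Logger, action: str, user: str, success: bool = True, **details) -> None:
    """Emit one audit record; ``action`` is e.g. ``login``, ``search`` or ``delete``."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "user": user,
        "success": success,
        **details,
    }
    logger.info(json.dumps(record, sort_keys=True))


def read_audit_log(path: Path) -> list[dict]:
    """Parse the JSON-lines file back into records, skipping blank lines."""
    lines = path.read_text(encoding="utf-8").splitlines()
    return [json.loads(line) for line in lines if line.strip()]


def flag_suspicious(
    records: list[dict], max_failed_logins: int = 3, max_deletions: int = 5
) -> dict[str, dict[str, int]]:
    """Users with at least ``max_failed_logins`` failed logins or ``max_deletions`` deletions."""
    failed = Counter(r["user"] for r in records if r["action"] == "login" and not r["success"])
    deletions = Counter(r["user"] for r in records if r["action"] == "delete" and r["success"])
    return {
        "failed_logins": {u: n for u, n in failed.items() if n >= max_failed_logins},
        "deletions": {u: n for u, n in deletions.items() if n >= max_deletions},
    }


def demo() -> dict[str, dict[str, int]]:
    """Write a constructed sequence of events to a temporary file and analyse it."""
    path = Path(tempfile.mkdtemp()) / "audit.log"
    logger = configure_audit_logging(path)
    audit(logger, "login", "alice")
    audit(logger, "search", "alice", query="handedness=left")
    for _ in range(3):
        audit(logger, "login", "mallory", success=False)
    audit(logger, "login", "bob")
    for pseudonym in ("S-0001", "S-0002", "S-0003", "S-0004", "S-0005"):
        audit(logger, "delete", "bob", subject=pseudonym)
    findings = flag_suspicious(read_audit_log(path))
    for handler in list(logger.handlers):
        logger.removeHandler(handler)
        handler.close()
    return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter more than the thresholds: ``propagate = False`` keeps the
audit trail out of the ordinary application log, where it would be mixed with
noise and subject to that log's rotation and permissions, and the records
carry only pseudonyms and usernames, never contact data, so the audit file does
not become a second copy of the information the database separation is meant
to protect.
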