Accounts

An account is a representation of a single human being that can log into Portal to view and manage resources, notifications and events. They're inspired by Microsoft accounts within an organisation. [1].

  Caution

An account is not a representation of a client of a customer company who has devices allocated to them, but who cannot log into the portal! (For example: Mrs. Jones is 85 years old and lives in an elderly care facility, and has devices allocated to her. She doesn't need an account; only the staff who cares for Mrs. Jones need accounts to maintain the devices. However, Mrs. Jones' children can have accounts created for them in order to be informed about what's going on.)

The account model contains a number of properties which contain the state; state is often restricted to specific values, and their state can be used to determine the behavior of the account. See AccountDto for more information.

Key Aspects of an Account

Identification The account is associated with unique identifiers (the GUID ID and an email address) that distinguish it from other accounts within the system. Both properties have to be unique.
Authentication This process verifies the identity of the account holder using a password, and optionally Multi-Factor Authentication (MFA).
Authorization Accounts have role(s) assigned to them within a scope that determine what resources or actions it can access. Role permissions can be fine-grained, allowing for specific actions, or broad, providing access to entire systems or functions.
Profile Information Accounts often include profile information such as the account holder’s name, contact details, and roles within the organization, which may be used for personalization or administrative purposes.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication [2] is a security process that requires users to provide multiple forms of identification to verify their identity before granting access. Whether this is required depends on the settings provided by the customer company. MFA enhances security by requiring two or more verification factors, which are generally categorized as:

  • Something You Know: A password or PIN.

  • Something You Have: A physical token, smart card, or a mobile device receiving a one-time code.

  • Something You Are: Biometric verification, such as fingerprint, facial recognition, or voice recognition.

MFA reduces the risk of unauthorized access, even if one factor (like a password) is compromised.

Permissions

Permissions are settings that control what an account can access or do within a system. For our purposes, we use Role-Based Access Control (RBAC)[3]: Users are assigned roles, and each role that these users share between each other has a set of permissions. This means users can be assigned a role based on their job function, and if changes are made to that role, all other users with that role will inherit the changes.

The permissions that are available are listed under PermissionValueMap

Permissions should follow the principle of the least privilege, granting users the minimum level of access necessary to perform their tasks.

Bibliography

[1] Microsoft, Azure Active Directory, Microsoft, https://docs.microsoft.com/en-us/azure/active-directory/
[3] David F. Ferraiolo; D. Richard Kuhn, Proceedings of the 15th National Computer Security Conference, pp. 554-563, U.S. Department of Commerce, https://csrc.nist.gov/files/pubs/conference/1992/10/13/rolebased-access-controls/final/docs/ferraiolo-kuhn-92.pdf

See Also

Reference