Snow Owl security features enable you to easily secure your terminology server. You can password-protect your data as well as implement more advanced security measures such as role-based access control and auditing.
By default Snow Owl comes without any security features enabled and all read and write operations are unprotected. To configure a security realm, you can choose from the following built-in identity providers:
After configuring at least one security realm, Snow Owl will authenticate all incoming requests to ensure that the sender of the request is allowed to access the terminology server and its contents. To authenticate a request, the client must send an HTTP Bearer `Authorization` header with the request. The value should be a user/pass pair in case of using Basic authentication or a JWT token generated by Snow Owl if using the
NOTE: It is recommended in production environments that all communication between a client and Snow Owl is performed through a secure connection.
Snow Owl sends an `HTTP 401 Unauthorized` response if a request needs to be authenticated.
If supported by the security realm, Snow Owl will also check whether an authenticated user is permitted to perform the requested action on a given resource.
Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members, staff or other system users are assigned particular roles, and through those role assignments acquire the permissions needed to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.
1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
2. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
With rules 1 and 2, it is ensured that users can exercise only permissions for which they are authorized.
- S = Subject = A person or automated agent
- R = Role = Job function or title which defines an authority level
- P = Permissions = An approval of a mode of access to a resource
In Snow Owl a permission is a single value that represents both the operation the user would like to perform and the resource that is being accessed. The format is the following:
Currently there are 7 operations supported by Snow Owl:
- `browse` - read the contents of a resource
- `edit` - write the contents of the resource, delete the resource
- `import` - import from external content and formats
- `export` - export to external content and formats
- `version` - create a version in a Code System, create a release
- `promote` - merge content from isolated branch environments to a Code System's development version
- `classify` - run classifiers and save their results
Resources represent the content that is being accessed by a client. A resource can be anything that can be resolved to a database entry. Currently, the following resource formats are allowed to be used in a permission:
- `<repositoryId>` - access the entire content available in a terminology repository
- `<repositoryId>/<branch>` - access the content available on a branch in a terminology repository
- `<codeSystemId>` - access all content of a Code System, including both the latest development and all previous releases
- `<codeSystemId>/<versionId>` - access a specific release of a Code System
There is a special `*` wildcard character that can be used for both the operation and resource parts in a permission value to allow any operation to be performed on any or selected resources, or to allow certain operations to be performed on any available resources.
- `browse:snomedStore` - browse all SNOMED CT Code Systems and their content
- `edit:SNOMEDCT-UK-CL` - edit the
- `export:SNOMEDCT-US/2019-03-01` - export the `2019-03-01` US Extension release
- `*:SNOMEDCT` - allow any operations to be performed on the
- `browse:*` - allow read operations on all available resources
- `*:*` - administrator permission, the user can do anything with any of the available resources
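The role and permission rules above can be sketched as a small deny-by-default check. This is an added example, not Snow Owl's own code. Assumptions: the `operation:resource` shape is taken from the example values, the role and user names are constructed, and a permission on a resource is assumed to cover its `resource/...` children, following the resource descriptions.

```python
# Illustrative permission check; NOT Snow Owl's implementation.
OPERATIONS = {"browse", "edit", "import", "export",
              "version", "promote", "classify"}

def parse_permission(value):
    """Split an 'operation:resource' value and validate the operation."""
    operation, sep, resource = value.partition(":")
    if not sep or not operation or not resource:
        raise ValueError(f"malformed permission: {value!r}")
    if operation != "*" and operation not in OPERATIONS:
        raise ValueError(f"unknown operation: {operation!r}")
    return operation, resource

def implies(granted, requested):
    """True if the granted permission covers the requested one."""
    g_op, g_res = parse_permission(granted)
    r_op, r_res = parse_permission(requested)
    op_ok = g_op == "*" or g_op == r_op
    # Match children only on a '/' boundary, so that 'SNOMEDCT'
    # does not silently cover the unrelated 'SNOMEDCT-US'.
    res_ok = (g_res == "*" or g_res == r_res
              or r_res.startswith(g_res + "/"))
    return op_ok and res_ok

# Constructed sample data: roles hold permissions, users hold roles.
ROLES = {
    "browser": ["browse:*"],
    "us-releaser": ["export:SNOMEDCT-US/2019-03-01", "version:SNOMEDCT-US"],
    "admin": ["*:*"],
}
USER_ROLES = {"alice": ["browser", "us-releaser"], "bob": []}

def is_permitted(user, requested):
    """Rules 1 and 2: the user needs a role, and one of those roles
    must authorize the requested permission. Unknown users are denied."""
    return any(implies(granted, requested)
               for role in USER_ROLES.get(user, ())
               for granted in ROLES.get(role, ()))

if __name__ == "__main__":
    for user, perm in [("alice", "export:SNOMEDCT-US/2019-03-01"),
                       ("alice", "edit:SNOMEDCT-US"),
                       ("bob", "browse:SNOMEDCT")]:
        print(user, perm, is_permitted(user, perm))
```
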
To configure authorization, please consult the security realm specific documentation: