Security and Access Permissions Hierarchy

Overview

The articles in this section deal with all aspects of User Security: how to enforce and control access rights for ITAS Users. This section covers:

  • Authentication - the process of verifying who you are

  • Authorisation - the process of verifying that you have access to something

Users are authenticated through a combination of a Windows account (Active Directory) and an ITAS (CMP) account. When using ITAS via a desktop, the user is identified by logging into the domain hosting ITAS; the Windows account name is passed through and linked to the corresponding ITAS account, so the two accounts must have the same name. When accessing ITAS via the Web Portal, the user will be prompted for their username and password.

Users are authorised to access ITAS at Application and Data levels. 

Active Directory Group

There are two principal groups managed through Active Directory that control the top-level access rights for a user:

  • ITAS Administrators 
  • ITAS Users

The AD group names are configurable and can be assigned through Trader Desktop -> System Settings -> Configure Active Directory.
Members of the ITAS Administrators AD group have access to restricted menu options in Trader Desktop - see here for the list.

ITAS Licence

ITAS (CMP) accounts are assigned a licence through AUTH; without an appropriate licence, access will be prevented. *

Platform Access

Depending on requirements, users can be granted access to ITAS via a Desktop connection, via the Web (Access) Portal through a browser connection, or both. Access rights are maintained through CMP.

Trading Entity

Users can be assigned access to specific Trading Entities, with an associated privilege level. Trading Entity access rights can be maintained through CMP or User Admin.

Menu Options (Applications)

At Trading Entity level, users can be granted access to ALL menu options (full access or read only), or selected menu options. 

Privileges

Privileges are primarily function-driven, and therefore are generally associated with specific menu options. 

* For clients operating with a concurrent user licence, individual accounts do not need an ITAS Licence, as access is managed dynamically at run-time.

Figure 1: hierarchy of precedence for the authentication and authorisation for a user
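
The layers described above can be modelled as a deny-by-default chain, evaluated in the order the sections list them, that reports the first layer to refuse a request. The following Python model is an added example, not ITAS code: the `Account` and `Entity` classes, the `check` function, the sample accounts, the menu and privilege names and the `restricted-option` placeholder are all hypothetical.

```python
from dataclasses import dataclass, field

USERS, ADMINS = "ITAS Users", "ITAS Administrators"   # AD group names are configurable
RESTRICTED = {"restricted-option"}   # placeholder: the page does not list these options

@dataclass
class Entity:                      # access held on one Trading Entity (hypothetical model)
    all_menus: str = ""            # "full", "read_only", or "" when only selected menus
    menus: dict = field(default_factory=dict)        # menu option -> "full" | "read_only"
    privileges: set = field(default_factory=set)     # function-level privileges

@dataclass
class Account:
    ad_groups: set                 # AD groups of the matching Windows account
    licensed: bool                 # per-account ITAS licence
    platforms: set                 # subset of {"desktop", "web"}
    entities: dict = field(default_factory=dict)     # Trading Entity -> Entity

def check(acct, platform, entity, menu, write=False, privilege=None, concurrent=False):
    """Walk the layers in order; return the first layer that denies, or "granted"."""
    if not acct.ad_groups & {USERS, ADMINS}:
        return "denied:ad_group"
    if not (concurrent or acct.licensed):   # concurrent licences are managed at run-time
        return "denied:licence"
    if platform not in acct.platforms:
        return "denied:platform"
    grant = acct.entities.get(entity)
    if grant is None:
        return "denied:trading_entity"
    if menu in RESTRICTED and ADMINS not in acct.ad_groups:
        return "denied:menu"
    level = grant.all_menus or grant.menus.get(menu, "")
    if not level or (write and level == "read_only"):
        return "denied:menu"
    if privilege is not None and privilege not in grant.privileges:
        return "denied:privilege"
    return "granted"

# Constructed sample accounts
alice = Account({USERS}, True, {"desktop"}, {"TE1": Entity(all_menus="read_only")})
bob = Account({USERS}, False, {"desktop", "web"},
              {"TE1": Entity(menus={"Contracts": "full"}, privileges={"approve"})})
```

Returning the name of the denying layer makes it possible to audit why an account was refused, for example telling a missing licence apart from a missing Trading Entity assignment.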

