User role to view company details

[Erikvv]

Proposal summary

• Create roles in keycloak which give permission to view the details of companies
• Assign these roles to Zenmo and Energieke Region personnel but not to civil servants
• Implement permission checks in the model when showing sensitive company data

Background

In the Drechtsteden project, civil servants of municipalities should not have access to data of individual companies. The consequence is that they currently can't use the interactive LUX Energy Hub models.

This pertains to the following 7 models:

• Alblasserdam
• Hardinxveld-Giessendam
• Sliedrecht
• Dordrecht
• Papendrecht
• Zwijndrecht
• Hendrik-Ido-Ambacht

In the long term, I wish we eventually have a more comprehensive access control strategy based on resources and scopes (lux-website#306). However this is a big project and I don't oversee all the implications yet to create a minimal version.

Constraints

To keep this a quick win we preferably stay close to the currently implemented structure:

• Communicating user privileges to the simulation model is done through the user ID token
• The user ID token can only contain roles

Implementation

Keycloak

Create a new client "lux_access_roles". Add the following roles:

• alblasserdam_view_company_details
• hardinxveld_giessendam_view_company_details
• sliedrecht_view_company_details
• dordrecht_view_company_details
• papendrecht_view_company_details
• zwijndrecht_view_company_details
• hendrik_ido_ambacht_view_company_details

Assign these roles to Zenmo and Energieke Regio personnel but not to the civil servants.

Library

Modify the existing but unused library zero-access to check the roles in client "lux_access_roles".

Package a JAR file to import in the Drechtsteden model.

Example library usage:

import static energy.lux.access.LuxAccessKt.hasRole;

if (hasRole("zwijndrecht_view_company_details", idToken)) {
    // show GUI element
}

Relevant code:

• https://github.com/Zenmo/zero-access/blob/main/src/main/kotlin/ZeroAccess.kt
• https://github.com/Zenmo/uplux/blob/main/src/main/java/energy/lux/uplux/JWTDecoder.java

Generic model code

To zerointerfaceloader add a new interface:

interface AccessPolicy {
    boolean mayViewCompanyDetails();
    
    AccessPolicy AllowAll = () -> true;

    AccessPolicy DenyAll = () -> false;
}

To zerointerfaceloader.Zero_Interface add a new parameter p_accessPolicy with a default value AccessPolicy.AllowAll

In places where sensitive data is shown the UI code calls p_accessPolicy.mayViewCompanyDetails() beforehand. If this returns false, display a placeholder or alert dialog box informing the user that he may not view this part of the model.

Relevant code:

• zero_Interface-Loader/_alp/Agents/Zero_Interface/Levels/Level.level.xml

  Line 1010 in f9fe8db

  uI_Company.va_companyUI.navigateTo();

• zero_Interface-Loader/_alp/Agents/Zero_Interface/Code/Functions.java

  Line 3033 in f9fe8db

  uI_Company = add_pop_UI_Company();

• Probably many more places....

Drechsteden model code

• In Project_selection.xlsx add a new column view_company_details_role filled with the roles above.
• Add a new class:

import static energy.lux.access.LuxAccessKt.hasRole;

@lombok.Builder
class RoleBasedAccessPolicy implements AccessPolicy {
    private String viewCompanyDetailsRole;
    private String userIdToken;

    @Override
    public boolean mayViewCompanyDetails() {
        return hasRole(viewCompanyDetailsRole, userIdToken);
    }
}

• Bring the class and parameters together in startup/loader code:

project_interface.p_accessPolicy = RoleBasedAccessPolicy
    .builder()
    .viewCompanyDetailsRole(...)
    .userIdToken(...)
    .build();

Model Development Experience (DX)

We need some easy way to obtain an ID token, for example Zenmo/lux-website#230 -> asked Kofi to work on this.

We don't want to leak it so it doesn't seem like a good idea to put it in a parameter when developing locally. Correct?

Maybe we can ask for it in a popup and then write it to a file which is in .gitignore and not uploaded to the cloud.

I general to test if the right things are hidden you can set the AccessPolicy to DenyAll.

Throughts or ideas?

[AteZenmo]

@Erikvv Sorry, i dont fully understand you. Just one role? So default people should not be allowed in companies, only when they have that role that should be allowed to access all? Is that what you mean?

And if so: What am i getting in the model exactly? Easiest way to circumvent it would be to get Something (String FULL?) from you if they have access, and null or String PUBLIC_ONLY from you if they dont. Then in anylogic local, i can just default it at full access.

[Erikvv]

@AteZenmo I've worked out the details, can you share your input on the proposal? Most of the work is in Zero_Interface, maybe more than I thought initially.

[AteZenmo]

@Erikvv The model already has all options handled. from the startup code settings. So I would (currently) not do antyhing else to the interface_loader yet in my opinion.

So, just this:
import static energy.lux.access.LuxAccessKt.hasRole;

if (hasRole("zwijndrecht_view_company_details", idToken)) {
p_userGCAccessType = OL_UserGCAccessType.FULL;
}
else{
p_userGCAccessType = OL_UserGCAccessType.PUBLIC_ONLY;
}

is enough I think to already make it fully functional with the current setup.

-> Your other suggestions are nice though, as they give warning when some clicks on something that is not allowed, while in the current model PUBLIC_ONLY simply not lets you click on something. A warning, and not going trough with it could be a better UX.

But regarding required time and available time, for now I would just stick with the current fully functional setup the model has. And simply an input is needed that tells if a user has FULL privelage or not.

[AteZenmo]

Regarding drechtsteden code, i do agree this should be added to the project_selection.xlsx:
In Project_selection.xlsx add a new column view_company_details_role filled with the roles above.

[Erikvv]

But regarding required time and available time, for now I would just stick with the current fully functional setup the model has. And simply an input is needed that tells if a user has FULL privelage or not.

I was not aware to the extend this was already implemented. I will make a release of lux-access so you can integrate that.

in the current model PUBLIC_ONLY simply not lets you click on something

You mean just the GIS map right? If the user can't click on anything they can only view the live simulation which is not so useful.

[AteZenmo]

Yes, you are correct, they cannot click on the gismap on buildings with survey data or gridnodes that have too little GC attached (10 I believe). Also fitlering is disabled/limited. They can click on everything else on the map or the interface.

And perfect!

[Erikvv]

Release of lux-access: https://github.com/Zenmo/lux-access/releases/tag/0.2

The client and roles have been added to Keycloak

Kofi should be able to make the token ID page on lux.energy next week

cc @naudloomans