11) Verification of Permissions for Security Documents
Security Document Permission Verification Based on SCI Server User ID
API
| Method | URL |
|---|---|
| POST | /api/internal/authCheck |
Request Header
| Name | Required | Description |
|---|---|---|
| Authorization | required | Bearer JWT: Authorization: Bearer {JWT}. Note: the JWT is issued by the authentication/authorization service. |
Request Body
| Name | Required | Type | Description |
|---|---|---|---|
| srcFilePath | required | string | Path of the encrypted (security) document |
| companyId | required | string | Company ID (used to look up the company's key data during permission verification) |
| userId | required | string | ID of the user whose permissions are being checked |
Response
| Name | Type | Description |
|---|---|---|
| code | int | Result code (0: success) |
| userId | string | Target User ID |
| read | int | Read permission (1: granted / 0: denied) |
| edit | int | Write permission (1: granted / 0: denied) |
| decrypt | int | Decryption permission (1: granted / 0: denied) |
Examples
Request Body
- Body
{
"srcFilePath": "E:\\test\\orgin\\test.xlsx",
"companyId": "7FDKQsEK-QVGKyXA2-fx1LxIzy-SNIre0s9",
"userId" : "huiju.lee"
}
Response
- success
Status code : 200 OK
{
"code": 0,
"userId": "huiju.lee",
"read": 1,
"edit": 0,
"decrypt": 0
}
- failure
Status code : 400 Bad Request
{
"code": 40101,
"message": "Invalid token",
"detail": "invalid_token"
}
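A minimal client for this endpoint, as an added example (it is not SCI server or SDK code). The base URL, the AuthCheckError policy, the DocPermissions type and the injectable opener are assumptions; the sample replies are the documented success and failure bodies above. The point it makes is to fail closed: only HTTP 200 with code 0 and a matching userId is treated as a permission result, and every flag other than exactly 1 is read as denied.

```python
"""Client for POST /api/internal/authCheck (added example, not SCI server code)."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class DocPermissions:
    user_id: str
    read: bool
    edit: bool
    decrypt: bool


class AuthCheckError(Exception):
    """Raised for any non-success reply; the caller must treat it as 'no permission'."""


def build_auth_check_request(base_url, jwt, src_file_path, company_id, user_id):
    """Build the request exactly as documented: Bearer JWT header, JSON body with three fields."""
    body = json.dumps({"srcFilePath": src_file_path, "companyId": company_id, "userId": user_id})
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/internal/authCheck",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + jwt, "Content-Type": "application/json"},
    )


def parse_auth_check_response(status, body_text, expected_user_id):
    """Fail closed: only HTTP 200 with code 0 and the expected userId yields permissions."""
    try:
        payload = json.loads(body_text)
    except ValueError as exc:
        raise AuthCheckError("non-JSON reply (status %d)" % status) from exc
    if status != 200 or payload.get("code") != 0:
        raise AuthCheckError("authCheck failed: status=%d code=%s message=%s"
                             % (status, payload.get("code"), payload.get("message")))
    if payload.get("userId") != expected_user_id:
        raise AuthCheckError("reply is for %r, not %r" % (payload.get("userId"), expected_user_id))
    # Flags are 1/0 ints; anything other than exactly 1 (missing, string, 2, ...) is denied.
    return DocPermissions(
        user_id=expected_user_id,
        read=payload.get("read") == 1,
        edit=payload.get("edit") == 1,
        decrypt=payload.get("decrypt") == 1,
    )


def check_document_permissions(base_url, jwt, src_file_path, company_id, user_id,
                               opener=urllib.request.urlopen):
    """Live call; 'opener' is injectable so the function can be exercised without a server."""
    req = build_auth_check_request(base_url, jwt, src_file_path, company_id, user_id)
    try:
        with opener(req) as resp:
            return parse_auth_check_response(resp.status, resp.read().decode("utf-8"), user_id)
    except urllib.error.HTTPError as err:
        # 4xx replies still carry the documented JSON error body
        return parse_auth_check_response(err.code, err.read().decode("utf-8"), user_id)


# Constructed sample replies, taken from the documented examples
SUCCESS_BODY = '{"code": 0, "userId": "huiju.lee", "read": 1, "edit": 0, "decrypt": 0}'
FAILURE_BODY = '{"code": 40101, "message": "Invalid token", "detail": "invalid_token"}'

if __name__ == "__main__":
    print(parse_auth_check_response(200, SUCCESS_BODY, "huiju.lee"))
    try:
        parse_auth_check_response(400, FAILURE_BODY, "huiju.lee")
    except AuthCheckError as e:
        print("denied:", e)
```

Callers should catch AuthCheckError and deny the operation; never fall back to a default of "allowed" when the service is unreachable or returns a non-zero code.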
Security Document Permission Assessment Rules
Returns the SCI server permissions linked to Key Vault, based on the user ID and the security document's header information.
[DAC]: Determining the access subject's permissions from the security document's DAC attributes
(1) Obtain the user's group pass information from KeyVault using the user ID.
(2) Collect the DAC_TYPE_ID list of the DAC objects from the header information (DAC_TYPE 0: user list, DAC_TYPE 1: department list).
(3) If the user ID matches an ID in the user list, return that entry's DAC_READ, DAC_EDIT, DAC_DECRYPT permissions.
(4) Otherwise, check the group IDs of the group pass obtained in (1) against the department list in order, starting from the first group ID; on the first match, return that entry's DAC_READ, DAC_EDIT, DAC_DECRYPT permissions.
(5) If no DAC_TYPE_ID matched in steps (3) to (4), return no permissions (DAC_READ, DAC_EDIT, DAC_DECRYPT all denied).
[MAC]: Determined by the SCI server's online permissions for the document's category
(1) Obtain the user's classification ID from KeyVault using the user ID.
(2) Obtain the MAC_CATEGORY of the MAC object from the header information.
(3) Using the pair from steps (2) and (1) (MAC_CATEGORY, user classification ID), obtain the online permissions (onlinegradeauth) for that category from KeyVault.
(4) Return the first 3 characters of the online permission string obtained in step (3) (read, edit, release; release is the decrypt permission of the response).
[GRADE]: Determined by the SCI server's online permissions (onlinegradeauth) for the document's grade entry
(1) Obtain the user's classification ID from KeyVault using the user ID.
(2) Obtain the DAC_TYPE list of the DAC objects from the header information.
(3) Take the DAC_TYPE_ID and DAC_GRADE_ACCESS_CLASS_ID of the entries whose DAC_TYPE is 2.
(4) Obtain onlinegradeauth from Key Vault using the DAC_TYPE_ID (key ID).
(5) Check whether the classification ID obtained in (1) is included in DAC_GRADE_ACCESS_CLASS_ID.
(6) If it is included, return the first 3 characters of the online permission string (read, edit, release).
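The three rule sets above (DAC, MAC and GRADE) written out as runnable code, as an added example that is not the SCI server's implementation. The header layout (a "dac" list of entries and a "mac" object), the KeyVaultStub and its lookup methods, the encoding of onlinegradeauth ('1' in a position means granted), the order in which KeyVault is keyed for the MAC and GRADE lookups, and the fail-closed result when a GRADE entry does not admit the user's classification are all assumptions; the user IDs, groups and strings are constructed data. How the server merges the three results into the single read/edit/decrypt triple is not stated on the page, so the example returns them separately.

```python
"""DAC / MAC / GRADE permission walk-through (added example, not SCI server code)."""
from dataclasses import dataclass

# DAC_TYPE values named in the rules: 0 = user list, 1 = department list, 2 = grade access class
DAC_TYPE_USER, DAC_TYPE_DEPT, DAC_TYPE_GRADE = 0, 1, 2


@dataclass(frozen=True)
class Perm:
    read: int = 0
    edit: int = 0
    decrypt: int = 0


DENY = Perm()  # fail closed: no match means no permission


class KeyVaultStub:
    """Hypothetical stand-in for the KeyVault lookups the rules reference (constructed data)."""

    def __init__(self):
        # user ID -> ordered group pass; the first group ID is checked first (DAC step 4)
        self._group_pass = {"huiju.lee": ["DEPT-SALES", "DEPT-KR"], "min.park": ["DEPT-ALL", "DEPT-KR"]}
        self._class_id = {"huiju.lee": "C2", "min.park": "C3"}        # user ID -> classification ID
        self._category_auth = {("CONFIDENTIAL", "C2"): "110"}          # (MAC_CATEGORY, class ID) -> onlinegradeauth
        self._keyid_auth = {"GRADE-KEY-1": "100"}                      # DAC_TYPE_ID (key ID) -> onlinegradeauth

    def group_pass(self, user_id):
        return list(self._group_pass.get(user_id, []))

    def class_id(self, user_id):
        return self._class_id.get(user_id)

    def onlinegradeauth_for_category(self, category, class_id):
        return self._category_auth.get((category, class_id))

    def onlinegradeauth_for_keyid(self, keyid):
        return self._keyid_auth.get(keyid)


def perm_from_dac(entry):
    return Perm(int(entry["DAC_READ"]), int(entry["DAC_EDIT"]), int(entry["DAC_DECRYPT"]))


def perm_from_online_auth(auth):
    """First 3 characters of onlinegradeauth = read, edit, release (decrypt). Assumes '1' = granted."""
    if auth is None or len(auth) < 3:
        return DENY
    return Perm(*(int(ch == "1") for ch in auth[:3]))


def dac_permissions(header, user_id, vault):
    group_pass = vault.group_pass(user_id)                                                   # (1)
    users = {e["DAC_TYPE_ID"]: e for e in header["dac"] if e["DAC_TYPE"] == DAC_TYPE_USER}  # (2)
    depts = {e["DAC_TYPE_ID"]: e for e in header["dac"] if e["DAC_TYPE"] == DAC_TYPE_DEPT}
    if user_id in users:                                                                     # (3)
        return perm_from_dac(users[user_id])
    for group_id in group_pass:                                                              # (4) first group first
        if group_id in depts:
            return perm_from_dac(depts[group_id])
    return DENY                                                                              # (5)


def mac_permissions(header, user_id, vault):
    class_id = vault.class_id(user_id)                                                       # (1)
    category = header["mac"]["MAC_CATEGORY"]                                                 # (2)
    auth = vault.onlinegradeauth_for_category(category, class_id)                            # (3)
    return perm_from_online_auth(auth)                                                       # (4)


def grade_permissions(header, user_id, vault):
    class_id = vault.class_id(user_id)                                                       # (1)
    for entry in header["dac"]:                                                              # (2)
        if entry["DAC_TYPE"] != DAC_TYPE_GRADE:                                              # (3)
            continue
        auth = vault.onlinegradeauth_for_keyid(entry["DAC_TYPE_ID"])                         # (4)
        if class_id in entry["DAC_GRADE_ACCESS_CLASS_ID"]:                                   # (5)
            return perm_from_online_auth(auth)                                               # (6)
    return DENY  # assumed: no grade entry admits this classification -> no permission


def evaluate(header, user_id, vault=None):
    """Run all three rule sets; the page does not say how the server merges them."""
    vault = vault or KeyVaultStub()
    return {"dac": dac_permissions(header, user_id, vault),
            "mac": mac_permissions(header, user_id, vault),
            "grade": grade_permissions(header, user_id, vault)}


# Constructed security-document header; the field layout is an assumption
HEADER = {
    "dac": [
        {"DAC_TYPE": DAC_TYPE_USER, "DAC_TYPE_ID": "huiju.lee", "DAC_READ": 1, "DAC_EDIT": 0, "DAC_DECRYPT": 0},
        {"DAC_TYPE": DAC_TYPE_DEPT, "DAC_TYPE_ID": "DEPT-KR", "DAC_READ": 1, "DAC_EDIT": 1, "DAC_DECRYPT": 0},
        {"DAC_TYPE": DAC_TYPE_GRADE, "DAC_TYPE_ID": "GRADE-KEY-1", "DAC_GRADE_ACCESS_CLASS_ID": ["C1", "C2"]},
    ],
    "mac": {"MAC_CATEGORY": "CONFIDENTIAL"},
}

if __name__ == "__main__":
    for uid in ("huiju.lee", "min.park", "nobody"):
        print(uid, evaluate(HEADER, uid))
```

Two details worth noticing in the walk-through: a direct user-list match in DAC step (3) wins even when a department entry later in the group pass would grant more (huiju.lee gets read only, although DEPT-KR grants edit), and an onlinegradeauth string shorter than 3 characters is treated as denied rather than padded.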