Customizing CUBA Security module


I have a requirement wherein all the operations related to the Security module, such as role creation, permission assignments, user creation etc., have to be authorized by another user in the system.

For instance, let's say we create two super administrators in the system, named AdminInputter and AdminAuthorizer. Whenever AdminInputter performs a security operation, such as creating a User or modifying a Permission for a role, it shouldn't take effect immediately. Rather, when AdminAuthorizer logs in, he gets all such changes made by AdminInputter in a queue, and then the Authorizer approves or rejects those changes. Based on the action taken by AdminAuthorizer: if it is approved, it should overwrite the current values for the changes (for example, if a modified permission gets approved, the new permission will take effect for the role); if it gets rejected, the old values for the permission remain in effect.

Can you please point me in the right direction for this use case and how to implement it using the standard security module provided out of the box by the CUBA platform? Or does it have to be implemented from scratch? If that is the case, please guide me on the best practices for the above implementation on the CUBA platform.


Hi Shoaib,

I think CUBA security can be too low level and fine-grained for this task.
Even if you manage to extend security entities to support the required “approval status” attributes, I’m afraid it will be too inconvenient for your administrators to work in terms of existing security elements.

I would recommend building a higher level “application security” system. So your AdminInputter and AdminAuthorizer will work with special security entities, and you can organize the workflow with approval queues as required. After the changes are approved, they should be translated to CUBA security by creating appropriate Users, Permissions, etc.
In addition to the application-level admins, there should be a RootAdmin in the system, which will have full control over CUBA security and grant initial low-level permissions to application admins.
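The workflow sketched in this answer (inputter records a change, authorizer approves or rejects it from a queue, and only an approved change is translated into the low-level permission) can be modelled as a small state machine. The following plain Java class is an added illustration written for this page; it is not code from the answer's author or from the CUBA platform. All class and method names are assumptions, and `EffectivePermissions` is an in-memory stand-in for the CUBA `Role`/`Permission` entities that the approved change would actually be written to. It also enforces a four-eyes check (the requester cannot authorize their own change), which the question implies but does not state explicitly.

```java
import java.util.*;

/**
 * Added example: an "application security" approval queue in front of the
 * low-level permission store. Nothing reaches the effective store until an
 * authorizer approves the request; a rejected request leaves the old value.
 * All names here are assumptions for illustration only.
 */
public class SecurityChangeApproval {

    enum Status { PENDING, APPROVED, REJECTED }

    /** One queued change: "set permission <target> of role <role> to <newValue>". */
    static final class PermissionChangeRequest {
        final UUID id = UUID.randomUUID();
        final String requestedBy;   // e.g. "AdminInputter"
        final String role;
        final String target;        // permission target, e.g. "sec$User:create" (constructed sample)
        final int newValue;         // 1 = allow, 0 = deny
        Status status = Status.PENDING;
        String decidedBy;           // set once an authorizer acts on the request

        PermissionChangeRequest(String requestedBy, String role, String target, int newValue) {
            this.requestedBy = requestedBy;
            this.role = role;
            this.target = target;
            this.newValue = newValue;
        }
    }

    /** Stand-in for the low-level security store (in CUBA: Role/Permission entities). */
    static final class EffectivePermissions {
        private final Map<String, Integer> values = new HashMap<>();
        private static String key(String role, String target) { return role + "|" + target; }
        void set(String role, String target, int value) { values.put(key(role, target), value); }
        Integer get(String role, String target) { return values.get(key(role, target)); }
    }

    private final EffectivePermissions effective = new EffectivePermissions();
    private final Map<UUID, PermissionChangeRequest> requests = new LinkedHashMap<>();

    /** Inputter step: only a pending request is recorded; the effective store is untouched. */
    public PermissionChangeRequest submit(String inputter, String role, String target, int newValue) {
        PermissionChangeRequest r = new PermissionChangeRequest(inputter, role, target, newValue);
        requests.put(r.id, r);
        return r;
    }

    /** The authorizer's queue: every request that is still pending. */
    public List<PermissionChangeRequest> pendingQueue() {
        List<PermissionChangeRequest> out = new ArrayList<>();
        for (PermissionChangeRequest r : requests.values()) {
            if (r.status == Status.PENDING) out.add(r);
        }
        return out;
    }

    /** Authorizer step: approve translates the change into the effective store; reject keeps the old value. */
    public void decide(String authorizer, UUID requestId, boolean approve) {
        PermissionChangeRequest r = requests.get(requestId);
        if (r == null || r.status != Status.PENDING) {
            throw new IllegalStateException("no pending request " + requestId);
        }
        if (authorizer.equals(r.requestedBy)) {
            throw new SecurityException("requester may not authorize their own change");
        }
        r.decidedBy = authorizer;
        if (approve) {
            r.status = Status.APPROVED;
            effective.set(r.role, r.target, r.newValue);   // only now does the change take effect
        } else {
            r.status = Status.REJECTED;                     // old value remains in effect
        }
    }

    public Integer effectiveValue(String role, String target) {
        return effective.get(role, target);
    }

    public static void main(String[] args) {
        SecurityChangeApproval app = new SecurityChangeApproval();
        String role = "Manager", target = "sec$User:create";   // constructed sample values
        app.effective.set(role, target, 0);                    // current (old) value: deny

        PermissionChangeRequest r1 = app.submit("AdminInputter", role, target, 1);
        System.out.println("after submit : " + app.effectiveValue(role, target)); // still 0
        app.decide("AdminAuthorizer", r1.id, false);
        System.out.println("after reject : " + app.effectiveValue(role, target)); // still 0

        PermissionChangeRequest r2 = app.submit("AdminInputter", role, target, 1);
        System.out.println("queue size   : " + app.pendingQueue().size());        // 1
        app.decide("AdminAuthorizer", r2.id, true);
        System.out.println("after approve: " + app.effectiveValue(role, target)); // now 1
    }
}
```

In a real CUBA project the `PermissionChangeRequest` would be a persistent entity managed by the application-level admins' screens, and the body of the `approve` branch would create or update the corresponding CUBA `Permission` under the RootAdmin's low-level rights rather than writing to an in-memory map.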