
MCE Dissemination Controls Configuration

Dissemination Controls Overview

Purpose

The purpose of Dissemination Controls is to allow an MCE administrator to specify certain Attributes as being both publicly known (Well Known) and used to control access to Groups. Examples of the kind of Attributes that may be considered suitable for Dissemination Controls might be ones which describe membership in an organization, or a personnel type. Like other forms of access control in MCE, Dissemination Controls are set for the lifetime of the Group and cannot be changed once the group is created. This is an intentional design decision to provide guarantees about which users have access to information.

A key property of Dissemination Controls is that when there are multiple Attributes selected within a particular Control, a user is allowed access if they have any of those attributes. This means that within a particular Dissemination Control, selecting more attributes will widen the scope of access to that group. An example of this is provided in the Create a New Group section.

Key definitions for terms are included in the Definitions section at the bottom of this page.

Context

The following diagram shows a high-level overview of how the elements of the Dissemination Controls feature interact.

Dissemination Controls Context

  • Attributes are provided to the system as normal, using an Attribute Provider.
  • Administrators manage Attribute Type Behaviors; they can create or edit them using the PowerShell commands.
  • Attribute Type Behaviors create new Dissemination Controls.
  • Group Owners create groups using Dissemination Controls, defining the room access rules.
  • The ABAC system uses the Dissemination Controls to determine room access.

Configuration

Enable Dissemination Controls

The Dissemination Controls feature is enabled via the Management Tool in the Feature -> MCE section. The only option available is to enable or disable the feature. Configuration of Dissemination Controls themselves is done via the PowerShell interface.

Dissemination Controls Configuration

Configure an Attribute Type Behavior

Note: Attribute Type Behaviors are a more general approach to assigning behavior to Attributes. They are currently only used for Dissemination Controls, but in the future may be used for other kinds of behavior.

There are three PowerShell commands that are used to manage Attribute Type Behaviors:

  • New-MceAttributeTypeBehavior - Used to create new Attribute Type Behaviors. It has three required parameters: DisplayName, AttributeIssuer and AttributeName.
  • Get-MceAttributeTypeBehavior - Used to view existing Attribute Type Behaviors and retrieve their runtime identifiers. Unless an Id is specified, all existing Attribute Type Behaviors are returned.
  • Set-MceAttributeTypeBehavior - Used to modify existing Attribute Type Behaviors when given a runtime identifier.

The following will register all Attribute Values in the AI:organizations Attribute Type as members of a new set of Dissemination Controls called “Duty Organisations”.

New-MceAttributeTypeBehavior -DisplayName "Duty Organisations" -AttributeIssuer "AI" -AttributeName "organizations"

You can also filter which Attribute Values to include by supplying a regular expression. For example, the following will only include Attribute Values that start with org_ in the Duty Organisations set of Dissemination Controls. You can also set the IsEnabled property at creation. IsEnabled defaults to $true, so specify it only if you want to create a disabled Attribute Type Behavior.

New-MceAttributeTypeBehavior -DisplayName "Duty Organisations" -AttributeIssuer "AI" -AttributeName "organizations" -Filter "^org_" -IsEnabled $false

If you want to modify an existing Attribute Type Behavior you can use the Set command.

  • You can use that same filtering behavior.
  • To reset the filter value back to the default, to include all attributes, set the value to ".".
  • If you no longer want a particular set of Dissemination Controls you can disable their underlying Attribute Type Behavior. This will result in those attributes no longer being Well Known, and they will no longer appear under the Dissemination Controls UI.
  • The same command can be used for disabling and re-enabling an Attribute Type Behavior by setting the IsEnabled property to $true or $false.

Set-MceAttributeTypeBehavior -Id "{guid-id}" -Filter "^org_"
Set-MceAttributeTypeBehavior -Id "{guid-id}" -IsEnabled $false
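
Before applying a filter, it helps to preview which attribute values it would select, since every selected value becomes Well Known. The following is an added example, not part of MCE or of the original page; Get-FilterPreview and the sample values are hypothetical, and it assumes the filter is a .NET regular expression searched anywhere in the value, as the "^org_" and "." examples imply.

```powershell
# Added example: preview which attribute values a -Filter pattern would select.
# Assumption: the filter is a .NET regular expression that may match anywhere
# in the value (consistent with "^org_" = starts with, "." = include all).
# Case handling inside MCE is not stated on the page; this uses the .NET default.
function Get-FilterPreview {
    param(
        [Parameter(Mandatory)] [string]   $Filter,
        [Parameter(Mandatory)] [string[]] $Values
    )
    # Constructing the regex first surfaces an invalid pattern before it is applied.
    $regex = [regex]::new($Filter)
    foreach ($v in $Values) {
        [pscustomobject]@{
            Value    = $v
            Included = $regex.IsMatch($v)
        }
    }
}

# Constructed sample values, not taken from a real Attribute Provider.
$sample = 'org_alpha', 'org_bravo', 'suborg_charlie', 'team_delta'

# Compare the anchored filter, an unanchored variant, and the "include all" default.
foreach ($pattern in '^org_', 'org_', '.') {
    $included = Get-FilterPreview -Filter $pattern -Values $sample |
        Where-Object Included |
        ForEach-Object Value
    '{0,-6} -> {1}' -f $pattern, ($included -join ', ')
}
```

Under these assumptions the unanchored pattern org_ also selects suborg_charlie, so dropping the ^ anchor widens the set of values that become Well Known.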

The Set-MceAttributeTypeBehavior command supports piping. You can use it in combination with the Get-MceAttributeTypeBehavior command to update multiple Attribute Type Behaviors at the same time.

Get-MceAttributeTypeBehavior | Set-MceAttributeTypeBehavior -IsEnabled $false

Create a new Group

You can now create new groups with Dissemination Controls, although it is not mandatory. You can still create new groups without selecting any dissemination controls.

When multiple attribute sets are selected on group creation, only users who have at least one attribute expression from each selected Dissemination Control will be allowed to join the group.

In the following example two different sets of Dissemination Controls have been configured – one for Duty Organisation and another for Personnel Type. The MilOrgA and CivOrgB attributes within Duty Organisations have been selected, as have the Admin and Military attributes within Personnel Type. In addition, the coi1 Community of Interest is also selected.

Dissemination Controls Group Creation

The result of this is that for a user to be allowed access to this room they must meet all the following criteria:

  • Read into coi1
  • Have either the MilOrgC or CivOrgB attribute and have either the Admin or Military attribute.

The same access rules apply to all Open, Closed or Secret groups. For Closed and Secret groups, a user will have access to a room only if they have the appropriate dissemination attributes and have been added as a member in the members list.
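
The rule above (any attribute within a control, every control, the selected Community of Interest, plus membership for Closed and Secret groups) can be modelled as follows. This is an added example, not MCE's own code; Test-GroupAccess, the hashtable layout and the users are hypothetical, and the group uses the selection named in the example (MilOrgA, CivOrgB; Admin, Military; coi1).

```powershell
# Added example: models the access rule described on this page. Not MCE's code.
# Test-GroupAccess and the hashtable shapes are hypothetical.
function Test-GroupAccess {
    param(
        [Parameter(Mandatory)] [hashtable] $Group,  # Type, Coi, Members, Controls
        [Parameter(Mandatory)] [hashtable] $User    # Name, Cois, Attributes
    )
    # The user must be read into the group's Community of Interest.
    if ($Group.Coi -and ($User.Cois -notcontains $Group.Coi)) { return $false }

    # Across controls the rule is AND; within one control any selected attribute is enough.
    foreach ($control in $Group.Controls.GetEnumerator()) {
        $held = @($control.Value | Where-Object { $User.Attributes -contains $_ })
        if ($held.Count -eq 0) { return $false }
    }

    # Closed and Secret groups additionally require the user to be in the members list.
    if (($Group.Type -in 'Closed', 'Secret') -and ($Group.Members -notcontains $User.Name)) {
        return $false
    }
    return $true
}

$group = @{
    Type     = 'Closed'
    Coi      = 'coi1'
    Members  = @('alice', 'bob')
    Controls = @{
        'Duty Organisations' = @('MilOrgA', 'CivOrgB')
        'Personnel Type'     = @('Admin', 'Military')
    }
}

# Constructed users for illustration.
$users = @(
    @{ Name = 'alice'; Cois = @('coi1'); Attributes = @('CivOrgB', 'Military') }
    @{ Name = 'bob';   Cois = @('coi1'); Attributes = @('MilOrgA', 'CivOrgB') }  # holds no Personnel Type value
    @{ Name = 'carol'; Cois = @('coi1'); Attributes = @('MilOrgA', 'Admin') }    # not in the members list
)

foreach ($u in $users) {
    '{0,-6} access: {1}' -f $u.Name, (Test-GroupAccess -Group $group -User $u)
}
```

Holding two values from the same control does not compensate for holding none from another control, and matching attributes do not grant access to a Closed group without membership.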

Info: Once you create a Group using Dissemination Controls the selected Dissemination Attributes are permanently stored against the Group. If those attributes are later removed from a Dissemination Attribute Type Behavior then they will not be removed from the Group's access control. This is the case whether you disable the feature, disable the Attribute Type Behavior or apply a Filter that excludes certain attributes.

Once set, a Group's Dissemination Controls cannot be altered.

After setting Dissemination Controls on a group during its creation you can view the attributes that have been selected when editing the group. You cannot, however, modify those controls.

You can disable the feature using the same setting under the Management Center -> Feature -> MCE section. When the feature is disabled, users won't see the Dissemination Controls section in the group management window and won't be able to use them. As mentioned above, however, once set, a Group's Dissemination Controls cannot be altered.

Definitions

Well Known

A property of an Attribute. An attribute that is Well Known should be visible to all users of a system. Such an attribute describes something that is not secret, is common knowledge, and is generally assumed to be known by all users of a system. It is an attribute that all users of the system are allowed to see, even if they don't have the attribute themselves.

An example would be an attribute that describes the nationality of a user, which organisation a user belongs to or a user's personnel type.

Attribute Type

An Attribute Type describes all attributes that exist within a particular issuer and attribute name pair. For example, attributes that have the issuer AI and Attribute Name organisations are within the AI:organisations Attribute Type.

Attribute Type Behavior

An Attribute Type Behavior describes a behavior that applies to an Attribute Type (or a subset of attributes within that type). A filtering mechanism is used to define the subsets of attribute values within the type. In this case we filter using a regular expression applied to the value of an attribute.

For example, an Attribute Type Behavior could specify that attributes within the AI:organisations Attribute Type should all have the Dissemination Behavior. This means that they are all considered to be Dissemination Attributes, as well as all being Well Known.

Dissemination Attribute

These are attributes that are used to define how far information is allowed to disseminate. They typically relate to properties of a user rather than the information. When dissemination attributes of a particular type are combined, they increase the scope of access. For example, they may describe a particular organisation or nationality.

Once defined via Attribute Type Behaviors, Dissemination Attributes are visible as part of the Dissemination Controls feature.

Dissemination Control

A group of Dissemination Attributes within a particular Attribute Type. These are shown together under a common header (which is the name of the Attribute Type Behavior that configured them as Dissemination Attributes) when creating or editing a group.