
MCE Dissemination Controls Configuration

Dissemination Controls Overview

Purpose

The purpose of Dissemination Controls is to allow an MCE administrator to specify certain Attributes as being both publicly known (Well Known) and used to control access to Groups. Examples of the kind of Attributes that may be considered suitable for Dissemination Controls might be ones which describe membership in an organization, or a personnel type. Like other forms of access control in MCE, Dissemination Controls are set for the lifetime of the Group and cannot be changed once the group is created. This is an intentional design decision to provide guarantees about which users have access to information.

A key property of Dissemination Controls is that when there are multiple Attributes selected within a particular Control, a user is allowed access if they have any of those attributes. This means that within a particular Dissemination Control, selecting more attributes will widen the scope of access to that group. An example of this is provided in the Create a New Group section.

Dissemination attributes are an additional access control afforded to group admins, but do not automatically confer membership on users who have a selected Dissemination Attribute, and do not act as de facto membership. Users will still need to be read into appropriate Communities of Interest and have a sufficient clearance level. If the group is secret or closed, users will also need to possess membership attributes.

Group admins may need to create a closed or secret group that is permanently constrained by certain organisation attributes, so that only users of those organisations can access the messages within the group. Adding attributes as members alone does not satisfy this need, since membership can be changed after a room has been created. Dissemination attributes constrain access to data based on attributes of the user, and make that constraint an immutable part of the room. This means that information shared within that room will never be viewed by users who do not meet the access requirements specified on group creation. Because the two mechanisms are separate, you can both add a Dissemination Attribute for a particular organisation and specify the organisation as a member: the latter automatically adds all members of that organisation to the group, while the former guarantees that no one outside that organisation (i.e. without the appropriate attribute) can access the room.

Key definitions for terms are included in the Definitions section at the bottom of this page.

Context

The following diagram shows a high-level overview of how the elements of the Dissemination Controls feature interact.

[Diagram: Dissemination Controls Context]

  • Attributes are provided to the system as normal, using an Attribute Provider.
  • Administrators manage Attribute Type Behaviors; they can create or edit them using the PowerShell commands.
  • Attribute Type Behaviors create new Dissemination Controls.
  • Group Owners create groups using Dissemination Controls, defining the room access rules.
  • The ABAC system uses the Dissemination Controls to determine room access.

Configuration

Enable Dissemination Controls

The Dissemination Controls feature is enabled via the Management Tool in the Feature -> MCE section. The only option available is to enable or disable the feature. Configuration of Dissemination Controls themselves is done via the PowerShell interface.

[Screenshot: Dissemination Controls Configuration]

Configure an Attribute Type Behavior

Note: Attribute Type Behaviors are a more general approach to assigning behavior to Attributes. They are currently only used for Dissemination Controls, but in the future may be used for other kinds of behavior.

There are three PowerShell commands that are used to manage Attribute Type Behaviors:

  • New-MceAttributeTypeBehavior - Used to create new Attribute Type Behaviors. It has three required parameters: DisplayName, AttributeIssuer and AttributeName.
  • Get-MceAttributeTypeBehavior - Used to view existing Attribute Type Behaviors and retrieve their runtime identifiers. Unless an Id is specified, all existing Attribute Type Behaviors are returned.
  • Set-MceAttributeTypeBehavior - Used to modify an existing Attribute Type Behavior when given its runtime identifier.

The following registers all Attribute Values in the AI:organizations Attribute Type as members of a new set of Dissemination Controls called "Duty Organisations".

New-MceAttributeTypeBehavior -DisplayName "Duty Organisations" -AttributeIssuer "AI" -AttributeName "organizations"

There is also functionality that allows you to filter which Attribute Values to include. The filter is defined as a regular expression applied to the attribute value. For example, the following will only include Attribute Values that start with org_ in the Duty Organisations set of Dissemination Controls. It is also possible to set the IsEnabled property at the creation stage; IsEnabled defaults to $true unless you explicitly set it to $false to create a disabled Attribute Type Behavior.

New-MceAttributeTypeBehavior -DisplayName "Duty Organisations" -AttributeIssuer "AI" -AttributeName "organizations" -Filter "^org_" -IsEnabled $false

If you want to modify an existing Attribute Type Behavior you can use the Set command.

  • You can use the same filtering behavior.
  • To reset the filter back to the default, which includes all attributes, set the value to ".".
  • If you no longer want a particular set of Dissemination Controls, you can disable their underlying Attribute Type Behavior. Those attributes will then no longer be Well Known, and they will no longer appear under the Dissemination Controls UI.
  • The same command is used for disabling and re-enabling an Attribute Type Behavior, by setting the IsEnabled property to $false or $true.

Set-MceAttributeTypeBehavior -Id "{guid-id}" -Filter "^org_"
Set-MceAttributeTypeBehavior -Id "{guid-id}" -IsEnabled $false

The Set-MceAttributeTypeBehavior command supports pipeline input; you can use it in combination with the Get-MceAttributeTypeBehavior command to update multiple Attribute Type Behaviors at the same time.

Get-MceAttributeTypeBehavior | Set-MceAttributeTypeBehavior -IsEnabled $false
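The following is an added example, not MCE's own code, that models what the commands above do to the set of Dissemination Controls: a behavior selects an Attribute Type, its Filter regular expression narrows the values (with "." keeping everything), disabling it withdraws the control, and attributes already stored on a group at creation are unaffected by later changes. The attribute values, the personnelType attribute name, the search-style regex matching and the create_group helper are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample input: attribute values as an Attribute Provider might supply
# them, keyed by (issuer, attribute name), i.e. by Attribute Type.
PROVIDED_ATTRIBUTE_TYPES = {
    ("AI", "organizations"): {"org_MilOrgA", "org_CivOrgB", "contractor_XYZ"},
    ("AI", "personnelType"): {"Admin", "Military", "Civilian"},  # assumed second type
}


@dataclass
class AttributeTypeBehavior:
    """Hypothetical model of the object New-MceAttributeTypeBehavior creates.
    Field names mirror the cmdlet parameters; the class itself is not MCE code."""
    display_name: str
    attribute_issuer: str
    attribute_name: str
    filter: str = "."          # regex applied to each attribute value; "." keeps all
    is_enabled: bool = True

    def attribute_type(self):
        return (self.attribute_issuer, self.attribute_name)


def dissemination_control(behavior, provided):
    """Return the attribute values this behavior makes Well Known / Dissemination
    Attributes, or None if the behavior is disabled.
    Assumption: the filter is matched with search semantics, so "^org_" keeps
    values that start with org_ and "." keeps every non-empty value."""
    if not behavior.is_enabled:
        return None
    pattern = re.compile(behavior.filter)
    values = provided.get(behavior.attribute_type(), set())
    return frozenset(v for v in values if pattern.search(v))


def build_controls(behaviors, provided=PROVIDED_ATTRIBUTE_TYPES):
    """Dissemination Controls as the group-creation UI would list them:
    header (the behavior's DisplayName) -> selectable attribute values.
    Disabled behaviors contribute nothing, so their values are no longer offered."""
    controls = {}
    for behavior in behaviors:
        values = dissemination_control(behavior, provided)
        if values is not None:
            controls[behavior.display_name] = values
    return controls


def create_group(name, selected, controls):
    """Snapshot the selected Dissemination Attributes onto a new group.
    Only values an enabled control currently offers may be selected; once stored
    they stay with the group even if the behavior is later filtered or disabled."""
    stored = {}
    for header, attrs in selected.items():
        offered = controls.get(header, frozenset())
        missing = set(attrs) - offered
        if missing:
            raise ValueError(f"{header}: {sorted(missing)} not offered by an enabled control")
        stored[header] = frozenset(attrs)
    return {"name": name, "dissemination": stored}  # fixed for the group's lifetime


if __name__ == "__main__":
    duty_orgs = AttributeTypeBehavior("Duty Organisations", "AI", "organizations")
    print(build_controls([duty_orgs]))          # all three organization values
    duty_orgs.filter = "^org_"                  # like Set-MceAttributeTypeBehavior -Filter "^org_"
    controls = build_controls([duty_orgs])
    print(controls)                             # only org_MilOrgA and org_CivOrgB
    group = create_group("ops", {"Duty Organisations": {"org_MilOrgA"}}, controls)
    duty_orgs.is_enabled = False                # like Set-MceAttributeTypeBehavior -IsEnabled $false
    print(build_controls([duty_orgs]))          # {} : nothing offered for new groups
    print(group["dissemination"])               # the existing group still holds org_MilOrgA
```

Running the script walks through create, filter, disable and shows that disabling the behavior only affects what new groups can select, matching the note in the group-creation section below.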

Creating new groups

You can now create new groups with Dissemination Controls, although it is not mandatory. You can still create new groups without selecting any Dissemination Controls.

Note that a group's visibility is additionally constrained by the selected Dissemination Controls. This means that only users who meet the constraints set out on group creation will be able to see the group. This applies to Open, Closed and Secret groups.

Info: Once you create a Group using Dissemination Controls, the selected Dissemination Attributes are permanently stored against the Group. If those attributes are later removed from a Dissemination Attribute Type Behavior, they will not be removed from the Group's access control. This is the case whether you disable the feature, disable the Attribute Type Behavior or apply a Filter that excludes certain attributes.

Once set, a Group's Dissemination Controls cannot be altered; this ensures that messages within the group can never be accessed by users who do not possess the required Dissemination Attributes.

After setting Dissemination Controls on a group during its creation you can view the attributes that have been selected when editing the group. You cannot, however, modify those controls.

You can disable the feature using the same setting under the Management Center -> Feature -> MCE section. Users will then no longer see the Dissemination Controls section in the group management window and will not be able to use them. As mentioned above, however, once set, a Group's Dissemination Controls cannot be altered.

Open group

When multiple Dissemination Controls are selected on group creation, only users who hold at least one of the selected attributes from each selected Dissemination Control are allowed to join the group.

In the following example two different sets of Dissemination Controls have been configured – one for Duty Organisation and another for Personnel Type. The MilOrgA and CivOrgB attributes within Duty Organisations have been selected, as have the Admin and Military attributes within Personnel Type. In addition, the coi1 Community of Interest is also selected.

[Screenshot: Dissemination Controls Open Group Creation]

The result of this is that for a user to be allowed access to this room they must meet all the following criteria:

  • Read into coi1
  • Have either the MilOrgC or CivOrgB attribute and have either the Admin or Military attribute.

The same access rules apply to Open, Closed and Secret groups. For Closed and Secret groups, a user has access to a room only if they hold the appropriate dissemination attributes and are also added to the members list.

Closed group

Similar to the example above, the same Dissemination Controls have been configured and selected. However, there are now additional membership constraints that all users must meet in order to join the group.

[Screenshot: Dissemination Controls Closed Group Creation]

The result of this is that for a user to be allowed access to this room they must meet all the following criteria:

  • Read into coi1.
  • Have either the MilOrgC or CivOrgB attribute and have either the Admin or Military attribute.
  • Have a clearance level of C//REL TO USA, GBR or above.
  • Have the organisations:WXY11 attribute.

Info: It is important to note that while these are the current constraints for group membership, organisations:WXY11 is a mutable property because it is defined in the members section; additional attributes can be added or removed to alter the membership of the group. The selected Dissemination Controls, however, are immutable and will constrain membership for the lifetime of the group.
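The access decision described in the Open group and Closed group examples, as an added illustration that is not MCE's own ABAC implementation: Community of Interest membership and each Dissemination Control are ANDed together, attributes within one control are ORed, and Closed and Secret groups additionally require a sufficient clearance and a match against the mutable members list. The users, the ordinal clearance scale and the representation of members as user names or attribute values are all constructed assumptions; releasability markings such as REL TO USA, GBR are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ordinal clearance scale (simplification: the page's marking
# "C//REL TO USA, GBR" also carries releasability, which is not modelled here).
CLEARANCE_ORDER = ["U", "C", "S", "TS"]


@dataclass(frozen=True)
class User:
    name: str
    attributes: frozenset   # e.g. "MilOrgC", "Admin", "organisations:WXY11"
    cois: frozenset         # Communities of Interest the user is read into
    clearance: str


@dataclass(frozen=True)
class Group:
    name: str
    kind: str                          # "open", "closed" or "secret"
    cois: frozenset                    # COIs selected at creation
    dissemination: tuple               # ((control header, frozenset of attributes), ...) - immutable
    min_clearance: Optional[str] = None
    members: frozenset = frozenset()   # mutable members list: user names or attribute values


def meets_dissemination_controls(user, group):
    """OR within a control, AND across controls; empty tuple means no constraint."""
    return all(user.attributes & attrs for _, attrs in group.dissemination)


def is_member(user, group):
    """A user is a member if named directly or if any of their attributes is listed."""
    return user.name in group.members or bool(user.attributes & group.members)


def can_access(user, group):
    """Return (allowed, reasons). Every failed check is reported so an admin can
    see why a user cannot see or join a group rather than only a yes/no answer."""
    reasons = []
    if not group.cois <= user.cois:
        reasons.append("not read into " + ", ".join(sorted(group.cois - user.cois)))
    for header, attrs in group.dissemination:
        if not user.attributes & attrs:
            reasons.append(f"no {header} attribute from {sorted(attrs)}")
    if group.min_clearance is not None and (
        CLEARANCE_ORDER.index(user.clearance) < CLEARANCE_ORDER.index(group.min_clearance)
    ):
        reasons.append(f"clearance {user.clearance} below {group.min_clearance}")
    if group.kind in ("closed", "secret") and not is_member(user, group):
        reasons.append("not in members list")
    return (not reasons, reasons)


# Constructed groups mirroring the two examples on the page.
DISSEMINATION = (
    ("Duty Organisations", frozenset({"MilOrgC", "CivOrgB"})),
    ("Personnel Type", frozenset({"Admin", "Military"})),
)
OPEN_GROUP = Group("open-example", "open", frozenset({"coi1"}), DISSEMINATION)
CLOSED_GROUP = Group("closed-example", "closed", frozenset({"coi1"}), DISSEMINATION,
                     min_clearance="C", members=frozenset({"organisations:WXY11"}))

# Constructed users.
ALICE = User("alice", frozenset({"CivOrgB", "Admin", "organisations:WXY11"}), frozenset({"coi1"}), "S")
BOB = User("bob", frozenset({"MilOrgC", "Civilian"}), frozenset({"coi1"}), "TS")
CAROL = User("carol", frozenset({"MilOrgC", "Military"}), frozenset({"coi1"}), "C")

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for group in (OPEN_GROUP, CLOSED_GROUP):
            allowed, why = can_access(user, group)
            print(f"{user.name:6} {group.name:15} {'allowed' if allowed else 'denied: ' + '; '.join(why)}")
```

Bob is denied the open group despite holding MilOrgC because he has no Personnel Type attribute; Carol passes every immutable check on the closed group but is denied only by the mutable members list, which is exactly the distinction the note above draws.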

Definitions

Well Known

A property of an Attribute. An attribute that is Well Known should be visible to all users of a system. Such an attribute describes something that is not secret, is common knowledge, and is generally assumed to be known by all users of the system. It is an attribute that all users of the system are allowed to see, even if they don't hold the attribute themselves.

An example would be an attribute that describes the nationality of a user, which organisation a user belongs to or a user's personnel type.

Attribute Type

An Attribute Type describes all attributes that exist within a particular issuer and attribute name pair. For example, attributes that have the issuer AI and Attribute Name organisations are within the AI:organisations Attribute Type.

Attribute Type Behavior

An Attribute Type Behavior describes a behavior that applies to an Attribute Type (or to a subset of attributes within that type). To define the subset of attribute values within the type, a filtering mechanism is used: a regular expression applied to the value of each attribute.

For example, an Attribute Type Behavior could specify that attributes within the AI:organisations Attribute Type should all have the Dissemination Behavior. This means that they are all considered to be Dissemination Attributes, as well as all being Well Known.

Dissemination Attribute

These are attributes that are used to define how far information is allowed to disseminate. They typically relate to properties of a user rather than the information. When dissemination attributes of a particular type are combined, they increase the scope of access. For example, they may describe a particular organisation or nationality.

Once defined via Attribute Type Behaviors, Dissemination Attributes are visible as part of the Dissemination Controls feature.

Dissemination Control

A group of Dissemination Attributes within a particular Attribute Type. These are shown together under a common header (which is the name of the Attribute Type Behavior that configured them as Dissemination Attributes) when creating or editing a group.

Display Names

The display names for dissemination attributes can be set by following the documentation provided in Attribute Display Names.