What’s in this document?

The following diagram presents the Metadata Studio security model:

Metadata Studio Security

Access to Metadata Studio is granted through users with corresponding roles. Metadata Studio is bundled by default with Keycloak, which supports OpenID Connect, but it can also be integrated with any other service providing OAuth2 interface.

As explained in the Metadata Studio UI Client External interfaces section, the OAuth2 service must provide the described interfaces for authorizing, token access, and logout.

The OAuth2 service must be accessible through HTTP/HTTPS to the Metadata Studio UI Client. Metadata Studio assumes that users have already been set up and are available through the OAuth2 service.

Each Metadata Studio user must have a corresponding role assigned. The role defines what resources and actions are available for the user. The roles are described as part of the Metadata Studio schema. Currently, the application supports the following roles:

  • Default: grants all actions on all objects and their properties to a user with that role.
  • Curator: grants read access to all resources as well as ability to create annotations for existing documents.
  • Admin: grants all actions on all objects and their properties to a user with that role.
  • SchemaRBACAdmin: allows the user to modify the SOML schema.

New roles can be added and modified by a user with role SchemaRBACAdmin. For more information on the syntax of the RBAC schema, see the official Ontotext Platform Semantic Objects documentation.

GraphDB Security

Metadata Studio supports communication with a GraphDB server that is secured with a username and password. The GraphDB user must have ROLE_REPO_MANAGER rights, which allow read and write access to the data. For more information, see the GraphDB access control documentation.