The Claim Set Editor is a feature for administering claim sets, which enable fine-grained control over permissions in an Ed-Fi ODS / API. The ODS / API documentation, particularly the section API Claim Sets & Resources, contains detailed information about this powerful security feature. Using the Claim Set Editor, you can add, edit, import, export, copy, and delete claim sets. The default claim sets can be copied, but they cannot be edited or deleted.

Claim Set Editor Usage

The key features of the Claim Set Editor include:

Claim Set List

From the Admin App home, you get to the Claim Set Editor by clicking on Global and viewing the Claim Sets tab.

The Claim Sets tab shows a list of existing claim sets on the ODS / API:

From the Claim Sets tab, you can add, import, and export claim sets.

Add & Edit Claim Sets

To add a claim set, click Add Claim Set from the Claim Sets tab. The Add Claim Set dialog will open:

Enter a name for your claim set and press Save.

Saving the claim set will prompt you to select resources to add to your new claim set:

Adding resources allows you to set read, create, update, and delete permissions on the resource:

Adding Child Resources

Many resource types in the Ed-Fi ODS / API contain other resources. You can select child resources to add to your claim set.

Child resources can have read, create, update, and delete permissions set:

By clicking on the checkmark, you save the changes you've applied. After you save changes, you'll see the edit icon and information icon.

Override Authorization Strategy

After saving changes to a resource, you'll see an info icon. Clicking the info icon will pop up the Override Authorization Strategy page. Using this page, you can set an override for the authorization strategy.

         

Editing the authorization strategy for actions is easy. Simply click the edit icon and change the values for each operation:

After you click the checkmark icon, your changes are saved. Note that changes from the default are highlighted:

       

Here's an example display of a strategy overridden by a parent resource, in this case, Education Organization, which is the parent of the School resource:

Import & Export Claim Sets

The Admin App allows you to import and export claim sets. The claim set file is in JSON format (an example is shown below).

Import / Export Claim Set Page

Click Import/Export Claim Set on the Claim Set list page to view the claim set import and export controls:

 

Export a Claim Set

To export a claim set, provide a name for your export file and select the specific claim you'd like to export:

      

Clicking Preview will provide a view of your claim set details formatted for JSON:

         

You can export your claim set by clicking Download.         

Import a Claim Set

To import a claim set, simply choose the claim set JSON file for importing:

          

You will see the imported claim set upon successful import:

Copy Claim Set

It's often easier to copy a claim set that approximates a new set of permissions as a starting point than to build a new claim set from the ground up. The Copy Claim Set feature allows you to do that.

To copy a claim set, simply press the Copy icon in the claim set list view. You'll be prompted to provide a name:

When complete, you'll see the claim set you copied in the list view:

Security Metadata Cache Information

Claim set changes will take effect on the ODS / API only after the security metadata cache is refreshed. Details about working with the security metadata cache follow.

Automatic Security Metadata Cache Refresh

The ODS / API and Admin App applications are configured to perform an automatic refresh every 10 minutes by default.

Initiating a Manual Refresh of the Security Metadata Cache

If you want claim set changes to be effective immediately, then you'll need to manually restart the ODS / API in IIS Manager. This will, of course, interrupt service while the platform restarts.

Steps for restarting the ODS / API:

  1. Open IIS Manager (inetmgr).
  2. In the Connections pane on the left, expand Sites and locate the Ed-Fi website.
  3. Right-click the website and select Manage Website > Restart.
  4. Close IIS Manager.

Changing the Cache Refresh Interval

You can modify the cache refresh interval. To modify the interval, you'll need to update both the ODS / API and Admin App Web.config files manually.

The cache refresh interval value on the ODS / API and Admin App must match in order for the refresh message to be accurate.

Steps for modifying the cache refresh interval:

  1. Open IIS Manager (inetmgr).
  2. In the Connections pane on the left, expand Sites and locate the web applications Admin App and EdFiWebApi.
  3. Right-click the web application and click Explore. This will take you to the web application content folder.
  4. Look for the Web.config file and open it.
  5. Update the SecurityMetadataCacheTimeoutMinutes app setting value to the required interval value in minutes and save it.

As noted, the steps must be performed on both the Admin App and EdFiWebApi applications such that the interval matches.
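One way to confirm that both applications ended up with the same interval after editing, as an added example that is not part of the Ed-Fi documentation or code base. It assumes the setting is a standard `<appSettings>` entry in each Web.config; the function names, file names, and sample values are hypothetical, and the two sample files are constructed stand-ins for the real ones.

```powershell
# Added example (not Ed-Fi code): compare the cache refresh interval in two Web.config files.
function Get-CacheTimeoutMinutes {
    param([Parameter(Mandatory)][string]$WebConfigPath)

    [xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw
    $node = $config.SelectSingleNode(
        "/configuration/appSettings/add[@key='SecurityMetadataCacheTimeoutMinutes']")
    if ($null -eq $node) {
        throw "SecurityMetadataCacheTimeoutMinutes not found in $WebConfigPath"
    }
    $minutes = 0
    if (-not [int]::TryParse($node.GetAttribute('value'), [ref]$minutes)) {
        throw "Non-numeric interval in ${WebConfigPath}: '$($node.GetAttribute('value'))'"
    }
    return $minutes
}

function Test-CacheTimeoutMatch {
    param(
        [Parameter(Mandatory)][string]$OdsApiWebConfig,
        [Parameter(Mandatory)][string]$AdminAppWebConfig
    )
    $api   = Get-CacheTimeoutMinutes -WebConfigPath $OdsApiWebConfig
    $admin = Get-CacheTimeoutMinutes -WebConfigPath $AdminAppWebConfig
    [pscustomobject]@{
        OdsApiMinutes   = $api
        AdminAppMinutes = $admin
        Match           = ($api -eq $admin)
    }
}

# Constructed sample files standing in for the two real Web.config files.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'cache-interval-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$template = @'
<configuration>
  <appSettings>
    <add key="SecurityMetadataCacheTimeoutMinutes" value="{0}" />
  </appSettings>
</configuration>
'@
$apiConfig   = Join-Path $dir 'EdFiWebApi.Web.config'
$adminConfig = Join-Path $dir 'AdminApp.Web.config'
Set-Content -LiteralPath $apiConfig   -Value ($template -f 5)
Set-Content -LiteralPath $adminConfig -Value ($template -f 10)   # deliberately mismatched

$result = Test-CacheTimeoutMatch -OdsApiWebConfig $apiConfig -AdminAppWebConfig $adminConfig
$result
if (-not $result.Match) { Write-Warning 'Intervals differ; the Admin App refresh message will be inaccurate.' }
```

To check a real deployment, pass the Web.config paths found through the Explore step above instead of the constructed files.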
