Tools can be assigned to any set of authorization groups, which makes them accessible to any user who is a member of one of those groups.
This assignment is defined on the machine where the tool is "integrated" (i.e., where it is defined to be actually run; see the "Tool Integration" section in the RCE User Guide for details).
There is no central authority for group membership. This is an intentional design decision to keep the authorization system flexible and lightweight.
This decentralized approach has, among other things, the benefit of removing administrative overhead when setting up groups between different organizations, for example in the typical use case of a research project with partners from different organizations.
Each group membership is defined by access to a secret 256-bit key. From a user's perspective, this key works like a password required to access a specific group. These group keys are imported into RCE instances as text strings, after which they are available on that instance until they are removed.
The text snippets used to give users access to a certain group should be transported in a secure way, for example via an intranet page with access control.
Users can create any number of authorization groups using their RCE clients.
Due to the decentralized nature of the authorization groups, there is no global password change mechanism, or a central way of revoking group memberships. If this is a concern, periodic group rotation should be used. This can be realized, for example, by using an intranet page with organization-specific access control where the current group access codes are posted.
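The effect of group rotation on key-based membership, as an added sketch that is not RCE's own code: the hex key encoding, the `ToolHost` class, the group names and the HMAC challenge-response are assumptions chosen for illustration and do not describe RCE's actual key format or protocol.

```python
import hashlib, hmac, secrets

KEY_BYTES = 32  # 256-bit group key, as described above

def new_group_key() -> str:
    """Fresh random 256-bit key as text (hex encoding is an assumption)."""
    return secrets.token_bytes(KEY_BYTES).hex()

def prove(key_text: str, nonce: bytes) -> bytes:
    """Member side: show possession of the key without sending it."""
    return hmac.new(bytes.fromhex(key_text), nonce, hashlib.sha256).digest()

class ToolHost:
    """Hypothetical model of the machine where a tool is integrated."""
    def __init__(self):
        self.groups = {}  # group name -> key bytes; the tool is assigned to these

    def assign(self, group: str, key_text: str) -> None:
        key = bytes.fromhex(key_text)
        if len(key) != KEY_BYTES:
            raise ValueError("group key must be 256 bits")
        self.groups[group] = key

    def rotate(self, old: str, new: str) -> str:
        """Move the tool to a new group with a new key and drop the old one.
        The returned text must be redistributed over the secure channel."""
        key_text = new_group_key()
        self.assign(new, key_text)
        self.groups.pop(old, None)
        return key_text

    def verify(self, group: str, nonce: bytes, proof: bytes) -> bool:
        key = self.groups.get(group)
        if key is None:
            return False  # the tool is no longer assigned to this group
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)  # constant-time compare

def demo():
    host = ToolHost()
    k1 = new_group_key()
    host.assign("project-2024Q1", k1)  # constructed group names
    n1 = secrets.token_bytes(16)
    before = host.verify("project-2024Q1", n1, prove(k1, n1))
    k2 = host.rotate("project-2024Q1", "project-2024Q2")
    n2 = secrets.token_bytes(16)
    old_after = host.verify("project-2024Q1", n2, prove(k1, n2))
    new_after = host.verify("project-2024Q2", n2, prove(k2, n2))
    return before, old_after, new_after
```

A holder of the old key keeps access until every machine that integrates a tool has performed the rotation, since each assignment is local to that machine.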
The group keys that were created or imported into an RCE instance are stored in an encrypted form using the Secure Storage implementation of the Eclipse platform (https://www.eclipse.org/). Each user's secure RCE data is encrypted with a random 256-bit master key that is stored in the user's home directory. This way, even if a user accidentally shares their whole RCE profile directory to a public location, nobody else can gain access to the stored group keys.
RCE provides console commands for listing all active authorization groups and their assignments, which can be used for automated auditing.