Classified documents

Last updated on 29 May 2025

In this tutorial we are going to use the Access Policy module to implement a simplified version of Mandatory Access Control. This will allow us to designate different nodes as confidential, secret and top secret. Only users with the right security clearance will be able to access that content. For example, if someone has access to Top secret then they can see Top secret, Secret and Confidential. However, if someone has Secret, they can only see Secret and Confidential.

Step One: Add the Employee role.

  1. Go to /admin/people/roles
  2. Create a new Role called “Employee”
  3. Give them the following permissions 
    • View published content
    • Access the Content overview page 
    • Use the toolbar 

Step Two: Add the Security fields

  1. Add a new List (Integer) field to the Basic page
  2. Give it the label “Security level” 
  3. Add these to the Allowed values list
    • 1|Confidential
    • 2|Secret
    • 3|Top secret 
  4. Go to /admin/config/people/accounts/fields 
  5. Add a new List (Integer) field to the user
  6. Give it the label “Security clearance” 
  7. Add the same values to the Allowed values list
  8. Save the field.

We’ve set up our fields, now let’s get them talking to each other! 

Step Three: Add the Classified access policy

  1. If you haven’t already, download and install the Access policy module.
  2. Enable the access_policy_ui sub module.
  3. Go to /admin/people/access-policies
  4. Add a new Access policy called “Classified” 
  5. Click Edit permissions next to the Employee role
  6. Grant them the following permissions:
    • Classified: View any content assigned this access policy (without this permission Employees can’t see that content at all)
  7. Click Save permissions.
  8. Click Add access rule 
  9. Search for and select “Compare Security level with user (numeric)”
    • This access rule allows us to use numeric operators to compare values. 
  10. For the operator choose “Is less than or equal to” 
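    • The rule then reads as “the node’s Security level is less than or equal to the user’s Security clearance”. This will ensure that only users whose Security clearance is greater than or equal to the node’s Security level will be able to access it.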
  11. Leave all other options as they are and click save.
  12. Go to Manage selection 
  13. Click Add selection rule
  14. Search for and add "Security level"
  15. Under operator choose "Is not empty"
  16. Save the selection rule
    • We add a selection rule in order to do two things: limit this access policy to only nodes that have the Security level field, and tell it to assign this policy when the field has a value.

Step Four: Create some classified content

Now with the Classified access policy in place, you can designate content as Confidential, Secret or Top Secret. Only users with the right security clearance will be able to view that content.

  1. Create a new Basic page
  2. Note on the right column that Access is currently set to Unrestricted. Let’s change that.
  3. From the Security level field, choose “Secret” and save the node
  4. Edit the node again
  5. Observe that Access has changed to “Classified”
  6. Now let’s see it in action by logging in as an Employee. 

Step Five: View the content as an employee

  1. Create a new employee with Security Clearance set to Confidential 
  2. Log in as that employee 
  3. Go to /admin/content
  4. Observe that no content is available to that employee. Their security clearance is not high enough.
  5. Let’s give them a promotion!
  6. Change their Security clearance to "Top Secret" 
  7. Go back to /admin/content
  8. Observe that they can now see the content!

Step Six: Edit classified content

Let’s create a new role that can edit classified content but only content that is equal to or less than their security clearance.

  1. Create a new role called “Content author” with the following permissions:
    • View published content
    • View own unpublished content 
    • Access the Content overview page 
    • Use the toolbar 
    • View the administration theme
    • Basic page: Create new content
    • Basic page: Edit any content 
    • Basic page: Edit own content
  2. Edit the Classified access policy again.
  3. Click Edit permissions next to the Content author role
  4. Grant them the following permissions:
    • Classified: Assign to any content 
    • Classified: Edit any content assigned this access policy 
    • Classified: View any content assigned this access policy
    • Classified: View any unpublished content assigned this access policy 
  5. Click Save permissions
  6. Edit the “Compare security level with user” access rule. 
  7. Enable “Filter allowed values”
  8. Save the access rule.
  9. Create a new Content author with the Security clearance set to “Secret”
  10. Log in as that content author
  11. Create a new Basic page
  12. Observe that only “Confidential” and “Secret” are available from the Security level field. This ensures that content authors can’t create content with a higher security level. Neat! 
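
The decision configured in Steps Three and Six can be written down as a small model and used as the expected-results table when testing the site. This is an added example, not code from the Access policy module; the function names are hypothetical, and denying a user whose Security clearance is empty is an assumption to confirm on your own site.

```python
# Added model of the tutorial's policy; not Access Policy module code.
LEVELS = {1: "Confidential", 2: "Secret", 3: "Top secret"}  # Allowed values from Step Two
VIEW = "Classified: View any content assigned this access policy"


def policy_assigned(node_level):
    """Selection rule: the policy is assigned when "Security level" is not empty."""
    return node_level is not None


def can_view(permissions, clearance, node_level):
    """Decide view access for one user and one published node."""
    if not policy_assigned(node_level):
        # Access stays "Unrestricted"; assumes the role has "View published content"
        return True
    if VIEW not in permissions:
        return False  # Without the policy permission the content is not visible at all
    if clearance is None:
        return False  # Assumption: a user with no Security clearance value is denied
    # Access rule: node Security level "is less than or equal to" user Security clearance
    return node_level <= clearance


def assignable_levels(clearance):
    """Levels an author may set when "Filter allowed values" is enabled."""
    if clearance is None:
        return []  # Assumption, as above
    return [name for value, name in sorted(LEVELS.items()) if value <= clearance]


def view_matrix(permissions):
    """Expected outcome for every clearance/level pair, for a manual test plan."""
    return {
        (LEVELS[c], LEVELS[n]): can_view(permissions, c, n)
        for c in LEVELS
        for n in LEVELS
    }


if __name__ == "__main__":
    for (clearance, level), allowed in view_matrix({VIEW}).items():
        print(f"clearance={clearance:<12} node={level:<12} view={'yes' if allowed else 'no'}")
```

Running the file prints all nine clearance/level combinations; each row is one login-and-check to repeat on the site after any change to the access rule or role permissions.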

And that’s it! You can now serve classified documents on your site! 
