The ATLAS Access Manager Policy Browser: state-of-the-art web technologies for a rich and interactive data visualization experience

The ATLAS experiment is operated daily by many users and experts working concurrently on several aspects of the detector. The safe and optimal access to the various software and hardware resources of the experiment is guaranteed by a role-based access control system (RBAC) provided by the ATLAS Trigger and Data Acquisition (TDAQ) system. The roles are defined by an inheritance hierarchy. Depending on duties, every ATLAS user has a well-defined set of access privileges (rules) corresponding to a specific set of assigned roles. In total, there are several hundred roles and several thousand users. Over the years, the system grew up in terms of users and roles, motivating the deployment of a visualization tool named “Policy Browser”. Currently, it is the primary tool for role administrators to manage all the aspects of the Access Management via a rich web-based interface. This paper presents the requirements, design and implementation of the “Policy Browser”. The tool is able to aggregate and correlate all the information provided by the RBAC system and offers a visual representation of the interrelations occurring among roles, users, hosts and rules. Additionally, the “Policy Browser” implements a powerful and flexible query mechanism facilitating the browsing of all the authorizations granted by the system. As an example of the available visual representations, the “Policy Browser” is capable of dynamically generating graphs to quickly display the role giving a user some defined privileges. A graph explorer is also provided in order to browse the role&s inheritance hierarchy. The “Policy Browser” is implemented using robust JavaScript frameworks: AngularJS, Bootstrap, D3.js for the front-end, and Django a python framework for the back-end. The use cases and the results based on an informal evaluation provided by the roles administrators are also presented.