Advanced Access Control Libraries [closed]

Question

I am interested in performing advanced access control for users to access resources within software systems. I work in healthcare IT and a younger me has frequently underestimated the complexity of role-based access control in healthcare. But this question should apply to anyone with complex ACL requirements.

For quite some time php gacl has been my go-to library for the purposes of handling the very complex ACL control issues inside Health IT systems. But I am now working more with javascript in general and node specifically. I have searched npm for libraries to do Access Control in a generalizable way.

I would like to have support for defining actions rather than merely users and resources (3-tier instead of 2) and I would like to have user, action and resource groups, and by implication I would like to have ACL inheritance.

The classic examples from the Star Wars themed manual to that library are rules like:

• All members of the crew have (visit, configure, and use) access to the guns, engines, cockpit and lounge, expect for chewie.
• All droids have (visit and use) access to the cockpit, but only R2D2 has configure access to the engines.
• Han has all types of access to all types of resources.

The basic concepts here include the notion that you can make rules that apply to either groups of users(i.e. crew, passengers or droids) or individuals (Han, and Chewie), that you can have different types of access (visit, configure, use) or groups of access (maintence access = configure + repair + use) to different resources (engine and cockpit) which could also be grouped, (battle-stations = cockpit + guns).

This allows for the configuration of extraordinarily complex access control rules, with relatively simple group-based administration.

So far, I have seen nothing like this outside of php-gacl. I have taken a look at the wonderful javascript based ACL projects and all of them advertise simplicity and ease of use rather than comprehensiveness. This is also true of other typical php ACL libraries (i.e. Zend ACL)

Is someone working on an "advanced ACL" project for node? Is there perhaps a much better approach that I should be looking for somewhere?

php-gacl comes with three parts, one is a php-based admin GUI (that is admittedly over-complex), and an API for CRUD on the rules (that could be easily converted to a REST interface I think) and a very small file that provides ACL checking functionality.

Technically, only the last type would need to be fully ported over to node in order for that software model to work?

On a deeper level, I want to understand what approaches have been used successfully to handle this problem. How is this problem typically solved? Bonus points for those who effectively discuss this problem in terms of node/javascript and perhaps even a particular database approach (relational vs non-relational). I understand that there are lots of theoretical underpinnings for doing this right/wrong (i.e. lots of opinion over RBAC, vs ACL). What I want is something theoretically solid, or almost-solid that still "just works" from a library standpoint. I am focused on Javascript, but it would be nice to understand how other languages are practically solving this problem.

Answer 1

If you can avoid using any kind of ACL, you are usually better off. They are complex to administer. You would be better off modeling three levels of security checks:

1. URL/IP Address/or other accesspoint security check
2. Method upon resources check. Whatever entities you want to modify or manipulate you put permission checks on that. I.E. Business rules type of access.
3. Entity Resource check. If a user/API/OAuth token has access AT ALL to an entity

This can be accomplished using an RBAC. The roles for your organization/site each are assigned a set of access/modification/manipulation permissions. Users are assigned a role(s), but the three levels of checks check the PERMISSIONS, not the role.

I would look at Spring Security and RBAC as a google search, and model on that. Here are a few links that I have found useful:

http://www.xaprb.com/blog/2006/08/16/how-to-build-role-based-access-control-in-sql/

http://www.xaprb.com/blog/2006/08/18/role-based-access-control-in-sql-part-2/

(because all the 'primitive' examples and crazily named checks in Spring Security, you will be advised to read articles that offer the use of alternative names and uses for the Spring permission 'hasRole()' checks. The following article discusses this in the design of an RBAC)

http://springinpractice.com/2010/10/27/quick-tip-spring-security-role-based-authorization-and-permissions/

(A good presentation on flexible uses of Spring Security, including RBAC)

http://www.infoq.com/presentations/Spring-Security-3

(The following gives a GOOD description of the RBAC problem and solutions, and is designed for PHP)

http://www.tonymarston.net/php-mysql/role-based-access-control.html

A PHP framework with a RBAC implementation:

http://trac.symfony-project.org/wiki/UserRbac

And finally, the class diagram for Spring Security. You will notice that it allows putting security information in a PARALLEL table to the entities being protected. This is by design, so that Spring Security can be added later, or taken out, or replaced easily. But it also means more tables.

http://code.google.com/p/uclm-esi-alarcos/source/browse/trunk/documentation/memoria-pfc/Figuras/Cap5/spring-security-class-diagram.png?r=295