What is the best database schema to track role-based access controls for a web application?
I am using Rails, but the RBAC plugin linked by Google looks unmaintained (only 300 commits to SVN; latest was almost a year ago).
The concept is simple enough to implement from scratch, yet complex and important enough that it's worth getting right.
So how do others architect and implement their RBAC model?
Essentially, ABAC has a much greater number of possible control variables than RBAC. ABAC is implemented to reduce risks due to unauthorized access, as it can control security and access on a more fine-grained basis.
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC ensures employees access only information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.
The three primary rules for RBAC:
1. Role assignment: a user can exercise a permission only if the subject has been assigned a role.
2. Role-based authorization: a user's active role must be authorized. Together with rule 1, this rule ensures that users can take on only roles for which they are authorized.
To my rather basic knowledge in that area, the basic actors of an RBAC are:
Resources <- require -> (one or many) Permissions.
Roles <- are collections of -> (one or many) Permissions.
Users <- can have -> (one or many) Roles.
The tables for such a model would be:
Now you might want to include resources here as well if you want users of your application to be able to configure which permissions a resource needs. But I never needed that. Hope that helps.
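The tables the answer sketches, written out as an added SQL example (not the answerer's code and not from any Rails plugin): the table and column names are my assumptions, `:user_id` and `:resource_id` are bind parameters, and the DDL is generic SQL that may need small dialect changes.

```sql
CREATE TABLE users (
    id    INTEGER PRIMARY KEY,
    login VARCHAR(64) NOT NULL UNIQUE
);
CREATE TABLE roles (
    id   INTEGER PRIMARY KEY,
    name VARCHAR(64) NOT NULL UNIQUE
);
CREATE TABLE permissions (
    id   INTEGER PRIMARY KEY,
    name VARCHAR(64) NOT NULL UNIQUE  -- e.g. 'invoices.read' (constructed sample)
);
-- Roles <- are collections of -> Permissions
CREATE TABLE role_permissions (
    role_id       INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
    permission_id INTEGER NOT NULL REFERENCES permissions(id) ON DELETE CASCADE,
    PRIMARY KEY (role_id, permission_id)
);
-- Users <- can have -> Roles
CREATE TABLE user_roles (
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    role_id INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
    PRIMARY KEY (user_id, role_id)
);
-- Optional: Resources <- require -> Permissions
CREATE TABLE resources (
    id   INTEGER PRIMARY KEY,
    name VARCHAR(128) NOT NULL UNIQUE
);
CREATE TABLE resource_permissions (
    resource_id   INTEGER NOT NULL REFERENCES resources(id) ON DELETE CASCADE,
    permission_id INTEGER NOT NULL REFERENCES permissions(id) ON DELETE CASCADE,
    PRIMARY KEY (resource_id, permission_id)
);
-- Authorization check: count the permissions required by :resource_id that
-- :user_id does NOT hold through any of its roles. Grant access only when the
-- result is 0. A resource with no required permissions also yields 0, so
-- decide deliberately whether that means "public" or "misconfigured".
SELECT COUNT(*) AS missing
FROM   resource_permissions rp
WHERE  rp.resource_id = :resource_id
AND NOT EXISTS (
    SELECT 1
    FROM   user_roles ur
    JOIN   role_permissions rlp ON rlp.role_id = ur.role_id
    WHERE  ur.user_id = :user_id
    AND    rlp.permission_id = rp.permission_id
);
```

The composite primary keys on the join tables stop the same role or permission from being granted twice, and the cascades keep orphaned grants from surviving a deleted user, role or permission.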