Build a Better Access Control System

I'm in the process of building an access control system as part of a web framework I am developing. I want to make it super flexible and awesome. Can you help me by providing input and insight on my design? Here is my work so far (my specific questions are at the bottom):

Users

  • Users have a username (32 characters, no spaces) and password
  • Users have one or more e-mail addresses that must be verified
  • Users may login using either their username or any of their e-mail addresses
  • Users may be associated to zero or many accounts

Accounts

  • Accounts represent one or more users
  • Each user may have specific permissions or roles for an account (e.g., account owner or "can add new user")
  • All accounts are tied to an account type

Account Types

  • Account types have zero or many account type roles
  • Account types have zero or many account type features

Account Type Roles

  • E.g., "Owner", "Administrator", "Power User", "Guest", etc.
  • Account type roles are a collection of account type permissions

Account Type Permissions

  • Account type permissions are specific actions in the system that application logic will verify against
  • They may reference a parent, so they can be hierarchically grouped
  • E.g.:
    • "User Management"
      • "Add User"
      • "Remove User"
  • These permissions may be specifically for an account type feature

Account Type Features

  • Account type features may be activated on an account to give it more permissions
  • E.g., "Standard Account" or "Premium Account"
  • These features, if activated on an account, will give the account owner greater access to the system
  • They are tracked when they are activated or deactivated and can be billed against periodically or on demand

Questions

What is the best way to have application logic check against a user action? I was thinking of storing all of a user's permissions in an object for their session (which would require a logout/login to refresh permissions, which I am not a fan of - any ideas on real time permission management?):

{
  "All Permissions": {
    "User Management": [
      "Add User",
      "Delete User"
    ],
    "Premium Account": [
      "Download Files",
      "Upload Files"
    ]
  }
}

I would then declare permissions that are required for a specific action in the system. Maybe something like:

Permission::require('Add User');

If the declared permissions were not in the user's permission object, the request would fail. This seems kind of intense for each user action though. Also, what if another subset of permissions has the string "Add User"?

Thanks in advance for any help with this!

Kirk Ouimet asked Aug 13 '10 21:08
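One way to address both concerns raised in the question (a leaf name such as "Add User" appearing under two parents, and permissions going stale until re-login), as an added Python sketch that is not code from the question, the answer or any framework: each permission carries its parent path as a qualified name, and a user's effective set is resolved per account at check time from their roles plus the account's activated features. ROLES, FEATURES, Account, require and can are assumed names, the sample data is constructed, and activated features are assumed to extend every member of the account.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumption): roles and features per account type, as
# qualified names so "add_user" under "user_management" cannot collide elsewhere.
ROLES = {
    "standard": {
        "owner": {"user_management"},  # holding a parent implies all children
        "admin": {"user_management.add_user", "user_management.remove_user"},
    },
}
FEATURES = {
    "standard": {"premium_account": {"files.download", "files.upload"}},
}

class PermissionDenied(Exception):
    pass

@dataclass
class Account:
    account_type: str
    roles_by_user: dict = field(default_factory=dict)   # username -> set(role)
    active_features: set = field(default_factory=set)  # feature names now active

def effective_permissions(account: Account, username: str) -> set:
    """Resolve at check time, so a role or feature change applies immediately
    instead of waiting for a logout/login to refresh a cached session object."""
    if username not in account.roles_by_user:   # not a member of this account
        return set()
    granted = set()
    for role in account.roles_by_user[username]:
        granted |= ROLES[account.account_type].get(role, set())
    for feature in account.active_features:     # assumed to extend every member
        granted |= FEATURES[account.account_type].get(feature, set())
    return granted

def require(account: Account, username: str, permission: str) -> None:
    """Deny unless the user holds the qualified permission, or one of its
    ancestors, on this account. Bare leaf names are rejected outright."""
    if "." not in permission:
        raise ValueError(f"unqualified permission name: {permission!r}")
    granted = effective_permissions(account, username)
    if not any(permission == g or permission.startswith(g + ".") for g in granted):
        raise PermissionDenied(f"{username} lacks {permission} on this account")

def can(account: Account, username: str, permission: str) -> bool:
    try:
        require(account, username, permission)
        return True
    except PermissionDenied:
        return False
```

Because nothing is cached in the session, activating a feature or changing a role takes effect on the next check; the cost is one lookup per check, which is the trade-off the question's session-object approach avoids.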

1 Answer

Looking at your Account Type Permissions, it appears you have an Access Control List (ACL) style system design in mind.

If you want to make it super flexible and awesome, then I'd suggest this is not a good design. ACL systems work for simple permissions - and maybe that actually is ok in your scenario - but as soon as the rules for granting permission become even the slightest bit dynamic - that is, relying on any contextual data beyond the user's identity or roles - ACLs fall flat fast.

This video goes into some detail about the failings of ACLs and discusses alternate ways to implement access control that account for real-world situations.

Also, this has been done before (though there's surprisingly little out there for implementations we can look at); perhaps have a look at Rhino Security. Original link http://ayende.com/Blog/category/548.aspx is broken, so keeping internet archive link for reference.

quentin-starin answered Oct 01 '22 12:10