Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Complex Righty System: ACL, RBAC and more what?

We are currently developing a project management software. And we are having trouble deciding on the correct approach to implement security. We have looked at both ACL and RBAC and are already pretty certain that we need at least a combination of both for specific reasons. But there are a couple of problems that do not have a nice solution in either world. Let me explain:

Let's say you have the following entities:

  1. Users, with different roles, i.e.
    • Project Lead
    • Worker
    • Admin
  2. Projects
  3. Assigned Users
  4. Tasks in Project

Now the following rule should be expressed: A User with the Role Worker is only allowed to view Tasks, which are related to a project he is assigned to.

This results in that a User is only allowed to view some Tasks in the whole list.

We would use RBAC to give Roles the permission to actually read Tasks. But the condition is not applied as there are specific entities involved. ACL could be used, but we fear the nightmare of keeping the ACL entries consitent with the requirements (Users can change, Roles can change, new Tasks can be introduced an would have to get the correct entries, which is just as complex).

Of course there could be specific queries when viewing a specific project (WHERE project_id = 123), but this does not help for a "View of all my current Tasks", where basically every task can be considered for display, but the ACL would have to be checked for every single entriy.

And how do I ensure things like "Get the first 25 Tasks the current User is allowed to see" without loading all the tasks from the DB and then filtering based on the ACL, i.e. handling pagination.

like image 727
pdobrigkeit Avatar asked Nov 27 '12 09:11

pdobrigkeit


People also ask

What are the three primary rules for RBAC?

3 Primary Rules for RBAC:Role assignment: A user can exercise a permission only if the subject has been assigned a role. Role-based authorization: A user's active role must be authorized. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.

What are the three types of access control?

Three main types of access control systems are: Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC).

What is ACL and RBAC types of?

For most business applications, RBAC is superior to ACL in terms of security and administrative overhead. ACL is better suited for implementing security at the individual user level and for low-level data, while RBAC better serves a company-wide security system with an overseeing administrator.


1 Answers

You need to look beyond ACL and RBAC and consider attribute-based access control (ABAC - see NIST's guide here). Gartner calls this space "externalized authorization management".

With ABAC, you can easily express any rules that take into account not just who the user is but also what the user wants to do, where, when, why, and how. Using attributes to define authorization, you can use XACML to implement policies. XACML is an OASIS standard (just like SAML).

With XACML, you get an API where you can ask questions e.g.: can Alice view this record? But in your case, it's not enough because you want to filter out records from the database. And, as you describe, you want the query to be the right from the start rather than going back and forth to the database until you have the right number of authorized records. This is where XACML becomes particularly interesting because it's technology-neutral. You can apply XACML to Java, C#, and other languages e.g. Python but also apply XACML to different layers (presentation, APIs, and... databases). XACML can be queried in a reverse query way to produce a SQL statement which you could then use to query your backend database for the relevant records:

  • Which records can Alice view?
  • Alice can view records in California which yields "SELECT * FROM records WHERE location='CA'"

HTH

like image 63
David Brossard Avatar answered Oct 06 '22 06:10

David Brossard