Menu
I have a SaaS service where multiple users can collaborate with each other. Till now users under the same subscription account could share the same database and view/edit/delete everything from each other.
Now I'd like to implement a permission system so users may be able to do only specific actions like viewing, editing, updating and deleting contents (on my SaaS system the content is primarily a list of client cards).
My first guess was to use the RBAC technique, defining roles and a bitmask of different operations, e.g.
Those permissions are not tied to the single card instance rather than being generic actions users can perform. The first one (viewing) seems required in any case, as it would be impossible to use the system without being able to see any card.
Unfortunately I think I would also need some kind of per-card permissions. For example, an admin user may want to let a given user to view only a subset of the cards, not all of them. Or an admin user may allow a group of users to collaborate on a specific card (or specific cards), effectively partitioning the card list across the users. In any case, I never encountered a scenario where non-admin users can set such permissions for themselves or other users.
Is RBAC espressive enough to encode such requirement? Or do I need to switch to ABAC?
935
The main difference between RBAC vs. ABAC is the way each method grants access. RBAC techniques allow you to grant access by roles. ABAC techniques let you determine access by user characteristics, object characteristics, action types, and more.
The ABAC model's time-based rules prevent access to sensitive data at times it's not needed, thus preventing exfiltration and data breaches. Companies with a simple structure: When your organization's workgroups have a simple structure with few roles, RBAC is a better choice.
Although ABAC is not necessarily a superset of RBAC—the two models can function independently—uniting attribute- and role-based access control helps DevOps teams achieve greater speed and flexibility, especially as environments become increasingly ephemeral.
Why is role-based management better than per-user access controls? A: Because users sometimes change job function. B: Because there are too many users to manage individually. Because role-based management reduces errors.
The rule of thumb is the following:
Let me explain. With RBAC, you can do things like define roles, role hierarchies, and permissions. You can also do some level of static segregation of duty. For instance a user can be given the role manager and the role senior manager. That, as a whole, gives them the right to view client records. So far so good.
But... if you need to say things like:
Then you need more than just RBAC. You will need abac like you pointed out. ABAC does not fully replace RBAC. You still need users, user metadata (such as roles) and assignments from roles to permissions. Those assignments, though, rather than happening through a role management tool, will happen in the policies.
In alfa, this is what a policy would look like:
policy clientAccess{
target
clause action.name == "view"
object.Type == "client record"
apply firstApplicable
rule managersCanViewAll{
target clause user.role == "manager"
permit
}
rule employeeCanViewSameState{
target clause user.role == "employee"
permit
condition user.state == client.state
}
}
This statement condition user.state == client.state is ABAC's secret sauce.
Of course there are other benefits to ABAC such as:
Check out these resources for more information:
87
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
