I have a requirement for entity-level authorization that's frankly over my head. I'm hoping to get some guidance on this permission structure, how I might implement it in .NET 4.5, and if there are ways I could improve it.
Here it goes:
I have a set of data structured as follows:
Where Fleet is a collection of zero or more Cars. Fleet can contain other Fleets.
Fleets can be later reorganized and moved around for organizational purposes.
I have several roles with permissions in the system that pertain to these entities:
The authorization logic allows for a User in the system to be granted access to either a Fleet or a Car with one or more roles.
Here are some scenarios to help explain:
User Jim access to Fleet #5 with the role of Driver, he is allowed to drive any Car under fleet #2. The resulting permissions allow him to drive cars #4, 5, 6.
Car #1 as a Mechanic, the resulting permissions allow her to fix only car #1.
Owner and Mechanic, she is allowed to add and remove cars to fleets #2, 4, 5 AND she is allowed to fix cars #1, 2, 3, 4, 5, 6.
Owner AND to Fleet #6 as a Driver, the resulting permissions allow him to add and remove cars to all fleets AND drive cars #7, 8. He cannot drive any car other than #7 and 8.
What is a good approach to this entity-level authorization?
If it matters, we're using .NET 4.5.1 with EF6 Code First, built on top of ASP.net Boilerplate.
The fine-grained authorization you want to implement reminds me of Access Control Objects (ACOs - Something that is wanted) and Access Request Objects (AROs - Something that wants something) in CakePHP's Access Control List (ACL) description with some variations:
Here it is in a nutshell:
You have ACOs (Fleets and Cars) that will be requested by AROs (Owner, Manager, Driver, Mechanic). If you want to know if a requester has access to an object, you find the path to that object (Can John access "Car #3"? Find "Car #3"'s path from the root: Fleet #1 > Fleet #2 > Car #3), then assign the default permission "Deny" to each node but switch it to "Allow" if that node is in the requester's allowed node list. If the last node ends up with "Allow" then, well... allow, else deny.
Understanding the logic first is key. Implementation in any language comes second.
I hope it points you in the right direction.
Cheers,
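An added example (not from the asker or the answerer) of the path-walk check described above, applied to the question's Fleet/Car tree: the path is built from the root to the target, every node starts at Deny, a node where the user holds the requested role flips to Allow, and Allow carries down the rest of the path so a grant on a fleet covers its sub-fleets and cars. The in-memory Node/Grant classes and the sample hierarchy are assumptions standing in for the asker's EF6 entities.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical in-memory model (assumed names, not the asker's EF6 entities).
public enum Role { Owner, Manager, Driver, Mechanic }

public class Node   // a Fleet or a Car; Parent is null for the root fleet
{
    public string Id; public Node Parent;
    public Node(string id, Node parent) { Id = id; Parent = parent; }
}

public class Grant  // a user holds a role on one fleet or car
{
    public string User; public Role Role; public Node Node;
    public Grant(string u, Role r, Node n) { User = u; Role = r; Node = n; }
}

public static class Authz
{
    // Root-to-target path, default Deny, flip to Allow at any node the user holds
    // the role on; Allow carries down the path and the last node's state wins.
    public static bool IsAllowed(IEnumerable<Grant> grants, string user, Role role, Node target)
    {
        var path = new List<Node>();
        for (var n = target; n != null; n = n.Parent) path.Insert(0, n);
        var allowed = new HashSet<Node>(
            grants.Where(g => g.User == user && g.Role == role).Select(g => g.Node));
        bool state = false;                              // default: Deny
        foreach (var node in path)
            if (allowed.Contains(node)) state = true;    // Allow from here down
        return state;
    }

    public static void Main()
    {
        // Constructed sample hierarchy and grants, shaped like the question's scenarios.
        var root = new Node("Fleet#1", null);
        var fleet2 = new Node("Fleet#2", root);
        var car4 = new Node("Car#4", fleet2);
        var car7 = new Node("Car#7", root);
        var grants = new List<Grant> {
            new Grant("jim", Role.Driver, fleet2),       // may drive anything under Fleet#2
            new Grant("sue", Role.Mechanic, car4) };     // may fix Car#4 only
        Console.WriteLine("jim drives Car#4: " + IsAllowed(grants, "jim", Role.Driver, car4));
        Console.WriteLine("jim drives Car#7: " + IsAllowed(grants, "jim", Role.Driver, car7));
        Console.WriteLine("sue fixes Fleet#2: " + IsAllowed(grants, "sue", Role.Mechanic, fleet2));
    }
}
```

Because the path is rebuilt from Parent links on every check, moving a fleet under a different parent (the reorganization the question mentions) changes the effective permissions without touching any grant rows.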