Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Scope/Role/Group Based Access Control

I am using Azure Active Directory and am trying to understand the three types of access control described here. What are the advantages and disadvantages of each approach and when would you use them:

  • Scope based access control using oauth2Permissions section of my manifest where I can add read and write permissions like so:

    {
      "adminConsentDescription": "Allow the application read access to MyApi on behalf of the signed-in user.",
      "adminConsentDisplayName": "Read access to MyApi",
      "id": "56d944c0-f3aa-4f80-9472-9c1414383abf",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application read access to MyApi on your behalf.",
      "userConsentDisplayName": "Read access to MyApi",
      "value": "read_my_api"
    },
    {
      "adminConsentDescription": "Allow the application write access to MyApi on behalf of the signed-in user.",
      "adminConsentDisplayName": "Write access to MyApi",
      "id": "6d66a2bd-c8c7-4ee0-aef4-9424b51b4967",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application write access to MyApi on your behalf.",
      "userConsentDisplayName": "Write access to MyApi",
      "value": "write_my_api"
    }
    
  • Role Based Access Control (RBAC) - Using appRoles section of my manifest.

  • Group based access control using the groupMembershipClaims section of my manifest.
like image 996
Muhammad Rehan Saeed Avatar asked Dec 22 '15 12:12

Muhammad Rehan Saeed


People also ask

Which roles are available with role-based access control?

An organization assigns a role-based access control role to every employee; the role determines which permissions the system grants to the user. For example, you can designate whether a user is an administrator, a specialist, or an end-user, and limit access to specific resources or tasks.

What are two types of role-based access control lists?

Technical – assigned to users that perform technical tasks. Administrative – access for users that perform administrative tasks.

Which of the following scope in role-based access will give you wide access?

The most common scope is organization-wide (org-wide) scope. A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization.

What is the purpose of role-based access control?

Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC ensures employees access only information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.


1 Answers

I think the most significant difference between scopes and roles/groups is who determines what the client is allowed to do.

  • Resource scopes are granted by the resource owner (the user) to an application through the consent screen. For example, the client application can post to my timeline or see my friends list.
  • User roles and groups are assigned by an administrator of the Azure AD directory. For example, the user can submit expense reports or the user can approve expense reports.

Scopes are typically used when an external application wants to gain access to the user's data via an exposed API. They determine what the client application can do.

Role- or group based access is typically used within an application to determine what a user can do.

like image 52
MvdD Avatar answered Sep 28 '22 17:09

MvdD