Amplify authorization rule based on attribute value - authorization

I have a user, community and post type where a community can have multiple users and posts. The posts has an attribute called "visibility", if the visibility value is "private" only the users of that community can see the posts. If the visibility is "public" every user can see the post. Is possible to accomplish this using amplify and cognito? How?

Cognito has groups. You can create groups and add users into these groups. When your user authenticates they get a token, and the claims on that token can be used to confirm which groups they belong to.
Cognito Groups are really useful for controlling access to things like admin apis with an 'admin' group. However, if you're creating lots of groups of adding users in and out regularly, I would recommend implementing an application level feature (i.e. manage this in your database).
Cognito isn't as scalable as your application persistence is likely to be. It can be a bit slow and it doesn't come with nice features for managing your groups.
So yes, its possible to manage in Cognito, but I would recommend doing it with a database of some sort.

Related

Authorisation design using policies/permission using keycloak or in general

I'm quite new to the entire auth design and am still trying to understand how to use keycloak for authentication and authorisation.
Currently from what I understand in order to have authorisation enabled for a client you will need to have it in confidential.
After which I am kind of stuck in terms of how to set which policy for which permission.
I have a few types resources but currently placing them all under a single client for simplicity sake.
For my use case I have a workspace for users. So each workspace can have multiple users with different roles of owner,editor,viewer. And within the workspace there are artifacts. So it is some what like designing an authorisation for Google drive.
Would like some advice on how best to design it.
One way I have thought of is using groups and each workspace is a group. Using it to assign users to each group as a way to use the group policy for permission.
The other is really by creating multiple policy and permission for each artifact/resource and adding user to each policy for each workspace.
Would like any advice on authorisation design or even where to begin reading.
After some research I have come to these conclusion.
Yes these can be done by keycloak though most likely shouldn't be done in keycloak itself for its design.
Keycloak itself will most likely be more suitable in terms of authenticating/authorising on services or infra level. So this use case of having user be able to access workspaces or artifacts will be better done in application level having a separated service to handle the permission itself.
That being said if it really needs to be done in keycloak the design that I thought of that is not so scalable is as follow.
Create a policy/user and each workspace/artifact as a single resource. Depending on how many types of access/fine grain control is needed for each type of resource create the scope for each (e.g workspace:view, workspace:edit...). Then create a permission for each resource&scope. This allows fine grain access of basically assigning user to permission of each resource through the user policy.
But of course this design has its flaws of the need of too many policies, permissions and resources so it is better to have keycloak just handle the authentication part and authorisation is just giving users the role to be able to access a service and through the service check if the user is authorised for a certain action.

Resource based authorization with Azure AD?

Here is the scenario, I have a service containing many records. My service also has many users, each with the ability to create, read, update and delete records. The ability to perform these operations on each record must be controlled at the record level.
For example, user A can only read and update record 1 but user B can read, update and delete records 1, 2 and 3 and user C can perform all operations on all records.
How if at all, can this be done using Azure AD?
Obviously, using application roles is not sufficient because that gives the user uniform access rights to all records.
The tenant is also not useful because its the same for all users (in this example).
I definitely do not want to define access rights for every record individually, I would like to do something like assigning roles to a user group and then somehow assign records to the group.
Is there a standard way to deal with this type of resource based authorization?
As you correctly mention, role based access or authorization is very generic and using that, a user with specific role gets access (or gets denied access) to all resources. (If your sceanrio permits, you could make it a little better by dividing your resources into a few types and give access for 1 or more types of resources to 1 or more roles).
When trying to control access for each record individually, you will need to implement custom logic for resource based authorization. Typically applications utilize a mix of role-based and resource-based authorization driven by their requirements.
In the end it will boil down to a mapping that you need to maintain between 3 things
Resource (or a collection of resources)
Azure AD object (like role, group, individual user that is being given permission)
Permission that you're giving (understood and enforced by your application e.g. Blogs.Create permission for a Blogs application)
Relevant Documentation available on Microsoft Docs
Role-based and resource-based authorization
This documentation talks about similar concepts and shows a good example which makes use of both role based and resource based. CRUD operations on resources based on roles and then special privileges on specific resource for the owner of that resource (i.e. resource based)
Code Samples
Multi-tenant Survey Application Code
Code base for the documentation link above
Authorization in a web app using Azure AD groups & group claims
This one provides a sample task tracker application where users can share tasks with other users or Azure AD groups. Again you will see a mapping between resources (i.e. tasks in this case) and Azure AD objects (i.e. Users or Groups) is being maintained in sample database.
Assigning Application Roles for groups
Since you mentioned this as part of your question, just letting you know that this is possible from Azure Portal but only if you have Azure AD Premium license (I'm not sure which specific ones support it, but search on Group based assignments feature and you'll find it.)

Cognito for identity and authentication only for a multi-tenant SaaS

We run a multi-tenant SaaS app, where orgs have users, and orgs are separated from each other.
This question follows this thread, which I have digested:
https://forums.aws.amazon.com/thread.jspa?messageID=819858
We have this scenario, similar to the thread above:
unlimited organizations
unlimited users per organization
unlimited "guests" as outside collaborators
users within one organization cannot access anything in any other organization
What is the solution to do this for unlimited organizations and unlimited users within each organization, given the limits published in the thread above?
We only want to use Cognito to handle signup and signin for our SaaS. We don't wish to use API Gateway, since we already use ALB behind our API instances.
Our problem is therefore identity and authentication, not authorization (e.g. permissions, roles, etc).
The reason for the unlimited guests requirement is because we are an app that enables a user to collaborate with others outside their company - see https://tallyfy.com for context.
I'm confused about the best way to architect user pools, groups and/or just use attributes for this purpose. Help is appreciated.
Example solution - a single user pool with potentially millions of users, where a custom attribute of a user is "organization_id". Further, another custom attribute defines their user type within two types - regular or guest. Is this the ideal/workable solution?

How limit user's access to a certain resource?

Suppose that I have a web application. Consider it like a Black-Box for now. I want to use a backend system to limit what a user can view/do on the app.
i.e. Sample users can only do three functions, Premium users can do 10 functions and see more pictures.
What is the best way to do it?
I'm trying to using WSO2 Identity Server, but it doesn't offer this functionality. So I've thought that maybe I can integrate it with the WSO2 API Manager and make an API that limits users' access to a certain resource. But really I cannot find if it's possible do it. Anyone know it?
Please refer to : https://docs.wso2.com/display/IS530/Access+Control+Concepts
1) WSO2IS can act as a coarse grained access manager. Your application will act as a fine grained access mnager.
It means that roles can be defined in WSO2IS, managed and assigned to user. From there Roles assigned to one user can be provided as clains with the identity token generated by WSO2IS and sent to the application.
The application, on the other side, will manage roles to permissions links.
Access control is then done at each request by the application, based on the roles presented in the Identity Token by the user and the Permissions grid based on roles in the application.
2) The access control at the application is a business logic you must implement (or at least configure if it a COTS). It is possible to outsource this logic to WSO2IS as policies on attribute (with Workflows).
Please look at : https://docs.wso2.com/display/IS530/XACML+Architecture
Jeff

Are there better user User management applications for Cognito User Pools?

We are using Cognito for managing the users for our saas-application (www.contempus.be) , and are very happy with the functionality it offers.
However, there are a few aspects that we think could be better, and we're wondering if there are any tools out there that can be used to easily manage users.
Do any third party tools exist to manage Cognito User Pools?
A few features we think would be useful :
Assign groups when creating users.
Set Custom attributes when creating users.
Search users by custom attributes
Are other people also interested in these features?
Thank You,
Dries