OrBac or ROBAC or MultiOrg-RBAC with OAuth2/OpenId - authorization

I work for an organization that hosts applications used by many other organizations that reside in a hierarchy (I work in the education field).
This article detailing what they call "ROBAC" identifies and proposes a new model for access control that we'd like to try and implement. Does anyone have experience with implementing IdentityServer by Thinktecture or any other .NET/Katana based technology?
Is it possible to use OAUTH2/OpenId to implement a ROBAC/OrBac model? If so, is there any documentation available out there on how to do so?

What you need is ABAC, attribute-based access control, and possibly XACML, the extensible access control markup language, which implements ABAC.
ABAC is generic enough to implement RBAC, ROBAC, and generally *-BAC. In ABAC you get to define the attributes you need. Those attributes can be about:
- the user, e.g. role, department, age, clearance...
- the object (resource) they're trying to access, e.g. document, classification, owner, author, status...
- the action they want to do on that object, e.g. view, delete, approve...
- the context, e.g. time of day.
You then combine these attributes into policies, e.g.:
A user with the role publisher can do the action publish on a document if the document status is draft and if the user's department is equal to the document's department.
There are a lot of resources on ABAC/XACML. Check out:
- the NIST project page on ABAC
- the OASIS XACML standard page
- the Axiomatics Policy Server Express Edition, a lightweight implementation of ABAC.
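To make the publisher policy above concrete, here is an added example (not code from the answer above or from any XACML product) of a minimal attribute-based decision function that evaluates that rule and, going beyond the answer, a second rule scoped to the organisation hierarchy the question describes; the organisation names, attribute names and the ORG_PARENT tree are constructed assumptions.

```python
# Added example, not from the answer above: a minimal attribute-based policy
# decision point (PDP).  Organisation names, attribute names and the
# ORG_PARENT tree are constructed for illustration.
from dataclasses import dataclass, field

# Constructed organisation tree (child -> parent), standing in for the
# hierarchy of organisations described in the question.
ORG_PARENT = {"school-12": "district-3", "district-3": "state-edu", "state-edu": None}

def org_chain(org):
    """The organisation itself followed by all of its ancestors."""
    chain = []
    while org is not None:
        chain.append(org)
        org = ORG_PARENT.get(org)
    return chain

@dataclass
class Request:
    subject: dict            # user attributes: roles, department, org ...
    resource: dict           # object attributes: type, status, department, org ...
    action: str              # what the subject wants to do
    context: dict = field(default_factory=dict)   # environment attributes, e.g. time of day

def publish_rule(r):
    """A user with the role publisher can publish a document if the document
    status is draft and the user's department equals the document's department."""
    return ("publisher" in r.subject["roles"]
            and r.action == "publish"
            and r.resource["type"] == "document"
            and r.resource["status"] == "draft"
            and r.subject["department"] == r.resource["department"])

def org_scope_rule(r):
    """Multi-organisation rule: a subject may view a resource owned by their
    own organisation or by any organisation below it in the hierarchy."""
    return r.action == "view" and r.subject["org"] in org_chain(r.resource["org"])

RULES = [publish_rule, org_scope_rule]   # combined with "permit-overrides"

def decide(request):
    """'Permit' if any rule grants the request, otherwise 'Deny'."""
    return "Permit" if any(rule(request) for rule in RULES) else "Deny"

if __name__ == "__main__":
    alice = {"roles": ["publisher"], "department": "math", "org": "district-3"}
    draft = {"type": "document", "status": "draft", "department": "math", "org": "school-12"}
    print(decide(Request(alice, draft, "publish")))   # Permit
    print(decide(Request(alice, draft, "delete")))    # Deny: no rule covers delete
```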

Related

What best practices or access control models are recommended for implementing fine-grained access control

We are currently building a webapp, which has several user roles. Each user has one or more roles assigned, which grants them permission to interact with specific parts (REST resources) of the webapp. For example, a user with role admin is allowed to perform a create action on the resource user.
We have implemented this access control using RBAC with Casbin. This has suited our access control needs until now. We have arrived at the point where we have to implement some kind of mechanism, which enables users of our webapp to grant access to other users for specific data objects (for example their address). In some cases these other users also need to be able to mutate this data.
I have a feeling RBAC is not meant for this level of fine-grained access control. Therefore I am looking for best practices/alternative access control models which are suited for this use case.
I read about ABAC in this answer, but still have the following 2 questions:
Is ABAC still a recommended model, or are there other models I should know about?
If I end up using ABAC, what is the best way to combine this with RBAC?
I would much appreciate any responses.
I'm the Casbin author. Recently, Casbin added support for scaling ABAC rules: https://casbin.org/docs/en/abac#scaling-the-model-for-complex-and-large-number-of-abac-rules. Now you can write very powerful ABAC rules within Casbin. You can also mix RBAC and ABAC together inside Casbin.

Recommended way of modeling resource membership in SQL

Say I copy Unix file system security groups in my DB: entities can be seen as files, and visibility of those entities depends on which groups a user belongs to. Groups may contain users and other groups. Circular group membership is forbidden.
How do I implement that in SQL?
You do not need to design any data model; just use existing patterns.
Unix security has a complete security model.
It has:
- Subjects (Users, Groups, Processes that make accesses)
- Objects (Files, Directories, Services)
- Operations (Read, Write, Execute)
In the data modeling world, we have some patterns to manage this type of permissions (Access Control Models):
- Context-based access control (CBAC)
- Data-centric security
- Discretionary access control (DAC)
- Graph-based access control (GBAC)
- Lattice-based access control (LBAC)
- Mandatory access control (MAC)
- Organisation-based access control (OrBAC)
- Role-based access control (RBAC)
- Rule-set-based access control (RSBAC)
- Attribute-based access control (ABAC)
https://en.wikipedia.org/wiki/Attribute-based_access_control
I suggest ABAC (Attribute Based Access Control), because:
1- ABAC is so complete that it can answer all your requirements.
2- Unix security has elements equivalent to ABAC's.
ABAC's basic elements are:
- Subject: who is demanding access to an information asset
- Action: what the Subject (User) wants to perform
- Resource: identifies the information asset or object impacted by the action
Google it to find more details.
https://www.axiomatics.com/attribute-based-access-control/
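As an added example (not from the answer above, and not a schema from this thread), here is how the question's requirement looks in SQL through Python's sqlite3: nested groups, a recursive CTE that yields a user's effective groups, Unix-like visibility of entities owned by those groups, and a check that refuses any nesting that would make membership circular. The table and column names and the sample data are constructed assumptions.

```python
# Added example, not from the answer above: Unix-style nested groups in SQL (constructed
# schema and data) with a recursive CTE for effective membership and a cycle check.
import sqlite3

SCHEMA = """
CREATE TABLE groups(id TEXT PRIMARY KEY);
CREATE TABLE user_group(user_id TEXT, group_id TEXT REFERENCES groups);
-- child_id is a member of parent_id: members of the child inherit the parent's membership
CREATE TABLE group_group(child_id TEXT REFERENCES groups, parent_id TEXT REFERENCES groups);
CREATE TABLE entity(id TEXT PRIMARY KEY, group_id TEXT REFERENCES groups);
"""
# Walk membership edges upward (child -> parent) from a set of starting groups.
UPWARD = """
WITH RECURSIVE up(group_id) AS (
    {start}
    UNION
    SELECT gg.parent_id FROM group_group gg JOIN up ON gg.child_id = up.group_id
)
SELECT group_id FROM up
"""
EFFECTIVE_GROUPS = UPWARD.format(start="SELECT group_id FROM user_group WHERE user_id = ?")
ANCESTORS = UPWARD.format(start="SELECT parent_id FROM group_group WHERE child_id = ?")

def effective_groups(conn, user_id):
    """Groups a user belongs to directly or through any chain of nested groups."""
    return {r[0] for r in conn.execute(EFFECTIVE_GROUPS, (user_id,))}

def visible_entities(conn, user_id):
    """Entities owned by any of the user's effective groups (Unix-like visibility)."""
    groups = sorted(effective_groups(conn, user_id))
    sql = f"SELECT id FROM entity WHERE group_id IN ({','.join('?' * len(groups))}) ORDER BY id"
    return [r[0] for r in conn.execute(sql, groups)] if groups else []

def nest_group(conn, child_id, parent_id):
    """Make child_id a member of parent_id, refusing a nesting that would close a cycle."""
    ancestors = {r[0] for r in conn.execute(ANCESTORS, (parent_id,))}
    if child_id == parent_id or child_id in ancestors:
        raise ValueError(f"nesting {child_id} in {parent_id} would create a cycle")
    conn.execute("INSERT INTO group_group VALUES (?, ?)", (child_id, parent_id))

def demo_db():
    """In-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO groups VALUES (?)", [("staff",), ("teachers",), ("admins",)])
    conn.executemany("INSERT INTO user_group VALUES (?, ?)", [("alice", "teachers"), ("bob", "admins")])
    conn.executemany("INSERT INTO entity VALUES (?, ?)",
                     [("handbook", "staff"), ("gradebook", "teachers"), ("audit-log", "admins")])
    nest_group(conn, "teachers", "staff")  # teachers are staff, but not all staff teach
    return conn
```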

Custom Role based authentication

I have very complex requirements for implementing roles and permissions in my ASP.NET MVC 4 application. I know about ASP.NET Identity authentication, but that does not fit my requirements.
I have 15-20 controllers in my application which have their respective views; some of the views have partial views which are handled in jQuery code and loaded from there.
Now I have the following requirements:
1) Some controllers are accessible to particular role(s) only.
2) Some views in a controller are accessible to particular role(s) only.
3) In a view, for grids, only some of the columns and actions like Edit/Create/Delete are accessible to particular role(s) only.
I am thinking of implementing checks on controllers, actions and views on the basis of role, but that can lead to a problem when I have multiple roles and custom roles in the future. What would be the best way to implement this kind of solution? Any suggestions will be appreciated.
Every time you have "complex" authorization requirements, it's a pretty good indication that "identity-centric" access control is not enough. What's identity-centric? Authorization that relies on user metrics (identity, role, group) only.
Also, in your question, you list the fact that you do not know what the future holds. You do not know what other custom roles you need to implement.
All this means you need to extend your existing RBAC implementation with attribute-based access control (ABAC). ABAC gives you 3 interesting elements which you do not have in RBAC:
- A policy language. You can express complex authorization challenges using this policy language (either XACML or ALFA). In particular you can express things like "Permit if user department == record department".
- An architecture: the architecture identifies key components with specific responsibilities. For instance, you have a Policy Decision Point (PDP) which produces authorization decisions. You have a Policy Enforcement Point (PEP) which is the piece that sits in front of or inside your application. The PEP protects the application.
- A request/response scheme between the PEP and the PDP. The standard format is a Yes/No question as shown in the diagram below. JSON can be used to encode the requests.
From your point of view, you have two options. Either:
- Implement claims-based authorization. This is available OOTB in .NET
- Bring in XACML. I'm not sure .NET has any native libraries but there are SDKs out there.
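The PEP/PDP request-response scheme from the answer above, as an added example that is not code from the answer or from any XACML SDK: the PEP (an MVC action filter or view helper) phrases the question as a JSON request laid out like the XACML JSON profile, the PDP answers with a decision, and the PEP enforces it. The attribute ids other than the standard subject-id and action-id, the policy rules and the sample users are constructed assumptions.

```python
# Added example, not from the answer above: the PEP/PDP request-response scheme.
# The request and response follow the layout of the XACML JSON profile; the
# attribute ids other than subject-id and action-id, the policy rules and the
# sample users are constructed for illustration.
import json

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

def attrs(category):
    """Flatten one request category's attribute list into {AttributeId: Value}."""
    return {a["AttributeId"]: a["Value"] for a in category.get("Attribute", [])}

# --- PEP: an MVC action filter or view helper phrases the question -----------
def build_request(user, resource, action):
    """Who wants to do what to which resource, as a XACML-style JSON request."""
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": SUBJECT_ID, "Value": user["name"]},
            {"AttributeId": "role", "Value": user["roles"]},
            {"AttributeId": "department", "Value": user["department"]}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        "Resource": {"Attribute": [
            {"AttributeId": "resource-type", "Value": resource["type"]},
            {"AttributeId": "department", "Value": resource["department"]}]}}}

# --- PDP: the policy lives here, not in every controller and view ------------
def pdp_decide(request_json):
    """Evaluate the constructed policy and answer with a XACML-style JSON response."""
    req = json.loads(request_json)["Request"]
    sub, act, res = attrs(req["AccessSubject"]), attrs(req["Action"]), attrs(req["Resource"])
    action, roles = act[ACTION_ID], set(sub["role"])
    if res["resource-type"] != "record":
        decision = "NotApplicable"        # no policy targets this resource type
    elif action == "view" and roles & {"viewer", "editor"}:
        decision = "Permit"
    elif (action in {"edit", "delete"} and "editor" in roles
          and sub["department"] == res["department"]):   # user department == record department
        decision = "Permit"
    else:
        decision = "Deny"
    return json.dumps({"Response": [{"Decision": decision}]})

# --- PEP again: enforce the answer; anything other than Permit is refused ----
def decision_for(user, resource, action):
    """Round trip one question through the PDP and return the decision string."""
    response = json.loads(pdp_decide(json.dumps(build_request(user, resource, action))))
    return response["Response"][0]["Decision"]

def is_permitted(user, resource, action):
    return decision_for(user, resource, action) == "Permit"
```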

Role Based Access Control with permission constraints through certain attributes

Every user has one or more roles, every role has one or more permissions. So far I can gather all permissions that are associated to a user via the roles.
The Problem
Some permissions have some constraints. For example:
A user can edit all posts that belong to his site, but no other posts.
Therefore the permission "edit post" should have this constraint.
Regarding the model: if the constraints are related to the permission, I can't resolve which constraints are active for the particular user.
The user model can have an attribute like "site", but not all users that belong to one site should have the constraint mentioned above. Some of them should be able to edit all posts.
Question
What is the best way to determine which constraint is active for a particular user? Do I have to split this into separate permissions and integrate the constraints into the permission model, or is there a better solution? I stumbled upon attribute based access control but I am not sure if I should switch to a completely different approach.
Any help is appreciated :)
I gave the following reply to a similar earlier question:
You want to use a solution that is agnostic of the type of application it protects. That's the goal of XACML, the eXtensible Access Control Markup Language.
XACML provides attribute-based, policy-based access control (ABAC and PBAC). This gives you the ability to write extremely expressive authorization policies and manage them centrally in a single repository. A central authorization engine (called Policy Decision Point or PDP) will then serve decisions to your different applications.
The minimum set of attributes you will need is typically attributes about the user (Subject), the resource, and the action. XACML also lets you add environment attributes. This means you can write the following type of policy:
Doctors can view the medical records of patients they are assigned to.
- Doctors describes the user / subject
- view describes the action
- medical records describes the targeted resource
- of patients describes the targeted resource too. It's metadata about the resource
- they are assigned to is an interesting case. It's an attribute that defines the relationship between the doctor and the patient. In ABAC, this gets implemented as doctor.id==patient.assignedDoctorId. This is one of the key benefits of using XACML.
Benefits of XACML include:
- the ability to externalize the authorization logic as mentioned by Bell
- the ability to update authorization logic without going through a development/deployment lifecycle
- the ability to have fine-grained authorization implemented the same way for many different applications
- the ability to have visibility and audits on the authorization logic
HTH
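An added example serving both this question (a permission such as "edit post" that must carry a constraint for some users but not for others) and the earlier Casbin question about letting a user grant another user access to a specific object such as their address. It is not code from either answer and not Casbin's API; the roles, permissions, constraint functions and sample data are constructed assumptions. The "edit post" permission is split into a constrained and an unconstrained variant so that the role, not the user's attributes, decides which constraint applies.

```python
# Added example, not from the answers above and not Casbin's API: permissions reached
# through roles, where a permission may carry an attribute constraint, plus per-object
# grants by which a user shares one record with another.  All data is constructed.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Permission:
    resource_type: str
    action: str
    # Constraint over (user, resource) attributes; None means unconstrained.
    constraint: Optional[Callable[[dict, dict], bool]] = None

def same_site(user, res):
    return user["site"] == res["site"]

def is_owner(user, res):
    return user["id"] == res["owner"]

# "edit post" is split into a constrained and an unconstrained permission.
ROLE_PERMISSIONS = {
    "site_editor": {Permission("post", "view"), Permission("post", "edit", same_site)},
    "global_editor": {Permission("post", "view"), Permission("post", "edit")},
    "member": {Permission("address", "view", is_owner), Permission("address", "edit", is_owner)},
}

class AccessControl:
    def __init__(self):
        self.user_roles = {}   # user id -> set of role names
        self.grants = set()    # (grantee id, resource id, action) shared by the owner

    def assign_role(self, user_id, role):
        self.user_roles.setdefault(user_id, set()).add(role)

    def share(self, owner, resource, grantee_id, action):
        """The owner shares one specific object (e.g. their address) with another user."""
        if owner["id"] != resource["owner"]:
            raise PermissionError("only the owner can share this object")
        self.grants.add((grantee_id, resource["id"], action))

    def is_allowed(self, user, resource, action):
        # 1. RBAC: permissions reached via roles, each filtered by its constraint.
        for role in self.user_roles.get(user["id"], ()):
            for p in ROLE_PERMISSIONS.get(role, ()):
                if p.resource_type == resource["type"] and p.action == action:
                    if p.constraint is None or p.constraint(user, resource):
                        return True
        # 2. DAC-style object-level grant made by the resource owner.
        return (user["id"], resource["id"], action) in self.grants
```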

Resource Based Access Control vs Role Based Access Control

I am learning Apache Shiro, and I found this article:
The New RBAC: Resource-Based Access Control
And the author said:
.......you could assign behaviors (permissions) directly to a Role if you
want. In this sense, you would still have a Role-Based Access Control
security policy - it is just you would have an explicit RBAC policy
instead of the traditional implicit strategy.
But that begs the question - why stop at roles? You can assign
behaviors directly to users, or to groups, or to anything else your
security policy might allow.
It seems that the author prefers to store the relationship between User and Permission directly instead of through a Role.
Though it seems this is simple and straightforward, I have some questions:
Are there any essential differences between the two of them?
The database schema.
In Role Based Access Control, normally we use three tables to describe the relationship:
- user
- role
- user_role
Now if I use Resource Based Access Control, what is the normal practice for building the tables?
This is the first time I hear of resource-based access control.
I would be extremely careful in going down this path. In the world of authorization there are essentially 2 standards:
- Role-based access control (RBAC) as standardized by NIST and implemented in thousands of apps and frameworks with support from the main vendors (CA, Oracle, IBM...)
- Attribute-based access control (ABAC) as being standardized by NIST (also here) and equally well implemented by vendors such as IBM, Oracle, and Axiomatics, which is where I work.
Resource-based access control seems to be a model invented by Stormpath and supported by them only. It may be good but it will only work with their environment.
Role-based and Attribute-based access control are well accepted paradigms supported by NIST and other standardization bodies such as OASIS (where SAML and XACML were defined 10 years ago and are still supported today).
The question to you is: why is role-based access control not enough for you? Do you have a role explosion issue? Is it not expressive enough? Do you need to implement relationships between users, resources, and context?
ABAC and XACML can let you do that. I posted a simple video a while back on YouTube that deals with attribute-based access control. Have a look.
The bottom line is that RBAC and ABAC are standards that work across multiple applications and layers. Resource-based access control is specific to Apache Shiro only.