In addition to creating the RBAC file, what are the other advantages of the Yii Rights module? What does the Yii Rights module do that Yii RBAC doesn't support?
Allows you to manage access in the backend: create roles on the fly and attach them to users.
Role access has a weak binding with code because it is based on module-controller-action-oriented permissions that you can give to a user. All of that can be managed through the backend interface on the fly.
Has task (not role) oriented access: you can create a custom task (text editing, for example) and base your logic on permissions to tasks instead of roles.
You can find answers to all of those questions here: http://www.yiiframework.com/extension/rights/
Basically, everything you can do with Rights, you can do with RbAC, but Rights makes it all easier to manage.
We are currently building a webapp, which has several user roles. Each user has one or more roles assigned, which grants them permission to interact with specific parts (REST resources) of the webapp. For example, a user with role admin is allowed to perform a create action on the resource user.
We have implemented this access control using RBAC with Casbin. This has suited our access control needs until now. We have arrived at the point where we have to implement some kind of mechanism, which enables users of our webapp to grant access to other users for specific data objects (for example their address). In some cases these other users also need to be able to mutate this data.
I have a feeling RBAC is not meant for this level of fine-grained access control. Therefore I am looking for best practices/alternative access control models which are suited for this use case.
I read about ABAC in this answer, but still have the following 2 questions:
Is ABAC still a recommended model, or are there other models I should know about?
If I end up using ABAC, what is the best way to combine this with RBAC?
I much appreciate any responses.
I'm the Casbin author. Recently, Casbin added support for scaling ABAC rules: https://casbin.org/docs/en/abac#scaling-the-model-for-complex-and-large-number-of-abac-rules. Now you can write very powerful ABAC rules within Casbin. You can also mix RBAC and ABAC together inside Casbin.
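One way to express the RBAC plus ABAC mix the answer points to, as an added example (not code from the Casbin docs or from the asker's project): the matcher first tries RBAC (a role such as admin, or a per-object grant row that the owner adds at runtime with AddPolicy when sharing), then falls back to an ABAC owner check. The struct field names Id and Owner, the address/* object ids and the user names are assumptions; requests pass obj as a struct carrying those two fields.

```ini
# --- model.conf ---
[request_definition]
# sub is the user name; obj is a struct with fields Id and Owner; act is the verb
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
# left branch: RBAC via roles or direct grant rows (g(x, x) is true, so a row for a plain
# user name matches that user); right branch: ABAC, the owner of the object always passes
m = (g(r.sub, p.sub) && keyMatch(r.obj.Id, p.obj) && r.act == p.act) || r.sub == r.obj.Owner

# --- policy.csv ---
# role-level rules: admins may act on any address
p, admin, address/*, create
p, admin, address/*, read
p, admin, address/*, update
# object-level grant created when the owner of address/42 shares it read-only with bob
p, bob, address/42, read
# role assignment
g, alice, admin
```

With this model alice (admin) and the owner of address/42 can update it, bob can only read it, and any other user is denied; to let bob edit the address the owner adds a second grant row with act update.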
I am a newbie in the Symfony framework and I have to create a web application. The problem I have is the authorization of defined actions in the code.
I load my users out of a database with some roles (many-to-many). In the security.yml I work with ACLs for the different routes. But now my teacher told me that I should implement specific rights for roles. That means that I have some roles with rights (many-to-many), so I can create new roles by simply adding some rights.
An example might be "editing users" in the database. So I can specify granularly the rights "editing", "persisting" and so on.
How can I implement this in my Controllers/Twig templates? In Twig I work with the isGranted() function, where I can only check roles?
Thanks for your help :-)
I'm working on a project where I have multiple resources and multiple users. What I need to do is associate different access rights with every user depending on the resource he wants to access.
The problem is that a simple LDAP server can't implement this kind of situation.
An idea is to use multiple LDAP servers, one for each resource, but then how could I manage them all?
Or is there another authentication process I can use in this case?
Spring Security has a special ACL module to handle such situations. The basic idea is that each domain object / resource may have a separate access control list. You need to fill this list with appropriate permissions and add corresponding checks in your code. You can have parent -> child relations between the objects to reduce the number of permissions. Check it out.
If you have logic behind the access to the resources, you may want to use a rules authorization language such as XACML.
If the assignment of resources to users is arbitrary then the use of ACLs with Spring Security's ACL module is good enough.
The problem is that a simple LDAP server can't implement this kind of situation
Mine does. You use LDAP to define the roles associated with each user, then you use web.xml to associate the resources with the roles that are required to access them, then you configure/write your login module such that it looks up the roles of each user when you login. Container-managed security can do all that.
How do I configure a Shiro to use Active Directory Authentication, but in addition I want to map the usernames to custom roles. I can't seem to find any information on this. Can anyone give me any pointers?
To do Active Directory Authentication use the JndiLdapRealm
For the authorization override the method queryForAuthorizationInfo
Be aware that you probably get groups from your AD, so you have to provide your own mapping (group to role).
About this, the Shiro reference manual says:
A RolePermissionResolver can be used by a Realm internally when needing to translate a role name into a concrete set of Permission instances.
This is a particularly useful feature for supporting legacy or inflexible data sources that may have no notion of permissions.
For example, many LDAP directories store role names (or group names) but do not support association of role names to concrete permissions because they have no 'permission' concept. A Shiro-based application can use the role names stored in LDAP, but implement a RolePermissionResolver to convert the LDAP name into a set of explicit permissions to perform preferred explicit access control. The permission associations would be stored in another data store, probably a local database.
Hope this helps.
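The two pieces described above (a JndiLdapRealm subclass overriding queryForAuthorizationInfo to map AD groups to roles, plus a RolePermissionResolver that turns those roles into explicit permissions), written out as an added example rather than code from the Shiro project or the answer. The class names, the searchBase default, the group-to-role map, and the permission strings are assumptions; the resolver's in-memory table stands in for the local database the manual mentions.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authz.*;
import org.apache.shiro.authz.permission.*;
import org.apache.shiro.realm.ldap.*;
import org.apache.shiro.subject.PrincipalCollection;
// Authenticates against AD (inherited from JndiLdapRealm) and maps AD group DNs to app roles.
public class AdGroupRoleRealm extends JndiLdapRealm {
    private Map<String, String> groupRolesMap = new HashMap<>(); // group DN -> role, set in shiro.ini
    private String searchBase = "DC=example,DC=com";             // assumed directory base
    public void setGroupRolesMap(Map<String, String> m) { groupRolesMap = m; }
    @Override protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
            LdapContextFactory ldapContextFactory) throws NamingException {
        String username = (String) getAvailablePrincipal(principals);
        Set<String> roles = new HashSet<>();
        LdapContext ctx = ldapContextFactory.getSystemLdapContext();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            // the username goes in as a filter argument, never concatenated into the filter string
            NamingEnumeration<SearchResult> results = ctx.search(searchBase, "(sAMAccountName={0})", new Object[] {username}, sc);
            while (results.hasMore()) {
                Attribute memberOf = results.next().getAttributes().get("memberOf");
                if (memberOf == null) continue;
                NamingEnumeration<?> groups = memberOf.getAll();
                while (groups.hasMore()) {
                    String role = groupRolesMap.get((String) groups.next()); // unmapped groups ignored
                    if (role != null) roles.add(role);
                }
            }
        } finally {
            LdapUtils.closeContext(ctx);
        }
        return new SimpleAuthorizationInfo(roles);
    }
}
// Resolves role names to explicit permissions; the table would normally live in a local database.
class StaticRolePermissionResolver implements RolePermissionResolver {
    private static final Map<String, List<String>> PERMS = Map.of(
        "admin", List.of("user:*", "report:*"), "editor", List.of("report:read,edit"));
    @Override public Collection<Permission> resolvePermissionsInRole(String role) {
        List<Permission> out = new ArrayList<>();
        for (String p : PERMS.getOrDefault(role, List.of())) out.add(new WildcardPermission(p));
        return out;
    }
}
```

In shiro.ini the realm is wired like any JndiLdapRealm, with its rolePermissionResolver property set to an instance of the resolver so that isPermitted() checks resolve through the role table; groupRolesMap is an assumed property configured the same way.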
I'm working on doing the same thing, but I'm pretty sure you have to write a custom AuthenticationStrategy. I wanted to authenticate against AD but use the INI to define roles, but I could not get it to behave properly enough to not accept authentication against either (even utilizing FirstSuccessfulStrategy). I didn't get to look into it too much, so maybe one of the Shiro guys who floats around can correct this, but I hit these issues today.
I am interested if anyone has experience using DotNetNuke authorization in CSLA.
I would like to be able to use my DotNetNuke roles to be able to assign permissions to my CSLA objects and properties. If I just reference the DNN assemblies won't that create an unwanted dependency in my CSLA business objects?
Would it be easier to build CSLA objects that query the DNN database directly to get role membership?
Thanks...
You definitely do not want to create that dependency with your DNN assembly. Your second suggestion is the way to go.
CSLA uses standard IPrincipal/IIdentity authentication. You can create an object that inherits from the CSLA.Security.BusinessPrincipalBase which uses a CSLA object (e.g. User) that grabs their roles from the DNN database directly. Once you have that authentication integrated, you can place your roles inside your business objects by overriding the AddAuthorizationRules method.