Question

I'm trying to create an RBAC with Zend_Acl. The question I have is that I want users to be able to have multiple roles, but I'm not sure how to solve permission conflicts between the various roles. In cases where there is both an allow and a deny, should the allow always override the deny? As always, thanks a lot for taking the time to check out my question. Cheers!

Solution

Think of it like your home.

  • deny | person
  • deny | anyone from Russia
  • allow | family member
  • allow | friend

Let's say you have a bad feeling about Russians. Would you think that you should deny your good friend access to your home just because he is Russian? No. He has proven some quality that granted him the "friend" status. The allow should override the deny IMO.

No offense to the Russians :P

OTHER TIPS

You should add role priority to your implementation. If an exact resource/privilege pair exists in several roles, you take the one of them with the highest priority. If none of the roles has an exact match, take whatever the higher-priority role returns.

Another approach is to define a user role, like user123:

$acl->addRole('user123', array('admin', 'banned'));

I don't know the behavior of a role with multiple parent roles, so check it out for yourself.

Security best practices indicate that when there is a conflict, you issue a denial.

That being said, from practical experience I build security in the following manner (when it comes to RBAC):

  • Each user has a set of rights; user rights supersede group rights.
  • Each user can have one or more group rights.
  • Each group has a priority level of application; typically admin is applied as the last applied right.
  • I very rarely apply multiple groups to multiple people, and most people that have rights to apply rights cannot do this except for the primary admin (instead I make a new group).
  • I use negative groups (groups with Deny rights) VERY sparingly.
  • Upon applying group rights to a person I have the system check for conflicts and notify the person applying it.
  • In addition to the standard RBAC roles I also have flags such as grant view others, grant edit others, etc.

In addition I use many other mechanisms, such as a sha256 session token, database tables to temporarily check for idle sessions and replay attacks, requiring that the person's IP address stays constant, etc.

Both variants are fine; the question is which you prefer. Having "deny" at a higher priority than "allow" would result in a system where a single "deny" permission takes the rights away, no matter what the others say, or vice versa: having "allow" at the higher priority would mean that a single "allow" grants permission despite many "denys". So the question is: how strict should your system be?
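The role-priority scheme from the first tip (exact resource/privilege match first, then the highest-priority role) combined with the strict-vs-lenient choice from the answer above, as an added Python illustration. This is not Zend_Acl code and not from any answer; the role names, priorities and rules are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A rule key is (resource, privilege); None in either slot means "any".
RuleKey = Tuple[Optional[str], Optional[str]]

@dataclass
class Role:
    name: str
    priority: int  # higher number wins on conflict
    rules: Dict[RuleKey, bool] = field(default_factory=dict)  # True=allow, False=deny

    def decide(self, resource: str, privilege: str) -> Optional[Tuple[bool, bool]]:
        """Return (is_exact, allowed) for the most specific matching rule, or None."""
        if (resource, privilege) in self.rules:
            return True, self.rules[(resource, privilege)]
        for key in ((resource, None), (None, privilege), (None, None)):
            if key in self.rules:
                return False, self.rules[key]
        return None

def is_allowed(roles: List[Role], resource: str, privilege: str,
               deny_wins: bool = True) -> bool:
    """Resolve a user's effective permission across all of their roles:
    1. an exact rule for the pair in the highest-priority role holding one decides;
    2. otherwise the highest-priority role with any applicable rule decides;
    3. roles tied on priority combine by deny_wins (strict) or allow-wins (lenient);
       no applicable rule at all means deny."""
    exact: List[Tuple[int, bool]] = []
    general: List[Tuple[int, bool]] = []
    for role in roles:
        verdict = role.decide(resource, privilege)
        if verdict is not None:
            (exact if verdict[0] else general).append((role.priority, verdict[1]))
    for bucket in (exact, general):
        if bucket:
            top = max(p for p, _ in bucket)
            decisions = [allowed for p, allowed in bucket if p == top]
            return all(decisions) if deny_wins else any(decisions)
    return False  # fail closed

# Constructed sample roles (not from the question). Note that guest's exact
# allow on blog/view outranks banned's general deny, which is one reason to
# use deny groups sparingly.
GUEST = Role("guest", 0, {(None, None): False, ("blog", "view"): True})
EDITOR = Role("editor", 10, {("blog", None): True})
AUTHOR = Role("author", 10, {("blog", "publish"): True})
REVIEWER = Role("reviewer", 10, {("blog", "publish"): False})
BANNED = Role("banned", 20, {(None, None): False})
```

Whichever policy you pick, keeping the resolver in one function like this makes the conflict rule auditable instead of emergent from the order roles happened to be added.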

Licensed under: CC-BY-SA with attribution