Question

For web applications with highly complex access control rules, do you always use an ACL?

When determining my users' privileges I have a multitude of considerations, including:

  • Are they logged in?
  • Are they an Admin, or a Normal User?
  • Are they browsing a node in a graph?
  • What type of node are they browsing?
  • What is their relationship to the node (i.e. paths to the node)?
  • What is the user's default setting?
  • What is the node's default settings?
  • What are the settings of the graph edges that connect the user to the node?
  • etc

Developing an ACL was proving to be difficult. After a while I resorted to doing "if/then" checks on basic attributes at the top of every action, e.g. if(isAdmin) {...}

This seems to be working OK and I'm wondering whether I should leave it in place as a permanent solution. Thus the question: does there come a point where the complexity of access control outgrows an ACL? Or is it simply that I need to try a bit harder?

Was it helpful?

Solution

When your access control model becomes too complex because access is no longer only based on the identity of the user, you want to move to another access control model.

You could use role-based access control (RBAC) where permissions are grouped into roles and roles are assigned to users. Active Directory and other LDAP products let you do role-based access control.

But if you want to implement more than just roles and in particular you want to take into account relationships, graphs, and graph edges, you want to use attribute-based access control (ABAC). In attribute-based access control, you can implement authorization logic that takes into account user attributes (their role, department, location, age, citizenship...) as well as resource attributes (the node's location within a graph, the edge...) as well as the relationship between the node and the user.

I uploaded a video on ABAC: www.youtube.com/watch?v=xUEbBKnxWSo CERIAS also have some great ones: www.youtube.com/watch?v=3ZCoupGHmwo

The main standard that implements ABAC today is XACML, the eXtensible Access Control Markup Language. I would look into XACML (disclaimer - I work for Axiomatics, a XACML vendor).

There are vendor and open source XACML implementations you can check out.

With XACML, instead of having a bunch of if(isAdmin) and if(validCitizen) statements, you end up having a single if (isAuthorized()) statement. The actual authorization logic is centralized inside a policy expressed in XACML. This is also known as externalized authorization.

OTHER TIPS

The acronym ACL stands for Access Control List. So per definition - as soon as you control what users get access to based on which user they are or which group they belong to, you have an ACL.

So the short answer to the first question is, yes you always use an ACL.

As for the other questions, I would say yes on both of them

An ACL can become more complex than the application it's controlling should require - if you for example want too fine a control over what users can do. So if you think it is getting to complicated - see if you can't "dumb it down" a bit, by grouping some ACOs together or even removing them (and allowing all users access to them).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top