Implementing Access Control in a system

StackOverflow https://stackoverflow.com/questions/17347996

  •  01-06-2022
  •  | 
  •  

Domanda

I came across many different models for the Access Control in a system. When implementing an Access Control model in any system, we usually hard code the rules/rights in the database(considering an RDBMS) by creating separate tables for the Access Control. Also, these rules/rights can be stored in an XML database. I would like to know what is the difference between storing the rules on RDBMS and on an XML database? Also, when should we use XACML for implementing an Access Control model in a system? I mean, how one can decide whether one should hardcode the rules/rights in the database or one should use XACML policy language?

Thanks.

È stato utile?

Soluzione

Disclaimer: I work for Axiomatics, a vendor implementation of XACML

Storing authorization logic if you go your own way could be done either in the RDBMS or in an XML database. It doesn't matter. I doubt that XML brings you any added capabilities.

Now, if you want an authorization system that can cater for RDBMS systems and other types of applications too (CRM, .NET, Java...) then you want to use a solution that is agnostic of the type of application it protects. That's the goal of XACML, the eXtensible Access Control Markup Language.

XACML provides attribute-based, policy-based access control (ABAC and PBAC). This gives you the ability to write extremely expressive authorization policies and managed them centrally in a single repository. A central authorization engine (called Policy Decision Point or PDP) will then serve decisions to your different applications.

As Bell points out, the minimum set of attributes you will need is typically attributes about the user (Subject), the resource, and the action. XACML also lets you add environment attributes. This means you can write the following type of policy:

Doctors can view the medical records of patients they are assigned to.

  • Doctors describes the user / subject
  • view describes the action
  • medical records describes the targeted resource
  • of patients describes the targeted resource too. It's metadata about the resource
  • they are assigned to is an interesting case. It's an attribute that defines the relationship between the doctor and the patient. In ABAC, this gets implemented as doctor.id==patient.assignedDoctorId. This is one of the key benefits of using XACML.

Benefits of XACML include: - the ability to externalize the authorization logic as mentioned by Bell - the ability to update authorization logic without going through a development/deployment lifecycle - the ability to have fine-grained authorization implemented the same way for many different applications - the ability to have visibility and audits on the authorization logic

HTH

Altri suggerimenti

The two are not mutually exclusive.

An XACML policy describes how to translate a set of attributes about an attempted action into a permitted/denied decision. At minimum the attributes would be who the user is (Subject), what they are trying to do (Action) and what they are trying to do it to (Object). Information such as time, the source of the request and many others can be added.

The attributes of the user and the object will still have to be stored in the database. If you are grouping users or objects to simplify administration or to simplify defining access control rules then you're going to have to manage all of that in the database to. All that data will then need to be passed to the XACML Policy Decision Point to return the permit/deny decision.

The advantage of using XACML to define these rules, rather than writing your own decision logic for the rules defined in the database, is that the assessment of the rules can be handed off to an external application. Using a mature, tested XACML implementation (there are open source options) will avoid you making any mistakes in building the checks into your own code.

Hardcoding the policies in your code is a very bad practice I think. In that case you mix the business logic of your resources and the permission check of the access control system. XACML is a big step in the right direction because you can create a fully automatic access control system if you store your rules in a separated place (not hardcoded in the business logic).

Btw you can store that rules in the database too. For example (fictive programming language):

hardcoded RBAC:

@xml

    role 1 editor

@/articles

ArticleController
    @GET /
    readAll () {
        if (session.notLoggedIn())
            throw 403;
        if (session.hasRole("editor"))
            return articleModel.readAll();
        else
            return articleModel.readAllByUserId(session.getUserId());
    }

not hardcoded ABAC:

@db

    role 1 editor
        policy 1 read every article
            constraints
                endpoint GET /articles
            permissions
                resource
                projections full, owner

    role 2 regular user
        policy 2 read own articles
            constraints
                endpoint GET /articles
                logged in
            permissions
                resource
                projections owner


@/articles

ArticleController
    @GET /
    readAll () {
        if (session.hasProjection(full))
            return articleModel.readAll();
        else if (session.hasProjection(owner))
            return articleModel.readAllByUserId(session.getUserId());
    }

As you see the non hardcoded code is much more clear than the hardcoded because of the code separation.

The XACML is a standard (which knows 10 times more than the example above) so you don't have to learn a new access control system by every project, and you don't have to implement XACML in every language, because others have already done it if you are lucky...

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top