I'm about to develop a management web app with Laravel.
I need that my users have different roles with different permission.
In details: some users can add customers, some users can write pieces of a paper related to the customer, some other users can just read that paper and some other users can read just some pieces of that paper.
So I decided to use an RBAC approach in order to gain a certain flexibility.
I'll use this DB schema (just an example schema, but represent the needings of my application):
dbexample
My answer is: since there is a direct relationship between users and paper, customer, attachs etc., how are RBAC rules expressed? I have to check user's permission in frontend when he request an operation or a resource? Or there are ways to express this rules even at backend level? Maybe using some GRANT options?
Hope sby can help.
Thank you!
I would recommend using one of the RBAC packages already available to you, there are a few out there but a couple noteworthy mentions include:
Spatie Permissions
Laratrust
You define roles such as User and Customer, permissions such as can-write-paper, can-read-paper and assign them to either roles or individual users depending on your use case.
Related
we have a common APIM setup where developer publishes and subscribes products. Can we restrict certain developers to only publish APIs under specific product. We don't want a developer tampering with the product published by another developer. I found a document where we can restrict the visibility from a subscribers perspective link to doc
Can a similar access control can be done for a publishers?
Look into ARM custom roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles You should be able to create RBAC rules for your developers scoping access only to a certain products, since API membership in product is controlled by /products/{pid}/apis/{aid}
There is a concept called "groups" provided by azure, which will help us to group users and give privileges based on the roles(RBAC). Groups are further divided into two types
1.Default
2.Custom
A specific group of users can be given permissions edit to a specific product and only read some other product.
For Further reference follow the link: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-create-groups
I have to provide some functionality that will let me create users with a custom set of permissions by assigning them some combination of existing roles for couchbase.
For example I want to have role X that will be equal to those couchbase roles: query_select, fts_searcher and data_monitoring.
The problem is that I couldn't find way to conclude which roles will be inherited. This is only shown with browser API when you choose Admin or Cluster Admin role, but there are more of those cases.
When I'm creating those roles in Python SDK or using couchbase-cli there is like 0 verification on that, so then even Admin role does not exclude the ones it inherit (see u01).
There is some info in documentation that helps me deal with that but it doesn't cover all of it.
RBAC for Administrators and
RBAC for Applications
Is there any faster way than testing it out manually?
Any help would be greatly appreciated!
I'm working on a SaaS product and trying to figure out the best way to design the database for my scenario, which I think is pretty standard.
I should not that I don't have an experience designing such a database.
I tired researched online, but there isn't really any info I could find about implementation. There are quite a few comparing the different multi-tenant architectures.
For the multi-tenant approach, I decided go with a single database - seemed to be the most fitting.
Here's the basic list of what should be supported:
Multiple clients, all separated, no sharing of data between them.
Each client has it's own user base (staff/employees).
The client's staff members have different access levels to the system (exposure to different areas, ability to perform certain actions)
Each client have it's own customers.
I can wrap my head around the basic concept of having the tenant_id on any table belongs to that tenant. I guess my issue is more with how to combine it with different access levels per client's staff member.
How would you go about it?
Any reference some implementation of such a DB?
Thanks
Update
After #dmfy answer, I gave it some thought and came up with this solution:
account
-id
-name
user
-id
-account_id
-username
-password
role
-id
-account_id
-name
user_role
-user_id
-role_id
access
-id
-role_id
-name
role_access
-role_id
-access_id
session
-account_id
-user_id
-token
I'll explain-
The role table is essentially a "group" of users associated with a list of permissions/access levels.
The access table represents a single permission. An area of the platform, an action that can (or cannot) be performed.
A row in the session table is created after a successful login. Each time there's a call to the server, if the user has been verified against the token, I will lookup the roles for that user (using the session.user_id on the user_roles and collect it's access list using role.id on role_access.role_id).
Once I have the access list I can check against the request and see if the user is permitted to perform the action.
Notes
role can be customized for each tenant/account (e.g one can have "Management" and "Employees" and another can have "Management", "Support", and "Sales" ), hence the association with account.
access on the other hand, is platform-wide. The platform have the same set of areas and actions across all tenants. So there is not need to associate it with a specific account.
An improvement to the access lookup could be to store the access list on the session on login, to eliminate the double join (get all the user's roles, get all the roles' access lists).
Questions
Firstly, what is your overall opinion on the design. Do you see any flaws?
Is saving the account_id on the session really needed/a good idea?
Is having the server check whether the user has access to a certain resource is the standard way of doing this? Is there a way to do this as part of the itself query (e.g get an error from the DB itself)?
You might get a better answer by describing the requirements before you outline the solution.
Your design seems to describe an authorisation scheme. It looks fairly credible - I'd summarize it in natural language as:
A tenant is an account.
An account has many users.
A user can have
many roles.
Roles grant access to many permissions.
The system
maintains a list of sessions, mapping requests to users; this in turn
allows the system to check whether the user has permissions for a
given action.
Without knowing your requirements, that seems fairly reasonable. You may want to include a link from "account" to something your application recognizes as "tenant".
The big question is how you will use this data in your application. Checking permissions - especially fine-grained permissions - for each request could be expensive.
The specific solution here depends heavily on your application framework - many have built-in authentication/authorization models, and it's usually a good idea to use those built-in features.
For ideas on how to implement this, you could look at CanCanCan, an authorization framework for Ruby on Rails, or Authority for Laravel.
It's also not clear how the actual data in your system will be linked to an account - if your system tracks widgets, does the "widgets" table have an "account_id" column? If so, how does your application track who is and is not allowed to access that row?
It sounds like you're conflating database users with application users. In a SaaS product with a shared-schema model, individual users won't have direct acess to the database; instead, your application connects as a single user with appropriate rights on all objects it needs. What you're worried about is what areas of the application users can access and what actions they can take. This means you need to build your authorization model into your schema.
The simplest possible model has two levels of access: regular users and administrators. This can be represented with a users table having a tenant_id to associate individual logins with the correct client, and an is_admin flag. Your application then ensures that only users with the flag set can access administrative functionality. If your authorization model is more complex, design your schema appropriately (users may have a many:many relationship with roles, for example).
Note also that a tenant_id column is only strictly required for tables directly related to tenants; if you have a profiles table with a user_id, you can trace the relationship back to the tenant through users. In some cases it may make sense to add the tenant_id to avoid long join chains.
I am developing the application in which i have a super user concept. Super user is the user who has all the access for the application. So what my initial thinking is in user table the user with id 1 will be my super user. but how safe is this in terms of security concern ? is there any other logic which i can use to define super user ?
I have done more emphasis in coding side. I also implemented the roles and other access permissions, But what i need to to do is something like ghost user. Whenever he logged in he could be able to access everything like he is a father of application. for his access i shouldn't need to check any role conditions or access condition. is it possible ?
Thanks.
Why not work with roles? Make a column in your user table where you have 'SuperUser', 'Admin', 'ReadOnly',... Or perhaps just 0, 1, 2... and match it with a constant/enumerable in your code. Now you can easily change your super user, make multiple super users, give someone temporary super user rights, define other roles...
From the database point of view it is valid to define two or more users and grant more or less permissions to them, work with roles etc.. But as you said - it's about the application. So in parallel to the database security you need to consider application security in terms of:
which user may get which functions, menu items, web pages etc.
how can this be configured and parameterized, etc.
I personally put a bit more emphasis on the application side and less on the DB side. So thinking of e.g. PHP + MySQL, I have 2 DB users (operator, admin), but a database table within my application for each (application) user, assigning to them the operator or admin login for the DB and defining which parts of the application they get.
As a complement to the other answers:
Don't forget you could create users and grant/revoke permissions at DB level. I would not push for a 1-1 mapping between your application users and the DB users, but you could use that to implement "roles" and enforce permissions at DB level as an extra level of protection. This might be especially interesting if you have some users with "read-only" and/or "anonymous" access. This would prevent "escalation of privilege" due to a bug in you application code.
Super user is the user who has all the access for the application. So
what my initial thinking is in user table the user with id 1 will be
my super user.
In the Unix tradition, super-user is generally ID 0. This might improve code (maybe) and more important make it more understandable by programmers familiar with kernel/security coding.
But what i need to to do is something like ghost user [...] for his
access i shouldn't need to check any role conditions or access
condition. is it possible ?
I don't think this is a good idea to somehow "deactivate" all your security checks for one particular user. In order to improve maintainability and not clutter the code with permission-checking, as of myself, I would encapsulate all the code that need to check permissions in wrapper functions or objects, then I would use that wrapper in the rest of the application. Based on that, and if you implement "roles" at application level as someone else suggested, handling the "ghost user" shouldn't be too much of an issue.
I am rolling my own blogging system and I am wondering how to determine permissions and implement them in a blogging system?
What should be the permissions for a commenter, a blogger and an admin?
What is the best way to implement them?
You didn't mention what language/framework you're using. Django includes a very useful and complete set of permissions that you can get up and running with. I'd assume that there are a number of other web frameworks that do the same.
Therefore, my advice is to find a web framework that you like and think is fun (this sounds like a personal project after all) that will handle these kinds of things for you.
I'd go with a combination of a decoupled authentication component, that you can ask if the current user has the role X, and if so allow them to do the thing. That way you can leave the specifics of groups and expiry etcetera to the authentication component.
You could combine this with some specialized authentication for your blogging engine, eg. having a list of posters in the blog object, and always allowing those persons to make posts.
Give each user a "privilege" value and store it in the users table in the database.
for example:
0: plain user (can comment)
1: writer (can write new posts and modify his own posts)
2: moderator (accepts/deletes comments)
4: admin (access to all)
Use a combination of serverside sessions and cookies for logins.
For "advanced" user privileges, use bitmasks and create groups.
Bitmasking: for example, using previous values, user level 3 (2+1) would have both writer and moderator privileges.