I understand that in a role based access control system (RBAC), roles within an organization are represented by roles. Each role then contains different tasks (access permissions) to do things within the application. Each user in the organization is then assigned one or more roles depending on what his job responsibilities are.
What I don't understand is whether groups exist in in RBAC. I am currently designing a system where users can be assigned one or more roles. Users can then be placed into 1 or more groups (for example, programmers, people on floor 12, people who wear metallica t-shirts, people who are part of the chess club, etc), but the groups do not contain any roles or access permissions.
Do groups even exist in RBAC? If so, should groups contain permissions and roles which are inherited by members of the group?
Well, I cannot tell about the theory aspect too much but I can say that at least with RBAC implementations that I know this abstract 'group' can be achieved using inheritance between roles. Meaning, you could have role prj_A_developers (which lets say can be allowed to 'comit' files, change issues in the task management system, etc), prj_A_testing (lets say, which could change issues to certain status (QA passed/rejected/reopened/etc), etc...).
Now you could have prj_A_admin which is a role that would be a parent of prj_A_testing and prj_A_developers. User's assigned this role will inherit all of this role's child elements - be they other roles, direct 'tasks', etc.
The inheritance is somewhat in the opposite direction is you're used to object oriented programming 'inheritance' concept but I think its clear nevertheless.
I think that using this inheritance you can achieve this 'group' concept.
Related
I have a Workshop module that addresses different user groups. Hence I would like to surface different pages to different groups by default. Indeed I see an option to control the default page selection based on a variable.
My first thought was to split my users into different Multipass groups and then have a function that queries a given user's Multipass attributes for membership in certain groups. However, I don't seem to be able to check for group membership in this way, probably for security reasons.
What would be the recommended way to go about this?
The Foundry security primitives for resource visibility (as opposed to data visibility) are largely aligned at the resource level rather than within a given resource. (The one exception I know of that's relevant is within the Object View configuration, where you can set visibility on different Tabs).
An approach also depends on if the resource visibility is a matter of permissions (i.e. should a user outside a given group not see a given page - again separate from the permission to see any data within that page) or one of convenience (i.e. all users can see all the data and all the interfaces, but each given group should simply start in a separate place.
In the former case, (i.e. security) I think it'd be best to make a separate Workshop app for each team and then maybe wrap them all into a Carbon workspace. The resource visibility, configured as the actual resource permissions in Compass, should determine if it appears in the Carbon workspace for the user.
If it's just for convenience, you could build all the pages in a single Workshop app, then make a separate Carbon workspace for each team and set a parameter to determine the default page, as you mentioned.
Given an application that shows objects (e.g. films) according to certain user permissions.
The general permission to show or create objects is implemented as RBAC with roles and permissions.
The specific permission to access an object with certain attributes (e.g. a film with the attribute “drama”) should be implemented with memberships. That means the object doesn’t have the property “drama”, it is a member of the group “drama”. If the user and the object are members in the same group, the user has the specific permission to access this object. There can be different groups for showing, creating or deleting an object, like a simple viewer group or some kind of editor group. Furthermore there is a table that specifies which group types are relevant for certain actions on certain objects. For example relevant groups for the action “show” on the object "film" could be “genre” and “age” (film's suitability for certain audiences).
The reason to implement it in the described way is to have great flexibility without touching the code. Changes to groups can be processed in the database.
General database design:
Example: The film "The Revenant" is a member of the groups "genre:drama" and "age:18". The user can access it, if he is a member of these groups too.
Does this sound like a good approach? Are there any existing solutions that are similar to this approach? Does it have major drawbacks (e.g. too many database queries - there may be several hundred users every day)?
Please share your thoughts on this issue with me - the choice of "drama" as category for the example is not a coincidence ;) I just dont know if this is a dead end or if I am heading to the right direction. I stuck at this point for quite a while.
At least you have a good sense of humor :-)
Your approach sounds fine. So long as you keep the number of parameters low, then you can get away with role-based access control (RBAC) and a few additional parameters e.g. group membership.
But in the long run, if you want to implement business-driven authorization (access control), you need a way to do this independently of your code: you do not want to rewrite your app code every time there is a requirements change.
To do so, there is an access control model called Attribute-Based Access Control (ABAC) that will let you define your authorization policies independently of your code.
In ABAC, you have the following concepts:
an architecture which defines a policy enforcement point (PEP) and a policy decision point (PDP). The PEP sits in front of (or within) your app. It intercepts the business requests (e.g. a request to view a film) and sends an authorization request to the PDP. The PDP is configured with policies. Based on the request the PDP will reach a decision: either yes, Permit or no, Deny.
a policy language: the policy language is attribute-based (hence the name ABAC). This means that you can use any number of attributes (e.g. user role, user id, user group memberships, but also user age, user location, user subscription as well as resource attributes such as movie rating, movie category, movie price...)
a request / response scheme: this is how you ask for authorization. It is essentially a yes/no flow. "Can a user do X?", "Yes they can."
There are several implementations of ABAC out there - some of which are framework-specific e.g. CanCanCan. XACML and ALFA are two approaches that are not tied to any particular framework. You can choose from open-source and commercial implementations of either language e.g.:
Open Source: SunXACML, ATT XACML
Commercial: Axiomatics Policy Server
I need to express
A passing grade in a pre-requite class, in order to access the next one.
An exemption policy to the above, where the professor can override the requirement.
A student can only have one such exemption in a given span of time (year)
Students must be older than 21
Students can only be enrolled in 3 eligible majors
Or similarly, the NY DMV has a complex set of documents and prerequisites in order to obtain a driver's license.
Question
What abstract syntax will allow me to describe the rules listed above, in a platform neutral way?
Use case
I'm developing an app where people define eligibility rules to access certain data. Those rules may have prerequisites, or key/value ranges to access it.
I am thinking XML, but that might become cumbersome. Just as swagger has become the "easier way" to handle web services, I'm looking for a similar "easy" syntax to handle these rules.
I have a couple of business-related domains like Purchase, Marketing and Economy. Having the models arranged into a namespace* for each domain would be nice, but there are some entities cutting across domains, like an Item. How to organize those cross-cutting objects?
* = As in C#/Java/Python namespaces.
Since you have the concept of Bounded Context, you should not share domains between the namespaces. Actually, you should have one Item for each namespace that requires it, and each of those Item should have it's own fields as required by the context it is included.
As Eric Evans said, it is not a big deal replicate data in order to never share the same domain between contexts, but only data.
Determining whether you have the correct design will require some experience with the domain so you should check with your domain expert.
You may very well require a Shared Kernel for classes that are cross-cutting. You'll have to be careful that you do not abuse the shared kernel by placing too many generic / logical classes in there.
To add to what #rafaels88 has answered you may need to create a BC specific domain construct where some logical entity exists. For instance, a User in the Identity & Access Control BC would be an Author in one BC but perhaps a Supervisor in another.
You could also duplicate an AR in one BC as a VO in another. A Customer in the CRM BC may be the system of record for a customer and, therefore, contain a whole lot more information. In the Order BC, however, a Customer VO may only contain an Id, Name, and perhaps Address (for example).
So you will need to evaluate what type of object you have before deciding where to place it.
The site what.cd uses a type of invitation chain whereby if I invite a friend to the service and they break the rules and loose their account I also loose my account as does the person who invited me and so on.
What is the best way to keep track of this kind of invitation inheritance, Just a table cell linking the user to the user who invited them via their ID or something similar?
If you retain the "inviter" information only on the "invited" model, you have essentially created a singly linked list.
http://en.wikipedia.org/wiki/Linked_list
For the described purpose, the features of such a data structure work reasonably well.
If you think you'll ever need to look at all the people that a person has invited, you may want to keep track of both pieces of information for easier lookup. Alternatively, you could build a table of "invites" that is indexed by both inviter and invitee, which would allow pretty flexible querying.