After reading http://en.wikipedia.org/wiki/Role-based_access_control and seeing the way people are building authorization/access control, this question came to my mind "Why we are checking roles of users when checking if they are permitted to do X rather than checking their permissions?"
This is what I understood, Users have Roles, Roles have permission and this is how a user can have permissions (A user cannot explicitly have permissions assigned to it, it gets its permission by having roles)
And I think it makes sense to check for a permission like "AddUser" when processing a request for adding a user but in .Net library and also in a lot of examples in RBAC we see that they check for Roles. Like they check if the user is in the role of Administrators rather than checking if he/she has the permission "AddUser".
Why? It kind of makes more sense to me to check for permissions.
Can someone please illuminate me here?
Thanks
You are correct - checking for roles in applications instead of permissions is not Role-Based Access Control. Spring security and many other prominent access control mechanisms propagate this security anti-pattern. For correct RBAC usage - perform permission checks in your policy enforcement logic.
If we simplify the RBAC system, RBAC is a method of restricting access to 'some sources or applications or some features of applications' based on rights of users of organization. Here, restrictions can be by means of multiple permissions, those are created by administrator to restrict access, and these permissions collectively represents a role, which will be assigned to user.
You might be partially true for your case :)
But consider a case of complex application, where there are 200 permissions, and administrators need to define few set of permissions to represent specific behavior via role, which will create some complex kind of customization and re presentation of the form for that user.
Here it might be required to check via ‘HasRole(‘SomeRole’)’ method to define exact behavior of user.
So, my answer would be, both methods are equally important in RBAC.
1) HasPermission(‘permissionName’)
2) HasRole(‘roleName’)
A good RBAC solution should provide both these methods. There are such tools available in the market, you can check for them.
Related
I need to implement an authentication system where a super admin can create multiple different roles with different rights for users. That is, not a system with a set number of roles, but have the option to create as many roles with different combination of rights as the superadmin wants, and then assign them to new users. Also with the option of editing these roles, deleting them etc. I'm fairly new at Node Js. Is this something hard to implement? Are there any articles/videos I can read/watch, to start understanding the process? Where do I start? I'd really appreciate any help. Thank you in advance!
You're thinking about Role-Based Access Control (RBAC). I have actually implemented this in Node.js before, feel free to checkout how I implemented it here: https://github.com/JLCarveth/nodeblog.
It's relatively simple. You need a table for tracking roles. Each role has 0 or more permissions. These permissions can be comma-separated strings, or IDs referencing a permissions table. Each user is then assigned a role.
Each route is protected with a middleware that specifies the needed permissions. If a user accesses this route, check that they have the necessary permissions and continue, reject if not.
How can I group the permissions using Picketlink[1] in such a way that I can assign one or more especific Groups of permissions to a Role ?
Thanks in advance.
Have you read the official documentation before asking?
If yes, showing us your efforts would make it easier to help you.
If not, please take a look at this.
I'm asking you this for a reason: I think you've misunderstood the concepts of Group, Role and Permission.
A Group is used to manage collections of identity types. For instance, Alice and Bob could be User identities which are member of "employees" group.
The Role is used in various relationship types to designate authority to another identity type to perform various operations within an application.
For example, Trent could be an User identity with the role of "moderator".
Permissions can be assigned to User, Groups and Roles.
It's up to you to choose in which way(s) to manage permissions in your application.
Access control can be based on Groups ("only employees can use this method"), Roles ("only moderators can delete posts") or even Users ("I am the only one who can eat bacon here!"). This can be done with the use of the Permission API, as explained in the documentation linked above.
Trust me, I know it could be not so simple at first - but please make an effort; then feel free to ask anything :)
Let us know!
Answer to comments
As you said, PicketLink's Permission API only lets you assign one permission at a time.
Anyways, note that even if you have to grant one permission at a time, this doesn't mean you can't grant multiple permissions to an instance:
permissionManager.grantPermission(adminRole, resource, myPermissions.CREATE)
permissionManager.grantPermission(adminRole, resource, myPermissions.DELETE)
permissionManager.grantPermission(adminRole, resource, myPermissions.UPDATE)
grants 3 permissions to every user that has adminRole and needs to invoke resource.
We want a policy whereby permissions must be managed through sharepoint groups. We want to allow site owners to add and remove users from groups in order to manage their permissions to resources, but we don't want them to be able to create the groups or to add user's explicitely to the resource. Is this possible? I don't see any permissions that relate to restricting explicit access to a resource as opposed to access via a group, but I could be overlooking something.
No, this is not possible out of the box. Either a user is able to manage permissions or not, there is no more granular settings to only allow managing in groups.
Unfortunately there also isn't an event receiver you could use e.g. PermissionAdded or PermissionModified, so the only way for you to check these things would be to write a timer job which checks every X minutes whether anything has changed you didn't want to change. Or another possibility is to not allow users to manage permissions, but write your own permission manager which only allows working with groups. Then you could use RunWithElevatedPriviliges to perform your actions.
I have a browser:page setup in Zope, and I have:
permission="zope2.Public"
My question is what should I change this to in order to allow only Plone administrators access, and/or logged in (non-administrators) access to this page?
On Zope, you control access to views via permissions, but to permit someone to access a given permission, you must grant such permissions to a role.
Anyone in the Plone administrators group has been granted the Manager role (on Plone 4.2 that'll change to the SiteAdmin role) generally have access to most permissions. There is also the automatic Authenticated role, which is given to anyone that has been authenticated (has logged in). The latter doesn't have many default permissions though.
Permissions are generally named after the action you want to permit. If your view's goal is to manage some aspect of your Plone portal, then the cmf.ManagePortal permission is probably what you want. You can check the full list of default permissions if you need another one.
There is some excellent documentation on how security works in Plone, which includes information on how to define new permissions too, and how to assign existing permissions to roles.
permission="cmf.ManagePortal"
This setting is about permissions not about roles.
I am developing a desktop application and would like to lock down certain parts for certain users - admins, guests, users, etc. What sort of design patterns are there for implementing a such a permissioning system in a desktop? I can only think of three, but I don't know what they're named (or if they are),
1) Each action performs
it's own security checking, querying
a session or a database for the
appropriate user permissions (common among simple web apps)
Each
action checks with a centralized
permissioning system saying "Does
user have x permission", which
returns some status
Before an action is even attempted, it is intercepted by a dispatcher, which performs some lookup of the action to the applicable permission and user's permissions, and prevents the action from even starting when not allowed
I think you were looking for RBAC (Role based acess control). I think there is no clear difference between the concept of access control in desktop application and access control in web application. The difference is only in the implementation. You might want to check out Spring Rich Client Platform which are integrated to Spring Security.
Outside the Spring Security, the design patterns of RBAC that I could recall are :
Each user might be directly associated to one or many roles
Each role has one or more permission
Each user might belong to one or many groups
Each group has one or more roles
Other patterns that might be of interest is ACL (access control lists) that we accustomed to in Windows based systems :
Each object has an ACL, which shows which user or which group were given access to the object
A child object inherits the parent's ACL
I have already answered similar question for difference between ACL and RBAC, you can check it here.
What is the exact difference between ACL and RBAC in general?