i'm developing a Symfony2 app which involves users with hierarchical roles. Right now i can register, recover and login into the application without issues as i've implemented roles and users as described in Symfony2 docs.
At that point, i've developed some CRUD's in order to be able to manage objects in the application but in the current implementation i must check current user roles in order to let him or not run "selected" actions. I mean, in each controller i get security context, then user object and check permissions then sometimes i need to check the current user is the owner of the data - i.e if an user has clients i need to check url passed variables/id/whatever are owned/belongs the current user - and then deny access or not.
So, as far i'm used to and feeling comfortable developing the application as mentioned above i'm wondering is there is a better approach or a Symfony2 approach where i can manage roles and data in standard or more understanding way so future developers doesn't need to go through each if or check inside controllers+actions. I also would like to note i would be able to customize how data or objects are fetched or loaded so i can optimize sql's run in background.
Symfony ACLs is exactly what you need. You can assign access rights (i.e. OWNER, EDIT, VIEW etc) to a single user or assign to all users with a certain role (or both).
If ACL is too complex for your needs, than an alternative approach would be to use a custom Security Voter.
Related
I have a web-application secured with Keycloak. To keep the description of the service short, we have Users and Documents as entities in the service. The users may have access to none or more documents and may edit or read the document.
Currently we have roles such as Admin, EndUser, Developer etc. We then keep a database table outside of Keycloak that maps the documents to users and what user has what access level to what document. All our end-users have the EndUser role in Keycloak. Every single time an EndUser tries to read/edit a Document, we have to make a lookup in the database table for authorization.
We would like to migrate that table to Keycloak. As I understand it I basically have two options:
Create a lot of roles, two for each document with names such as doc_read_[DOCUMENT-ID] and doc_edit_[DOCUMENT-ID] and so on. Then assign the correct role to the correct user. The downside here is that the number of roles will grow A LOT. Also, the number of roles attached to a user will be very large.
Create a group for each document, with the name of the document id. Have different sub-groups for read/write and then add the users in the correct groups. The downside is that the number of groups will be very large. Also, I will rely Authorization on group names, so the list of group names has to be mapped to the token.
I do not want to add a user-attribute with the document-ids to each user. With this approach I can not get an overview of a document and see what users have access to a given Document.
What is the best practice here? Are there any other solutions to solve this issue? This must be a very common setup.
This is just my opinion.
From what I understand both solutions are suboptimal, adding a role per document is unnatural and too finer grain. And as you already mention this would lead to too many roles that probably you will have to add them into the token.
I would personally use Keycloak just for the authentication part and do the authorization part in the backend. I would also try to group the documents in a way that reflect which user roles are allowed to manipulate them.
Alternatively you might try to use Keycloak's Authorization features to handle that use-case, however I have never used it, so there is not much that I can say about this option.
In my opinion what you want to achieve is something that is very tied to your business logic, I wouldn't recomend depending on keycloak to do it. Your token would constantly grow and management would be a nightmare really.
I see no problem in having a service with good cache to lookup permissions, the bulk of the data won't change much over time.
I'm new in sails and I have a PostgreSQL database. I want to implement a user management. I have some users, each user can be assigned to multiple groups, each group can be assigned to multiple roles and each role can have some permissions! I checked document of sails permissions but I didn't get it well. for example, I want some groups not to be able to add or edit users or I want some roles not to be able to see user management menu. what should I do?
I may be a little late to post answer here, But there is a way available for access control in sails.
Sails has built-in policy based access control system.
Policy
Policies in Sails are designed for controlling binary ("yes or no") access to particular actions. They work great for checking whether a user is logged in or for other simple "yes or no" checks, like whether the logged in user is a "super admin".
But for Dynamic permissions,
Helpers
Link for documentation of helper, access-control-and-permissions
For more complex permission schemes, like those in which a requesting user agent's access rights depend on both who they are and what they're trying to do, you'll want to involve the database. While you can use policies to accomplish this, it's usually more straightforward and maintainable to use a helper.
One can find example here,
Using helper for access control and permission
So you can use postgreSQL for storing roles and their respective permissions and retrive user role and check permission on need in policy/helper.
Sails.js has no ACL managment
You have to use 3rd party middleware like roles or role-acl
Sounds like what's most important is the association of the user to the permission (or role). So you could consider making models for each tier (user, role, group) or you can make a model for each kind of group and/or role (though that sounds like it could get out of hand) and then have the models associated with eachother. Then in the view action you can set what the permissions are (aka what groups or roles are allowed to see that page). Also in the markup you can set who is allowed to even see a button.
For example:
isSales could be a boolean on your group or roles model for a user that is in sales and they are allowed to see the edit button to change the price of something. So in your markup you have:
<div v-if="user.isSales">
<button> Edit price </button>
</div>
I'm developing an app using Parse.com for BaaS. Aside from regular security checks, it's my understanding/philosophy that part of security is to assume someone HAS broken in, and then limit the amount they can access/delete/mess up.
One way I'd like to do this is to have a per-user rate limit on certain API requests. I can imagine a sort of naive method where I keep a list of who has accessed recently and when, and check that list before allowing a request of that type to go through (I'm thinking beforeSave for various custom classes).
Is there a better, ideally built-in way?
Though Parse.com doesn't have options for configuring this, parse claims that they keep track of suspicious activities and attempt for DDoS attacks are monitored. But not sure to what extend this is possible, because this specific problem is scenario wise relevant/irrelevant.
You dont have an option to do user level rate limit, but they will report any suspicious activities found like redundant hits from same device.
As given in the Parse docs here, They support two levels of permissions, Class level (via Data browser) & Object level (using ACLs)
Configuring class-level permissions
Parse lets you specify what operations are allowed per class. This
lets you restrict the ways in which clients can access or modify your
classes. To change these settings, go to the Data Browser, select a
class, open the "More" dropdown, and click the "Set permissions" item.
Class level permissions is a manual way of giving access to specific users or roles on a class.
In your case, you might probably need object level permissions based on Access Control Lists(ACL).
Access Control Lists
The idea behind an ACL is that each object has a list of users and roles along with what permissions that user or
role has. A user needs read permissions (or must belong to a role that
has read permissions) in order to retrieve an object's data, and a
user needs write permissions (or must belong to a role that has write
permissions) in order to update or delete that object
Create a new role and add list of users to that role who can access. Then set an ACL like this on the other objects.
{ "role:YourRoleName":{"read":true, "write" : true}}
You can now dynamically add or remove users in that role without updating individual objects.
I am developing a desktop application and would like to lock down certain parts for certain users - admins, guests, users, etc. What sort of design patterns are there for implementing a such a permissioning system in a desktop? I can only think of three, but I don't know what they're named (or if they are),
1) Each action performs
it's own security checking, querying
a session or a database for the
appropriate user permissions (common among simple web apps)
Each
action checks with a centralized
permissioning system saying "Does
user have x permission", which
returns some status
Before an action is even attempted, it is intercepted by a dispatcher, which performs some lookup of the action to the applicable permission and user's permissions, and prevents the action from even starting when not allowed
I think you were looking for RBAC (Role based acess control). I think there is no clear difference between the concept of access control in desktop application and access control in web application. The difference is only in the implementation. You might want to check out Spring Rich Client Platform which are integrated to Spring Security.
Outside the Spring Security, the design patterns of RBAC that I could recall are :
Each user might be directly associated to one or many roles
Each role has one or more permission
Each user might belong to one or many groups
Each group has one or more roles
Other patterns that might be of interest is ACL (access control lists) that we accustomed to in Windows based systems :
Each object has an ACL, which shows which user or which group were given access to the object
A child object inherits the parent's ACL
I have already answered similar question for difference between ACL and RBAC, you can check it here.
What is the exact difference between ACL and RBAC in general?
Is user profiles an appropriate place to store things like number of items per page in a custom grid user selected? (I you can store it in the view, but it won't be per user this way).
My first though was to store these settings in user profiles, but there are problems with access permissions for programmatically creating user profile properties boiling down to you either have to give every user 'Manager User Profiles' permission in SSP or you have to run the application pool under a domain user, not NETWORK SERVICE. Both scenarios are unrealistic for me, so I'm now looking for another way to store such 'per user' settings.
Thanks!
Edit: I'm now considering ASP.NET profile mechanism with an additional DB to store user properties.
Given that the information is not sensitive a simple database with values stored against AD login should suffice.
And as you have the ASP.Net user database already, storing the information there would be the best option.
Maybe a Global List, that is only accessible for the SHAREPOINT\SYSTEM User and that you can then Query in a SPSecurity.RunWithElevatedPrivileges Function.
Disadvantage: You require Custom code to read/write to that list.
Cookie?
Sure they have limitations, but it is fairly easy to create the control to run javascript to add/edit the value