This is linked to this question which seems to have asked a while back. Security implementation in a project that is adhering to basic principles of Domain driven design. let me give an example
Banking System:
Use Case: A new bank deposit is being made and requires approval as it is first deposit
a. Clerk can auto authorize if the deposit amount is <5000
b. Manager can be of two types - Bank manager / Account Manager. ONLY Account manager can authorize any accounts that have deposit >5000
My concerns are as follows (Pls correct if the concern itself is correct)
Not sure where should i build this following logic - takes care of checking whether the logged on user has authorization to do certain things taking in to account his title - (this case Account manager). Authorizing is a use case, but the security layer seems to have intimate knowledge on the domain object
In general Authorization (not authentication). I know that Role Based authentication would help, but the question is "where" - in which layer and the call flow. Should the UI layer call on some security layer or would the domain layer validate itself for all possible combinations ?
Please help. Its very confusing.
Bump to see if this gets experts notice
Cheers
Security is a cross-cutting design feature which can affect all classes, methods and properties.
From a DDD perspective you would go with specifications and roles.
Where and how those specifications get implemented comes down to your architecture. You could go with aspects, you could go with in-line calls, events, etc.
Here are some links I would check out regarding security and roles:
Security
Roles
RBAC
Related
How do companies like Facebook and Google implement privacy controls at scale? For example, Facebook has a select audience type which includes public,friends, "friends except...", only me, specific friends, and even custom. From an implementation and design standpoint, how do these companies handle this? Are they defining rule bases access controls, are they manually coding in these features, do they have a privacy model they use, or is it a hybrid approach? If anyone has links to public available design docs, conference links, white papers, and even research papers, please feel free to share. Every time I try to search for how company "X" does privacy controls, I get the "Business" talk on privacy or access controls as it relates to data centers which is not what I'm looking for.
In this patent of Google they describe a "User privacy framework" which does all the things you mentioned.
It uses a database which stores rules and privacy levels for each user.
A authorization server manages this database and evaluates requests for user data.
If user A wants to access data of user B, the authorization server checks if the request is allowed or violates rules or privacy levels.
The request is then answered or rejected.
See this flow chart from the patent:
Flow chart (Sorry, I am not allowed to post images yet)
So what are privacy levels and privacy rules?
Rules are conditions which need to be met if a user requests information of another user. I couldn't find an example in the patent, but I suspect a rule could be something like "Is user A blocked by user B?".
Privacy levels seem to be more general than rules. For example the level "semi-public" allows another user to access the requested information if no rule forbids it.
The level "private" allows storage of the information on the authorization server but forbids access of it through other users.
The level "no access" forbids even the storage of the information on the authorization server.
Obviously I have no idea if they really use this on the large-scale. But it is certainly a possible implementation and for me it seems plausible to do it with databases and rule sets.
Hope this helps. Maybe you find even more patents which describe similar frameworks.
Suppose I am writing software for an insurance company. I use DDD and have a bounded context with entities related to the customer account, address, and related information. If a customer logs in and makes changes to these entities it is straightforward.
But as it is, there is another portal, which the internal support staff uses. Now if a customer calls in to update their account information (not a policy but phone number, address etc.). What is the best and clean way to do it?
Make a call to bounded context used by the customers (HTTP etc).
Allow making changes from the internal portal (probably modifying data across the database/schema boundaries).
Raise a domain event about changed object, and handle it on the customer side application (again this is an event related to a domain object in another context and we are not writing to database from the internal portal).
Bounded Contexts exist because they have a meaning in the domain and a reason to exist in your system. They don't exist to serve a specific type of user or a specific client application. In fact, it's most common that a Bounded Context serves multiple types of users and multiple client applications, especially in software systems with a customer-facing application and a back-office.
In your Insurance domain, both the customer and back-office users will directly interact with the CustomerManagement BC as this BC is there to serve both, not only the Customer. The same way that both the customers and back-office users will be able to see the customer's policies, their coverage, etc.
Technically, the implementation will depend on your architecture. Both client applications could talk to the same API and even share endpoints. Or you could provide an API per client, and these APIs would directly talk to the same BC (either calling the same code or by making remote calls to the same remote service).
You already answered your questions if your business allows user to directly change info about customers directly by phone call this is the case your system should allow to do it. This is what about DDD to focus on the domain and domain is business logic from your example I see the context customers management and some other contexts that use this info but if some one requires to change info about customers this is the business case and system should allow to do it!
In the systems, there may be data that is restricted in nature.
Sometimes access to specific entities should be easily restricted or granted based on user or group membership.
What is the best way to implement this in the microservice architecture?
#1
Should access control, managing permissions etc. be the responsibility of the microserive itself? Developers will have to implement access control, store, and update permissions for every service. Seems like not very robust and error-prone approach.
#2
Create dedicated microservice handling permission management? This service will be called by other microserives to check access permissions for each entity and filtering entities before returning results. Centralized permissions storage and management is an advantage but microservice will have to make a call to "Permission Service" for each entity to check access rights what may have a negative influence on performance. And developers still have to integrate access checks into their services what leaves space for an error.
#3
Make access control responsibility of the API Gateway or Service Mesh. It is possible to think of an implementation that will automatically filter responses of all services. But in the case when the microservice returns list of entities permissions should be checked for each entity. Still a potential performance problem.
Example
Consider the following synthetic example.
Healthcare system dealing with test results, X-Ray images etc. Health information is very sensitive and should not be disclosed.
Test results should be available only to:
patient
doctor
laboratory
Attending doctor may send the patient to another specialist. A new doctor should have access to test results too. So access can be granted dynamically.
So each entity (e.g. test results, X-Ray image) has a set of rules what users and groups are allowed to access it.
Imagine there is a microservice called "Test Results Service" dealing with test results. Should it be responsible for access control, manage permissions etc.? Or permissions management should be extracted to separate microservice?
Healthcare system may also handle visits to a doctor. Information about patient's visit to the doctor should be available to:
patient
doctor
clinic receptionist
This is the example of a different entity type that requires entity level access restriction based on user or group membership.
It is easy to imagine even more examples when entity level access control is required.
I came to the following generic solution.
ACL security model is used. Each object in the system has associated set of permissions. Permissions defines who and what actions can perform on the object.
Microservices are responsible for entity-level authorization and filter objects in responses based on permissions of the objects.
Central Access Control Service is responsible for the creation, update, and deletion of permissions for all objects in the system. Access Control Service database is the primary store of objects' permissions.
Permissions stored in microservices databases are synchronized with Access Control Service database using event-carried state transfer. Every time, permissions are changed an event is sent to the message broker. Microservices can subscribe to these events to synchronize permissions.
API Gateway can be used as the additional protection layer. API Gateway can call Access Control Service directly (RPC) to check response objects' permissions or load recently revoked permissions.
Design features:
A way to uniquely identify each object in the system is required (e.g. UUID).
Permissions synchronization in microservices are eventual consistent. In case of partitioning between message broker and microservice permissions will not be synchronized. It may be a problem with revocation of the permissions. The solution to this problem is a separate topic.
Looks like security is a part of business logic here. In both examples.
Then security could be a part of data scheme.
For example,
Patient can see his tests:
select * from test_result where patient_id=*patient_id*
Doctor can see all test from his medical department:
select * from test_result where branch_id=*doctor_branch*
I believe that to have separate MS for access control is a really bad idea and could lead serious performance problems. Just imagine situation that somebody with zero entity access tries to fetch all entities each time :) You will always need to handle larger result sets than actually needed.
Firstly, this is very bad idea to have a separate (per microservice) security model. It should be single always cross-cutting all application, because it can lead to a hell with access management, permissions granting and mapping between entities in different microservices.
In second, I assume that you are wrong with understanding how to organize microservices..? You should dedicate the principle of splitting functionality into microservices: by features, by domain, etc. Look at Single Responsibility, DDD and other approaches which helps you to achieve clear behavior of your MS.
So, in best case, you should have to:
Choose right security model ABAC or RBAC - there are a lot of other options, but looking at your example I guess the ABAC is the best one
Create separate MS for access management - the main responsibility of this MS is a CRUD and assignment of groups/roles/permissions/attributes to the people accounts.
Create separate MS for providing only permitted health information.
In third, how it works?:
With ABAC you can setup hierarchical roles/permissions (based on groups/attributes) - it helps you to resolve a delegation path of who is permitted to the data
Setup authorization (via auth-MS) and store the list of permissions (in session, cookies, etc)
Check access for a given user for a needed data in health-info-MS. Here we have several options how to do this:
If you use memory-grids (hazelcast, coherence), you can easily create filters with predicates based on security attributes.
If you're using SQL (hibernate, plain SQL, etc.) you should generate queries to return only permitted data - add security specific criteria to the where clause
Few more details about SQL queries with security check in where: before the SQL execution (if hibernate & spring is easy to do with spring-method-auth hook) you should resolve all permissions assigned to a user - you can do this with call to auth-MS.
Example
We created CRUD permissions for TestResult entity - VIEW, EDIT, DELETE.
The role DOCTOR can see any TestResults - so, it has VIEW permission
The role PATIENT can see only his/her TestResults
So, you create a business rules which provide the correct where clause for each business role (DOCTOR, PATIENT, LAB, etc.) and at the end the SQL request would be like:
For patient who has assigned VIEW permission:
select * from test_result where id=*patient_id* and 1=1
For patient who hasn't assigned VIEW permission:
select * from test_result where id=*patient_id* and 1!=1
NOTE: In business rules we can add 1=1 or 1!=1 to permit/restrict query result
This might be more of an industry question rather than a specifically technical one, but the answer must consider the technical feasibility. I've tried to make the question as pointed as possible. I am working on a new web application that must protect social security numbers, bank account transactions, etc. Security is essential, as is the appearance of security. The company I work for, however, is small. Does it make sense to rely on third-party issuers (e.g., Google, Facebook, Twitter, Yahoo), which are certainly popular but as social media do not convey the seriousness of, say, the banking industry? Or can I realistically expect to implement OAuth/Owin/Katana as securely as these third parties? Is there another option that is both reliable and popular, without being driven by social media? Or does it make the most sense to implement security myself? I do not have a heavy security background, but am willing to learn it if forms authentication makes the most sense for my situation.
Your question is not specific enough to give you concrete advise. But creating your own security is never a good idea.
Whether you should use social media identity providers depends on how much you need to be certain of the user's identity. If the user has to enter all that information him/herself, then you only need to make sure that only that account has access. A social media account will work fine in this case. You can't be sure that the user is who he says he is, but that does not matter as he can only see information he entered himself.
If however this SSO and bank transaction info is coming from another source, you'll need a identity provider that gives you more guarantees about the user's identity (for example the bank's logon server)
I am developing an integration with REST Api with yodlee, and I am worry about security considerations, and would like to hear about the best practices concerning security with the server that talks with yodlee via REST API.
There is a method that returns the users password in plain text, getLoginFormCredentialsForItem()
This worries me a lot and I see that I have to isolate this server with the application server.
Do you have any recommendation to confront this scenario?
Thanks for your feedback on this. I've reviewed this with our Yodlee Security team and they've provided the following response:
The Yodlee Platform stores consumer credentials in a reversible format so that we can use those credentials on behalf of, and as authorized by, the consumer in order to retrieve their data for use by the application. Yodlee has enacted multiple layered security controls as defined by US banking regulations, industry standards (e.g. ISO2700K, PCI) and good industry practices to protect these credentials and the data retrieved by them. When Yodlee deploys with a client, access to the APIs are restricted via network and API level access control lists to complement our and our client’s security controls. However, in this Developer Portal, all APIs are white-listed so that developers can explore the full feature set of the Platform.
We're a longstanding platform with over 10+ years of security and bank-level data audits under our belt and we do not take these or any security concerns lightly. As part of our audit process, we will review the need and use of this particular API and make the appropriate determination whether to modify or remove this API completely from use. We thank you for bringing this concern to our attention.