Storing Authorization Rules in Database



Giovanni Sakti

March 03, 2016

Transcript

  1. Storing Authorization Rules In Database @giosakti

  2. @giosakti

  3. None
  4. Enterprise Software Development Workshop Center (April-2016)

  5. Enterprise Procurement System

  6. http://www.meetup.com/jakartarb/ http://tinyurl.com/id-ruby-slack

  7. Authorization

  8. Authorization is not Authentication

  9. Identification, Authentication, Authorization, Access Approval, Accountability, Audit, Access Control

  10. Authorization

  11. None
  12. None
  13. Turns out... Authorization is quite complex

  14. Access Control List (ACL), Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Intent-Based Access Control (IBAC), Emotion-Based Access Control (EBAC), Attribute-Based Access Control (ABAC), Access on Responsibility, AGDLP (Microsoft), Host-Based Access Control (HBAC), XACML, Break-the-Glass Authorization, Delegation Model, Authentication-based Delegation, Authorization-based Delegation

  15. The same list as slide 14, continued: Lattice-Based Access Control (LBAC), Identity Driven Networking, Privilege and Role Management Infrastructure Standards (PERMIS), Model-driven security (MDS), ... etc etc

  16. The same list as slide 14
  17. None
  18. None
  19. Data model: User (username, password), Role (name), Permission (name)

  20. # Precondition
    fulan = User.create!(username: "Fulan")
    admin = Role.create!(name: "Admin")
    read_active_project = Permission.create!(name: "Read Active Project")
    assign_permission(admin, read_active_project)
    assign_role(fulan, admin)
    ## Assume there's a model called Project
  21. # If using CanCanCan
    ## in ability.rb
    ## map each permission stored for the user to a CanCanCan ability
    user.permissions.each do |activity_permission|
      case activity_permission.name
      when "Read Active Project"
        can :read, Project, active: true
      end
    end
  22. # If using Pundit
    class ActiveProjectPolicy < ApplicationPolicy
      class Scope < Scope
        def resolve
          if user.permissions.collect(&:name).include? "Read Active Project"
            scope.where(active: true)
          else
            # raise Pundit's own error so the controller's rescue_from handles it
            raise Pundit::NotAuthorizedError, "Not authorized!"
          end
        end
      end
    end
  23. The CanCanCan (slide 21) and Pundit (slide 22) versions shown side by side; same code as those two slides.
  24. None
  25. Create our own DSL (Domain Specific Language)
  26. SHQL -> Parser -> select instructions, join instructions, filter instructions (where)

  27. ## in one of permission record
    conditions: [
      "AND",
      "object.org_id = '123'",
      "object.manager.org_id = '123'"
    ]
    ## After processed by parser, return this
    select: []
    joins: [:manager]
    filter: ["projects.org_id = '123'", "managers.org_id = '123'"]

  28. ## in one of permission record
    name: "Read Active Project",
    object: "Project",
    conditions: ["object.active = true"]
    ## After processed by parser, return this
    select: []
    joins: []
    filter: ["active IS true"]

  29. ## in one of permission record
    conditions: ["object.org_id IN subject.orgs.id"]
    ## After processed by parser, return this
    select: []
    joins: []
    filter: ["projects.org_id IN users.org_id"]
  30. To be continued...

  31. Thanks! Discuss: http://tinyurl.com/id-ruby-slack See this slide on https://slides.com/giosakti/storing-authz-rules-db