$30 off During Our Annual Pro Sale. View Details »

Storing Authorization Rules in Database

Storing Authorization Rules in Database

Giovanni Sakti

March 03, 2016
Tweet

More Decks by Giovanni Sakti

Other Decks in Programming

Transcript

  1. Access Control List (ACL) Discretionary Access Control (DAC) Mandatory Access

    Control (MAC) Role-Based Access Control (RBAC) Intent-Based Access Control (IBAC) Emotion-Based Access Control (EBAC) Attribute-Based Access Control (ABAC) Access on Responsibility ADGLP (Microsoft) Host-Based Access Control (HBAC) XACML Break-the-Glass Authorization Delegation Model Authentication-based Delegation Authorization-based Delegation
  2. Access Control List (ACL) Discretionary Access Control (DAC) Mandatory Access

    Control (MAC) Role-Based Access Control (RBAC) Intent-Based Access Control (IBAC) Emotion-Based Access Control (EBAC) Attribute-Based Access Control (ABAC) Access on Responsibility ADGLP (Microsoft) Host-Based Access Control (HBAC) XACML Break-the-Glass Authorization Delegation Model Authentication-based Delegation Authorization-based Delegation Lattice-Based Access Control (LBAC) Identity Driven Networking Privilege and Role Management Infrastructure Standards (PERMIS) Model-driven security (MDS) ... ... etc etc
  3. Access Control List (ACL) Discretionary Access Control (DAC) Mandatory Access

    Control (MAC) Role-Based Access Control (RBAC) Intent-Based Access Control (IBAC) Emotion-Based Access Control (EBAC) Attribute-Based Access Control (ABAC) Access on Responsibility ADGLP (Microsoft) Host-Based Access Control (HBAC) XACML Break-the-Glass Authorization Delegation Model Authentication-based Delegation Authorization-based Delegation
  4. # Precondition fulan = User.create!(username: "Fulan") admin = Role.create!(name: "Admin")

    read_active_project = Permission.create!( name: "Read Active Project") assign_permission(admin, read_active_project) assign_role(fulan, admin) ## Assume there's a model called Project
  5. # If using CanCanCan ## in ability.rb user.permissions.each do |activity_permission|

    case permission.name when "Read Active Project" can :read, Project, active: true end end
  6. # If using Pundit class ActiveProjectPolicy < ApplicationPolicy class Scope

    < Scope def resolve if user.permissions.collect(&:name).include? "Read Active Project" scope.where(active: true) else raise "Not authorized!" end end end
  7. # If using CanCanCan ## in ability.rb user.permissions.each do |activity_permission|

    case permission.name when "Read Active Project" can :read, Project, active: true end end # If using Pundit class ActiveProjectPolicy < ApplicationPolicy class Scope < Scope def resolve if user.permissions.collect(&:name).include? "Read Active Project" scope.where(active: true) else raise "Not authorized!" end end end
  8. ## in one of permission record conditions: [ "AND", "object.org_id

    = '123'", "object.manager.org_id = '123'" ] ## After processed by parser, return this select: [] joins: [:manager] filter: ["projects.org_id = '123'", "managers.org_id = '123'"]
  9. ## in one of permission record name: "Read Active Project",

    object: "Project", conditions: [ "object.active = true" ] ## After processed by parser, return this select: [] joins: [] filter: ["active IS true"]
  10. ## in one of permission record conditions: [ "object.org_id IN

    subject.orgs.id" ] ## After processed by parser, return this select: [] joins: [] filter: ["projects.org_id IN users.org_id"]