Storing Authorization Rules in Database

Transcript

1. Storing Storing @giosakti Authorization Authorization Rules Rules In In

2. @ @gio giosakti sakti

3. None

4. Enterprise Software Development Workshop Center (April-2016)

5. Enterprise Procurement System

6. http://www.meetup.com/jakartarb/ http://tinyurl.com/id-ruby-slack

7. Authorization Authorization

8. Authorization Authorization is not Authentication

9. Identification Authentication Authorization Access Approval Accountability Audit Access Control

10. Authorization Authorization

11. None
12. None

13. Authorization Authorization is quite complex Turns out...

14. Access Control List (ACL) Discretionary Access Control (DAC) Mandatory Access

    Control (MAC) Role-Based Access Control (RBAC) Intent-Based Access Control (IBAC) Emotion-Based Access Control (EBAC) Attribute-Based Access Control (ABAC) Access on Responsibility ADGLP (Microsoft) Host-Based Access Control (HBAC) XACML Break-the-Glass Authorization Delegation Model Authentication-based Delegation Authorization-based Delegation

15. Access Control List (ACL) Discretionary Access Control (DAC) Mandatory Access

    Control (MAC) Role-Based Access Control (RBAC) Intent-Based Access Control (IBAC) Emotion-Based Access Control (EBAC) Attribute-Based Access Control (ABAC) Access on Responsibility ADGLP (Microsoft) Host-Based Access Control (HBAC) XACML Break-the-Glass Authorization Delegation Model Authentication-based Delegation Authorization-based Delegation Lattice-Based Access Control (LBAC) Identity Driven Networking Privilege and Role Management Infrastructure Standards (PERMIS) Model-driven security (MDS) ... ... etc etc

16. Access Control List (ACL) Discretionary Access Control (DAC) Mandatory Access

    Control (MAC) Role-Based Access Control (RBAC) Intent-Based Access Control (IBAC) Emotion-Based Access Control (EBAC) Attribute-Based Access Control (ABAC) Access on Responsibility ADGLP (Microsoft) Host-Based Access Control (HBAC) XACML Break-the-Glass Authorization Delegation Model Authentication-based Delegation Authorization-based Delegation
17. None
18. None

19. User Role Permission Username Password Name Name

20. # Precondition fulan = User.create!(username: "Fulan") admin = Role.create!(name: "Admin")

    read_active_project = Permission.create!( name: "Read Active Project") assign_permission(admin, read_active_project) assign_role(fulan, admin) ## Assume there's a model called Project

21. # If using CanCanCan ## in ability.rb user.permissions.each do |activity_permission|

    case permission.name when "Read Active Project" can :read, Project, active: true end end

22. # If using Pundit class ActiveProjectPolicy < ApplicationPolicy class Scope

    < Scope def resolve if user.permissions.collect(&:name).include? "Read Active Project" scope.where(active: true) else raise "Not authorized!" end end end

23. # If using CanCanCan ## in ability.rb user.permissions.each do |activity_permission|

    case permission.name when "Read Active Project" can :read, Project, active: true end end # If using Pundit class ActiveProjectPolicy < ApplicationPolicy class Scope < Scope def resolve if user.permissions.collect(&:name).include? "Read Active Project" scope.where(active: true) else raise "Not authorized!" end end end
24. None

25. Create our Create our own DSL own DSL Domain Specific

    Language

26. Selects instructions Joins instructions Filter instructions (where) Parser SHQL

27. ## in one of permission record conditions: [ "AND", "object.org_id

    = '123'", "object.manager.org_id = '123'" ] ## After processed by parser, return this select: [] joins: [:manager] filter: ["projects.org_id = '123'", "managers.org_id = '123'"]

28. ## in one of permission record name: "Read Active Project",

    object: "Project", conditions: [ "object.active = true" ] ## After processed by parser, return this select: [] joins: [] filter: ["active IS true"]

29. ## in one of permission record conditions: [ "object.org_id IN

    subject.orgs.id" ] ## After processed by parser, return this select: [] joins: [] filter: ["projects.org_id IN users.org_id"]

30. To be continued... To be continued...

31. Thanks! Thanks! http://tinyurl.com/id-ruby-slack Discuss: See this slide on https://slides.com/giosakti/storing- authz-rules-db