Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Storing Authorization Rules in Database

Avatar for Giovanni Sakti Giovanni Sakti
March 03, 2016
Programming
410
1

Storing Authorization Rules in Database

Avatar for Giovanni Sakti

Giovanni Sakti

March 03, 2016

More Decks by Giovanni Sakti

See All by Giovanni Sakti
Pathfinder - Building a Container Platform in Ruby Ecosystem
Avatar for Giovanni Sakti giosakti
0
370
Ruby Community and RubyConfID (Sept 2017)
Avatar for Giovanni Sakti giosakti
0
200
Building a Programming Language 101
Avatar for Giovanni Sakti giosakti
0
510
Simplify Websocket Implementation using ActionCable (Feb 2017)
Avatar for Giovanni Sakti giosakti
0
71
Inspired by Ruby (Jan 2017)
Avatar for Giovanni Sakti giosakti
0
88
flexible-authorization
Avatar for Giovanni Sakti giosakti
1
620
Introducing Rails (Feb 2016)
Avatar for Giovanni Sakti giosakti
0
89
Angular 2 - Now in Beta (Jan 2016)
Avatar for Giovanni Sakti giosakti
1
96
Introducing ActionCable (Oct 2015)
Avatar for Giovanni Sakti giosakti
2
85

Other Decks in Programming

See All in Programming
作って学ぶ、 JSX (TSX) ランタイムの基本
Avatar for syumai syumai
7
1.6k
LLM本来の能力を解き放つサンドボックス技術とAI民主化への適用
Avatar for Yuku Kotani yukukotani
3
3.7k
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
Avatar for ギークプラス ソフトウェア事業部 geekplus_tech
0
340
AIチームを指揮するOSS「TAKT」活用術 / How to Use “TAKT,” an OSS Tool for Orchestrating AI Teams
Avatar for nrs nrslib
6
890
エージェンティックRAGにAWSで入門しよう!
Avatar for Har1101 har1101
8
1.5k
The NotImplementedError Problem in Ruby
Avatar for Koichi ITO koic
1
740
Java × distroless で 軽量なコンテナイメージを / Java on Distroless
Avatar for Daisuke Garaike contour_gara
0
540
Vite+ Unified Toolchain for the Web
Avatar for Naoki Haba naokihaba
0
290
JJUG CCC 2026 Spring: JSpecify で実現する Kotlin フレンドリーな Java API 設計
Avatar for ternbusty ternbusty
1
160
生成AI時代にこそ効くGo | Why Go Works in the Age of Generative AI
Avatar for mom0tomo mom0tomo
8
3.2k
Make SRE Operations Easier with Azure SRE Agent
Avatar for KAMEGAWA Kazushi kkamegawa
0
5.6k
技術記事、AIに書かせるか、自分で書くか? 〜それでも私が自分の手で書く理由〜 / #QiitaConference
Avatar for Junichi Ito jnchito
2
1.4k

Featured

See All Featured
Ethics towards AI in product and experience design
Avatar for Skipper Chong Warson skipperchong
2
310
Visualization
Avatar for Eitan Lees eitanlees
152
17k
SERP Conf. Vienna - Web Accessibility: Optimizing for Inclusivity and SEO
Avatar for Sara Fernández Carmona sarafernandez
2
1.5k
Joys of Absence: A Defence of Solitary Play
Avatar for Sebastian Deterding codingconduct
1
390
Claude Code のすすめ
Avatar for schroneko schroneko
67
230k
How to Talk to Developers About Accessibility
Avatar for Jason CranfordTeague jct
2
230
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
62k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
97
6.7k
Between Models and Reality
Avatar for mayunak mayunak
4
330
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
180
It's Worth the Effort
Avatar for 3n 3n
188
29k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
Avatar for Mike Taylor tmiket
0
170

Transcript

  1. Storing Storing @giosakti Authorization Authorization Rules Rules In In

  2. @ @gio giosakti sakti

  3. None

  4. Enterprise Software Development Workshop Center (April-2016)

  5. Enterprise Procurement System

  6. http://www.meetup.com/jakartarb/ http://tinyurl.com/id-ruby-slack

  7. Authorization Authorization

  8. Authorization Authorization is not Authentication

  9. Identification Authentication Authorization Access Approval Accountability Audit Access Control

  10. Authorization Authorization

  11. None
  12. None

  13. Authorization Authorization is quite complex Turns out...

  14. Access Control List (ACL) Discretionary Access Control (DAC) Mandatory Access

    Control (MAC) Role-Based Access Control (RBAC) Intent-Based Access Control (IBAC) Emotion-Based Access Control (EBAC) Attribute-Based Access Control (ABAC) Access on Responsibility ADGLP (Microsoft) Host-Based Access Control (HBAC) XACML Break-the-Glass Authorization Delegation Model Authentication-based Delegation Authorization-based Delegation

  15. Access Control List (ACL) Discretionary Access Control (DAC) Mandatory Access

    Control (MAC) Role-Based Access Control (RBAC) Intent-Based Access Control (IBAC) Emotion-Based Access Control (EBAC) Attribute-Based Access Control (ABAC) Access on Responsibility ADGLP (Microsoft) Host-Based Access Control (HBAC) XACML Break-the-Glass Authorization Delegation Model Authentication-based Delegation Authorization-based Delegation Lattice-Based Access Control (LBAC) Identity Driven Networking Privilege and Role Management Infrastructure Standards (PERMIS) Model-driven security (MDS) ... ... etc etc

  16. Access Control List (ACL) Discretionary Access Control (DAC) Mandatory Access

    Control (MAC) Role-Based Access Control (RBAC) Intent-Based Access Control (IBAC) Emotion-Based Access Control (EBAC) Attribute-Based Access Control (ABAC) Access on Responsibility ADGLP (Microsoft) Host-Based Access Control (HBAC) XACML Break-the-Glass Authorization Delegation Model Authentication-based Delegation Authorization-based Delegation
  17. None
  18. None

  19. User Role Permission Username Password Name Name

  20. # Precondition fulan = User.create!(username: "Fulan") admin = Role.create!(name: "Admin")

    read_active_project = Permission.create!( name: "Read Active Project") assign_permission(admin, read_active_project) assign_role(fulan, admin) ## Assume there's a model called Project

  21. # If using CanCanCan ## in ability.rb user.permissions.each do |activity_permission|

    case permission.name when "Read Active Project" can :read, Project, active: true end end

  22. # If using Pundit class ActiveProjectPolicy < ApplicationPolicy class Scope

    < Scope def resolve if user.permissions.collect(&:name).include? "Read Active Project" scope.where(active: true) else raise "Not authorized!" end end end

  23. # If using CanCanCan ## in ability.rb user.permissions.each do |activity_permission|

    case permission.name when "Read Active Project" can :read, Project, active: true end end # If using Pundit class ActiveProjectPolicy < ApplicationPolicy class Scope < Scope def resolve if user.permissions.collect(&:name).include? "Read Active Project" scope.where(active: true) else raise "Not authorized!" end end end
  24. None

  25. Create our Create our own DSL own DSL Domain Specific

    Language

  26. Selects instructions Joins instructions Filter instructions (where) Parser SHQL

  27. ## in one of permission record conditions: [ "AND", "object.org_id

    = '123'", "object.manager.org_id = '123'" ] ## After processed by parser, return this select: [] joins: [:manager] filter: ["projects.org_id = '123'", "managers.org_id = '123'"]

  28. ## in one of permission record name: "Read Active Project",

    object: "Project", conditions: [ "object.active = true" ] ## After processed by parser, return this select: [] joins: [] filter: ["active IS true"]

  29. ## in one of permission record conditions: [ "object.org_id IN

    subject.orgs.id" ] ## After processed by parser, return this select: [] joins: [] filter: ["projects.org_id IN users.org_id"]

  30. To be continued... To be continued...

  31. Thanks! Thanks! http://tinyurl.com/id-ruby-slack Discuss: See this slide on https://slides.com/giosakti/storing- authz-rules-db