Access Control Management With Swift

Leverage the power of Swift to make your app better by controlling which resources users can access and what actions they can perform

Mostafa Abdellateef

October 21, 2018

Transcript

  1. ACCESS CONTROL MANAGEMENT 101: AUTHENTICATION VS AUTHORIZATION
     Authentication and Authorization answer two different questions: Authentication asks "who are you?", Authorization asks "what are you allowed to do?"

  2. IMAGINARY NEWS APP: THE REQUIREMENTS
     ▸ Anyone can browse public groups, even anonymous users
     ▸ Browsing private groups and posting to them is restricted to group members
     ▸ Deleting posts in a group is restricted to group admins only (note that a group admin can browse and post to their group as well)
     ▸ A super admin can browse, post, or delete posts in any group

  3. GREAT !! WE NEED TO ADD MORE RULES TO THE SYSTEM
     — World's Best Boss

  4. ACCESS CONTROL MANAGEMENT 101: ACL (ACCESS CONTROL LIST)
     A list of permissions attached to an object, usually represented as a table of privileges.

  5. ACCESS CONTROL MANAGEMENT 101: IBAC (IDENTITY BASED ACCESS CONTROL)
     ‣ Each individual is given specific access rights for every operation
     ‣ IBAC can be used in simple systems with few users; however, as the number of users grows, it usually becomes difficult to manage

  6. ACCESS CONTROL MANAGEMENT 101: RBAC (ROLE BASED ACCESS CONTROL)
     ‣ Privileges are grouped into roles and each user is assigned a role (think of a role as a group of users that share some common characteristics)
     ‣ The difference between IBAC and RBAC is that the role, instead of the individual, is the basis for access checks

  7. ACCESS CONTROL MANAGEMENT 101: HRBAC (HIERARCHICAL ROLE BASED ACCESS CONTROL)
     ‣ RBAC implemented as a hierarchy of roles, allowing roles to inherit privileges from other roles
     ‣ Example: GroupAdmin inherits the browse-group permission from GroupMember, because every group admin is-a group member

  8. ACCESS CONTROL MANAGEMENT 101: ABAC (ATTRIBUTE BASED ACCESS CONTROL)
     ‣ Grant access to members of a role who also have specific characteristics
     ‣ Access rights are defined based on the various properties of a user

  9. THE EXECUTION: LET'S START WITH WHAT WE WANT TO ACHIEVE
     The target API, written as Swift (the slide sketches it as pseudocode):

```swift
// The GroupMember policy: a member may browse a group only when the
// member's groupId matches the group the action targets
GroupMember.shouldBeAbleTo(BrowseGroup.self)
    .when { member, action in member.groupId == action.groupId }

// Create users
let ahmed = GroupMember(name: "Ahmed", age: 18, groupId: 1)
let mostafa = GroupMember(name: "Mostafa", age: 18, groupId: 2)

// Create the action
let browseGroup2 = BrowseGroup(groupId: 2)

// Check whether each user is allowed to perform it
ahmed.can(browseGroup2)   // false
mostafa.can(browseGroup2) // true
```
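As an added example that is not part of the deck, here is one self-contained way to realise the policy sketched on slide 9 in Swift, combined with the role hierarchy of slide 7 and the attribute-style condition of slide 8. The names `Policy`, `Role`, `User.can`, `sameGroup` and `always`, and the `isPublic` flag on `BrowseGroup`, are assumptions of this example, not the author's API; every policy is default-deny, so an action no role explicitly allows is rejected.

```swift
// Added example, not code from the deck: a minimal Swift implementation of the
// policy DSL sketched on slide 9, with the role hierarchy from slide 7.
// Names such as Role, Policy and User.can are assumptions of this example.
protocol Action { var groupId: Int { get } }
struct BrowseGroup: Action { let groupId: Int; let isPublic: Bool }
struct PostToGroup: Action { let groupId: Int }
struct DeletePost: Action { let groupId: Int; let postId: Int }
// groupId is nil for anonymous users.
struct User { let name: String; let age: Int; let groupId: Int?; let roles: [Role] }

// A policy binds one action type to a predicate over (user, action);
// any other action type is denied by it (default deny).
struct Policy {
    let check: (User, Action) -> Bool
    init<A: Action>(_ type: A.Type, when: @escaping (User, A) -> Bool) {
        check = { user, action in (action as? A).map { when(user, $0) } ?? false }
    }
}

// HRBAC: a role grants its own policies plus everything its parent roles grant.
final class Role {
    let policies: [Policy]
    let inherits: [Role]
    init(_ policies: [Policy], inherits: [Role] = []) {
        self.policies = policies; self.inherits = inherits
    }
    func allows(_ user: User, _ action: Action) -> Bool {
        policies.contains { $0.check(user, action) } || inherits.contains { $0.allows(user, action) }
    }
}

extension User {
    // Allowed if any role held by the user (or a role it inherits from) allows the action.
    func can(_ action: Action) -> Bool { roles.contains { $0.allows(self, action) } }
}

// Attribute-style condition from slide 9: the user's group must match the action's group.
func sameGroup<A: Action>(_ user: User, _ action: A) -> Bool { user.groupId == action.groupId }
func always<A: Action>(_ user: User, _ action: A) -> Bool { true }
let anyone      = Role([Policy(BrowseGroup.self) { _, a in a.isPublic }])
let groupMember = Role([Policy(BrowseGroup.self, when: sameGroup),
                        Policy(PostToGroup.self, when: sameGroup)], inherits: [anyone])
let groupAdmin  = Role([Policy(DeletePost.self, when: sameGroup)], inherits: [groupMember])
let superAdmin  = Role([Policy(BrowseGroup.self, when: always),
                        Policy(PostToGroup.self, when: always), Policy(DeletePost.self, when: always)])

let ahmed = User(name: "Ahmed", age: 18, groupId: 1, roles: [groupMember])
let mostafa = User(name: "Mostafa", age: 18, groupId: 2, roles: [groupMember])
let browseGroup2 = BrowseGroup(groupId: 2, isPublic: false)
print(ahmed.can(browseGroup2), mostafa.can(browseGroup2))
```

Because `Policy.check` type-tests the action before running the predicate, a role never accidentally grants an action it was not written for, and a new action type stays denied until a policy for it is added to some role.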