Slide 1

Access Control, Authorization, and Authentication

Adam Englander, Ijeoma Ezeonyebuchi, Eric Mann

Slide 2

Hello.

Adam Englander, Architect, iovation
Ijeoma Ezeonyebuchi, Mobile Quality Assurance Engineer, NPR
Eric Mann, Director of Engineering, Vacasa

Slide 3

Today’s Session

- Terminology
- Access Control Systems
- Role-based Systems
- Attribute-based Systems
- Risk-based Systems
- Things to Consider

Slide 4

Terminology

Authorization is the function of specifying access rights/privileges to resources. (Wikipedia)

Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. (Wikipedia)

Slide 5

Terminology

Access control is the selective restriction of access to a place or other resource. (Wikipedia)

Slide 6

For example ...

// Authentication only: is there a logged-in user?
if (! isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// No authorization step: any logged-in user can fetch any file in uploads/
$filename = basename($_POST['filename']);
$file = sprintf('/var/www/support/uploads/%s', $filename);

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
    header(sprintf('Content-Length: %d', filesize($file)));
    readfile($file);
    exit;
}

Slide 8

Terminology

Authorization is not Authentication is not Access Control

Slide 9

Authorization -vs- Authentication

- Authentication: proving a user is who they say they are
- Authorization: proving a user is allowed to do what they are attempting to do

Slide 10

Authorization -vs- Access Control

- Authorization: proving a user is allowed to do what they are attempting to do
- Access Control: actually enforcing authorization controls on systems or resources

Slide 11

Strong Security Requires all Three

- Authentication
- Authorization
- Access Control

SECURITY

Slide 12

Role-based Access Control (RBAC)

RBAC separates the concepts of Users, Roles and Permissions. Roles are defined in a system, then Permissions are defined separately. Then the security administrator decides what role should be permitted to do what action, by assigning that role to the permission. Finally, users are assigned to roles. The system does the rest. (PHP-RBAC)

Slide 13

Role-based Access Control

- Users are each assigned to one or more roles
- Each role has one or more permissions
- Operations are restricted based on role membership (that is, on the permissions the role grants)

Slide 14

Role-based Access Control (RBAC)

Slide 15

For example ...

if (! isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

$rbac = new \PhpRbac\Rbac();
// user id hard-coded as 105 rather than taken from the session
$rbac->enforce('downloads_manager', 105);

$filename = basename($_POST['filename']);
$file = sprintf('/var/www/support/uploads/%s', $filename);

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
    // ...

Slide 16

For example ...

if (! isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

$rbac = new \PhpRbac\Rbac();
// Authorization: the authenticated user must hold the downloads_manager permission
$rbac->enforce('downloads_manager', $_SESSION['user_id']);

$filename = basename($_POST['filename']);
$file = sprintf('/var/www/support/uploads/%s', $filename);

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
    // ...
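The user/role/permission model from slides 12 and 13, and the point of slide 16 that the subject of the check must be the session's user, shown as an added in-memory example. This is not code from the talk or from the PHP-RBAC library; the class, the role and permission names, and the user ids are constructed for illustration, and there is no database behind it.

```php
<?php
// Added example, not from the talk or PHP-RBAC: a minimal in-memory RBAC.
// Users are assigned roles; roles carry permissions; a check walks user -> roles -> permissions.
declare(strict_types=1);

final class Rbac
{
    /** @var array<string, list<string>> role => permissions it grants */
    private array $rolePermissions = [];
    /** @var array<int, list<string>> user id => roles held */
    private array $userRoles = [];

    public function addRole(string $role, array $permissions): void
    {
        $this->rolePermissions[$role] = $permissions;
    }

    public function assignRole(int $userId, string $role): void
    {
        if (!isset($this->rolePermissions[$role])) {
            throw new InvalidArgumentException("Unknown role: $role");
        }
        $this->userRoles[$userId][] = $role;
    }

    /** True if any role held by the user grants the permission. */
    public function check(string $permission, int $userId): bool
    {
        foreach ($this->userRoles[$userId] ?? [] as $role) {
            if (in_array($permission, $this->rolePermissions[$role], true)) {
                return true;
            }
        }
        return false; // default deny: unknown user, no roles, or no matching permission
    }

    /** Ends the request with 403 unless the permission is held (same shape as PHP-RBAC's enforce()). */
    public function enforce(string $permission, int $userId): void
    {
        if (!$this->check($permission, $userId)) {
            header('HTTP/1.1 403 Forbidden');
            exit;
        }
    }
}

// Constructed roles and users (not the talk's data).
$rbac = new Rbac();
$rbac->addRole('support_agent', ['tickets_view', 'tickets_reply']);
$rbac->addRole('downloads_manager', ['tickets_view', 'downloads_read']);
$rbac->assignRole(42, 'support_agent');
$rbac->assignRole(7, 'downloads_manager');

var_dump($rbac->check('downloads_read', 7));   // bool(true): role grants it
var_dump($rbac->check('downloads_read', 42));  // bool(false): wrong role
var_dump($rbac->check('downloads_read', 999)); // bool(false): unknown user, default deny

// In the download handler the subject is the authenticated user from the session,
// never a constant such as 105:
//   $rbac->enforce('downloads_read', (int) $_SESSION['user_id']);
```

The check fails closed: a user with no roles, a role with no permissions, or a typo in the permission name all produce a denial rather than an accidental grant.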

Slide 17

Attribute-based Access Control (ABAC)

Attribute-based access control, also known as policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. (Wikipedia)

Slide 18

Attribute-based Access Control

- Users can still be assigned to one or more roles
- Resources (and users) have specific attributes
- Users (or roles) have applied policies that use these attributes to allow or block access
- Policies are evaluated at request time based on current attributes

Slide 19

Attribute-based Access Control

Slide 20

For example ...

if (! isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

$user = new \User($_SESSION['user_id']);
$filename = basename($_POST['filename']);
$download = new \Download($filename);

$abac = \PhpAbac\AbacFactory::getAbac();
// Request-time attribute: who authored the report being requested
$attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]];

// The 'downloads-access' policy is evaluated against user, resource and attributes
if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
// ...
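The policy evaluation behind slide 18 and the `downloads-access` check in the slide above, as an added self-contained example. It is not code from the talk or from the PHP-ABAC library: the `Subject` and `Resource` classes, the rule contents, the deny-overrides combining order, and the sample users and files are all constructed for illustration.

```php
<?php
// Added example, not from the talk or PHP-ABAC: attributes on the user, the resource
// and the request environment are combined by policy rules evaluated at request time.
declare(strict_types=1);

final class Subject
{
    public function __construct(public int $id, public array $roles, public string $department) {}
}

final class Resource
{
    public function __construct(public string $name, public int $ownerId, public string $department, public string $classification) {}
}

final class Abac
{
    /** @var array<string, array<string, list<callable>>> policy => ['allow' => rules, 'deny' => rules] */
    private array $policies = [];

    public function addAllowRule(string $policy, callable $rule): void
    {
        $this->policies[$policy]['allow'][] = $rule;
    }

    public function addDenyRule(string $policy, callable $rule): void
    {
        $this->policies[$policy]['deny'][] = $rule;
    }

    /** Deny-overrides: any matching deny rule wins; else any matching allow rule grants; else default deny. */
    public function enforce(string $policy, Subject $user, Resource $resource, array $env = []): bool
    {
        $p = $this->policies[$policy] ?? [];
        foreach ($p['deny'] ?? [] as $rule) {
            if ($rule($user, $resource, $env)) {
                return false;
            }
        }
        foreach ($p['allow'] ?? [] as $rule) {
            if ($rule($user, $resource, $env)) {
                return true;
            }
        }
        return false;
    }
}

$abac = new Abac();
// Dynamic attribute on the request (the slide's 'report-author'): the file's owner may read it.
$abac->addAllowRule('downloads-access',
    fn(Subject $u, Resource $r, array $env) => $r->ownerId === ($env['report-author'] ?? null));
// Roles are still an attribute: a downloads_manager may read their own department's files.
$abac->addAllowRule('downloads-access',
    fn(Subject $u, Resource $r, array $env) => in_array('downloads_manager', $u->roles, true)
        && $u->department === $r->department);
// Environmental attribute with deny-overrides: restricted files are never served outside office hours.
$abac->addDenyRule('downloads-access',
    fn(Subject $u, Resource $r, array $env) => $r->classification === 'restricted'
        && !($env['office-hours'] ?? false));

// Constructed users and files.
$alice   = new Subject(7, ['downloads_manager'], 'support');
$bob     = new Subject(42, [], 'support');
$report  = new Resource('q3-report.pdf', 42, 'support', 'internal');
$payroll = new Resource('payroll.csv', 7, 'finance', 'restricted');

var_dump($abac->enforce('downloads-access', $bob, $report, ['report-author' => $bob->id]));   // bool(true): owner
var_dump($abac->enforce('downloads-access', $alice, $report));                                // bool(true): manager, same department
var_dump($abac->enforce('downloads-access', $alice, $payroll,
    ['report-author' => $alice->id, 'office-hours' => false]));                               // bool(false): deny rule overrides ownership
var_dump($abac->enforce('downloads-access', $bob, $payroll, ['office-hours' => true]));       // bool(false): no rule matches, default deny
```

Because the rules read attributes at call time, changing a file's classification or a user's department changes the decision on the next request without touching role assignments, which is the property slide 18 describes.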

Slide 23

Risk-based Access Control

- In general, built upon an attribute-based system
- Leverages attributes that quantify risk
  ● How did the user authenticate?
  ● When and from where did they authenticate?
  ● How risky is the operation being performed?
- Effectively adds environmental info to the system
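The three questions on this slide turned into a scored decision, as an added example that is not from the talk. The attribute names, the point values, the thresholds and the sample requests are all constructed; a real deployment would tune them from its own threat model rather than copy these numbers.

```php
<?php
// Added example, not from the talk: environmental attributes scored into a risk value,
// then mapped to allow / step-up / deny. Weights and thresholds are illustrative.
declare(strict_types=1);

/** Risk points for one request; higher is riskier. */
function riskScore(array $ctx): int
{
    $score = 0;

    // How did the user authenticate?
    $score += match ($ctx['auth_method']) {
        'mfa'      => 0,
        'sso'      => 15,
        'password' => 30,
        default    => 50, // unknown method: treat as risky
    };

    // When and from where did they authenticate?
    if ($ctx['new_device']) {
        $score += 25;
    }
    if ($ctx['new_country']) {
        $score += 25;
    }
    if ($ctx['hours_since_auth'] > 8) {
        $score += 10; // stale session
    }

    // How risky is the operation being performed?
    $score += match ($ctx['operation']) {
        'view'       => 0,
        'download'   => 10,
        'delete'     => 30,
        'export_all' => 40,
        default      => 20,
    };

    return $score;
}

/** Map a score to a decision: allow, require step-up (re-authenticate with MFA), or deny. */
function riskDecision(array $ctx): string
{
    $score = riskScore($ctx);
    if ($score >= 70) {
        return 'deny';
    }
    if ($score >= 35) {
        return 'step-up';
    }
    return 'allow';
}

// Constructed requests; array union (+) keeps the overriding keys on the left.
$base = [
    'auth_method'      => 'mfa',
    'new_device'       => false,
    'new_country'      => false,
    'hours_since_auth' => 1,
    'operation'        => 'download',
];

echo riskDecision($base), "\n";                                                      // allow   (score 10)
echo riskDecision(['auth_method' => 'password', 'new_device' => true] + $base), "\n"; // step-up (score 65)
echo riskDecision(['auth_method' => 'password', 'operation' => 'export_all'] + $base), "\n"; // deny (score 70)
```

The same operation ends in three different outcomes depending only on the environment around the request, which is what distinguishes this from the static role and attribute checks on the earlier slides.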

Slide 24

Final Items to Consider

- What does your application do?
- Who has access to the application?
- What is the potential impact of a breach?
- What is your overall threat model?

Slide 25

Questions?

Slide 26

Thank you!

Please rate our talk: https://joind.in/talk/8b428