Lions and tigers and handling user capabilities

LIONS AND TIGERS AND HANDLING USER CAPABILITIES

HI, I’M TIFFANY @THEOPHANI

LIONS AND TIGERS AND HANDLING USER CAPABILITIES

(EXAMPLES)

ON A HUNT FOR WAYS TO APPROACH USER CAPABILITIES

PART I THE UX OF USER CAPABILITIES PART II IMPLEMENTING
USER CAPABILITIES

PART I THE UX OF USER CAPABILITIES

GOOD USER CAPABILITY UX HELPS PEOPLE TO 1. AVOID MISTAKES
2. UNDERSTAND THEIR CAPABILITIES 3. EASILY MANAGE PERMISSIONS

WHY ADD USER ACCESS RESTRICTIONS TO A SYSTEM ANYWAY?

PEOPLE SHOULD NOT BE ABLE TO DO THINGS THAT THEY
ARE NOT ALLOWED DO

PEOPLE SHOULD NOT BE ABLE TO DO THINGS THAT THEY
DO NOT NEED TO DO

THIS IS KNOWN AS THE PRINCIPLE OF LEAST PRIVILEGE

Following this principle limits the potential damage of any security
breach, whether accidental or malicious.

GOOD USER CAPABILITY UX HELPS PEOPLE TO 2. UNDERSTAND THEIR
CAPABILITIES

INTERACTION DESIGN ASKS HOW DOES THE USER: affect change? understand
the change? understand what they can change?

INTERACTION DESIGN ASKS HOW DOES THE USER: affect change? understand
the change? → understand what they can change? ←

YOUR UI MUST COMMUNICATE WHAT THE PERSON CAN DO

YOUR UI MUST NOT COMMUNICATE THAT THE PERSON CAN DO
SOMETHING THEY CAN’T

GOOD USER CAPABILITY UX HELPS PEOPLE TO 3. EASILY MANAGE
PERMISSIONS

FIRST, SOME DEFINITIONS

SUBJECT, OBJECT, OPERATION & PERMISSION, CAPABILITY

SUBJECT: ACTIVE ENTITY, SUCH A USER OR A PROCESS.

OBJECT: THING THE SUBJECT ACTS UPON.

OPERATION: ACTION ATTEMPTED BY THE SUBJECT ON THE OBJECT.

PERMISSION: THE RIGHT TO PERFORM THE OPERATION.

CAPABILITY: ALLOWED OPERATION THE SUBJECT HAS PERMISSION TO PERFORM ON
AN OBJECT.

SUBJECT: PERSON OBJECT: THING OPERATION: ACTION PERMISSION: GIVES CAPABILITY TO
A PERSON TO PERFORM AN ACTION ON A THING

ACL , RBAC ACL: ACCESS CONTROL LIST RBAC: ROLE-BASED ACCESS
CONTROL

ACL ACCESS CONTROL LIST

ACCESS CONTROL LIST

THE UX OF MAINTAINING AN ACCESS CONTROL LIST

HOW DO YOU KNOW WHICH ACTIONS TO ALLOW ON WHICH
THINGS?

WHAT IF YOU NEEDED TO UPDATE SUCH A LIST?

NOT GOOD UX

PERMISSION GROUPS?

ROLE-BASED ACCESS CONTROL TO THE RESCUE!

RBAC ROLE-BASED ACCESS CONTROL

ROLE: JOB FUNCTION IN AN ORGANIZATION

ROLE: COLLECTION OF CAPABILITIES

PEOPLE CAN HAVE MORE THAN ONE ROLE

WHEN A ROLE IS CHANGED, PEOPLE’S CAPABILITIES CHANGE TOO

ROLE-BASED ACCESS CONTROL or ACCESS CONTROL LISTS?

BAD UX LEADS TO MISTAKES

MISTAKES CAN LEAD TO VIOLATIONS OF THE PRINCIPLE OF LEAST
PRIVILEGE

ROLE-BASED ACCESS CONTROL is better UX than ACCESS CONTROL LISTS

RECAP PART I

2. UNDERSTAND THEIR CAPABILITIES 3. EASILY MANAGE PERMISSIONS

1. AVOID MISTAKES BY FOLLOWING THE PRINCIPLE OF LEAST PRIVILEGE

PEOPLE SHOULD BE ABLE TO 2. UNDERSTAND THEIR CAPABILITIES BECAUSE
YOUR IU COMMUNICATES THEM

3. EASILY MANAGE PERMISSIONS BY USING ROLE-BASED ACCESS CONTROL

PART II IMPLEMENTING USER CAPABILITIES

BUT FIRST, MY ASSUMPTIONS

▸ Client-side rendered apps, ▸ that use REST APIs to
load and save data asynchronously, ▸ and the server can tell the client details about the authenticated user. (Though, same ideas can apply to server-side rendered views)

IMPLEMENTATION CONSTRAINTS: 1. ONLY GRANT NECESSARY CAPABILITIES 2. UI MUST
COMMUNICATE CAPABILITIES 3. USE ROLE-BASED ACCESS CONTROL

0. THE SERVER-SIDE MUST ENFORCE THE RESTRICTIONS

THE SERVER-SIDE MUST ENFORCE THE RESTRICTIONS ← OR ELSE STUFF
LIKE THIS IS POSSIBLE

THE SERVER-SIDE MUST ENFORCE THE RESTRICTIONS, AND THE CLIENT-SIDE MUST
REFLECT THE RESTRICTIONS

// Don’t do this if ( "Junior Warehouse Clerk" in
user.roles || "Warehouse Clerk" in user.roles || "Warehouse Manager" in user.roles ) { // Show "View Orders" button ... }

// Do it like this! if ( "view orders" in
user.capabilities ) { // Show "View Orders" button ... }

$.ajax( url: "/_api/me/capabilities", success: function (response) { user.capabilities = response.capabilities
} })

// Checking for one capability if ( "view orders" in
user.capabilities ) { // Show "View Orders" button ... }

// Checking for more than one capability if ( "view
orders" in user.capabilities || "edit orders" in user.capabilities || "manage customers" in user.capabilities ) { // Show drop down menu icon ... }

[ THIS KIND OF ] CAPABILITY CHECKING IS ADDITIVE

can ( user, ["view orders"] ) // returns true if
user can view orders can ( user, ["action one", "action two", "action three"] ) // returns true if the user can do any of the actions

function can (user, requiredCapabilities) { return requiredCapabilities.some(function (capability) { return
capability in user.capabilities }) }

if ( can (user, ["do something"]) ) { // ...
}

if ( can (user, ["do action", "do another action"]) )
{ // ... }

WHAT ABOUT “LOGIC-LESS” TEMPLATES?

// in your view code mustache.render(template, { can: user.capabilities, //
... })  {{#can.viewOrders}} <a link=“/orders">View Orders</a> {{/can.viewOrders}}

<nav> {{#can.viewOrders}} <a link="/orders">View Orders</a> {{/can.viewOrders}} {{#can.createOrders}} <a link="/orders/new">Add Order</a>
{{/can.createOrders}} </nav>

{{#can.viewOrders}} {{#can.createOrders}} <nav> ... </nav>
{{/can.createOrders}} {{/can.viewOrders}}

// Augment capabilities with view-specific ones if ( can(user, ["view
orders", "create orders"]) ) { user.capabilities.viewMenu = true; } mustache.render(template, { can: user.capabilities, // ... })

{{#can.viewMenu}} <nav> ... </nav> {{/can.viewMenu}}

{{#can
"viewOrders editOrder"}} <nav> ... </nav> {{/can}} // Define the block helper ... function canBlockHelper (requiredCapabilities, options) { // ... return hasSomeCapabilities ? options.fn(this) : "" } // ... and register it as “can” Handlebars.registerHelper("can", canBlockHelper);

{{#can "viewOrders editOrder"}} <nav> {{#can "viewOrders"}} <a link="/orders">View Orders</a> {{/can}}
{{#can "createOrders"}} <a link="/orders/new">Add Order</a> {{/can}} </nav> {{/can}}

# Use the same kind of “can” per route server-side
get "/_api/orders" can ( user, "view orders" ) do # ... end end post "/_api/orders" can ( user, "add orders" ) do # ... end end

IN CONCLUSION …

IMPLEMENTATION CONSTRAINTS: 1. ONLY GRANT NECESSARY CAPABILITIES 2. UI MUST
COMMUNICATE CAPABILITIES 3. USE ROLE-BASED ACCESS CONTROL

CONSIDER WHEN IMPLEMENTING: 1. ENFORCE IN BOTH SERVER AND CLIENT
BUT MAKE THE SERVER THE AUTHORITY 2. CHECK AGAINST CAPABILITIES, NOT ROLES

THANK YOU! TIFFANY CONROY – @THEOPHANI

Lions and tigers and handling user capabilities

Lions and tigers and handling user capabilities

More Decks by Tiffany Conroy

Other Decks in Programming

Featured

Transcript