Alternatives for Roles/Claims Access Control Systems

abac access-control authorization entity-framework-6


I'm creating a REST API for a growing system, and Role/Claims access control generally functions flawlessly in this manner:

[Authorization(Type = AuthorizationType.Admin, Permission = Permission.StoreSettings)]
public IHttpActionResult GetSettings() { /*...*/ }

A problem arises when I have users who, for instance, have deeper access control options, as seen in the figure below. This is a simplified illustration of the system.

[Figure: User Types]

It is pretty simple to query something in one particular area, but when I need to get all Items from Departments I'm forced to write the same ugly code again and again, and I can't actually reuse it. This isn't real code, but it looks like this:

Db.Items.Where(i =>
    i.Stores.Any(s => s.CityId == User.CityId) &&
    Db.UserDepartmentRights.Any(udr => udr.UserId == User.UserId && i.DepartmentId == udr.DepartmentId));

It is clearly ugly and quite hard to maintain, especially if I need to add another level to the system.

Is there a framework that can manage this, or a codified architecture that I can use?

4/19/2016 3:41:57 PM

Accepted Answer

Yes, there is. ABAC, or attribute-based access control, is a model that does this.

Introduction to ABAC

ABAC is the evolution of RBAC (role-based access control). In the claims-based paradigm you apply RBAC by giving users roles and permissions. RBAC works well in small, straightforward deployments but frequently fails when scaling up or when you have relationships. In your situation, you want to describe access control in terms of the relationship between users and stores.

Both the ABAC and RBAC models have been defined by the National Institute of Standards and Technology (NIST).

ABAC Constructs

ABAC has two main kinds of constructs:

  • Attributes. Anything and anybody can have attributes. They usually fall into 4 categories or functions (as in grammatical function):
    • Subject attributes: characteristics of the person trying to gain access, such as age, clearance, department, role, and job title.
    • Action attributes: characteristics that describe the action being attempted, such as read, delete, view, and approve.
    • Resource (or object) attributes: characteristics of the object being accessed, such as the department, classification or level of sensitivity, location, and object type (medical record, bank account, etc.).
    • Contextual (environment) attributes: characteristics that relate to the context of the access control scenario, such as time, place, or dynamic elements.
  • Policies. Policies are statements that combine attributes to describe what is permitted and what is not. ABAC has both permit and deny policies. Examples include:
    • A user may view a document if the document is in the same department as the user.
    • A user may edit a document if they are its owner and the document is in draft status.
    • Deny access before 9:00am.

With ABAC you can define as many policies as you like, covering as many distinct cases as you want.

ABAC Architecture

The following is the suggested architecture for ABAC:

[Figure: ABAC / XACML Architecture]

  • The PEP, or Policy Enforcement Point, protects the apps and data you want to apply ABAC to. In your case it would probably be an interceptor (e.g. a .NET MessageHandler). The PEP inspects the request, builds an authorization request from it, and sends it to the PDP.
  • The PDP, or Policy Decision Point, is the brain of the architecture. This component evaluates incoming requests against the policies it has been configured with. The PDP returns a Permit or Deny decision. The PDP may also use PIPs to retrieve missing metadata.
  • The PIP, or Policy Information Point, connects the PDP to external sources of attribute data such as databases or LDAP servers.

Implementations of ABAC

The eXtensible Access Control Markup Language, or XACML, is the main standard that implements ABAC today. It is a technology-neutral approach to fine-grained access control. There are several implementations of XACML today:

Read more

There are a few good websites you can use.

4/19/2016 12:26:19 PM
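As an added example, not code from the original answer, the question, or any XACML product, here is a language-neutral model in Python of the constructs (attributes and permit/deny policies) and the PEP/PDP/PIP architecture described in the accepted answer, applied to the question's Items/Departments/Stores rule. The user and item records, the USER_DEPARTMENT_RIGHTS table (standing in for the question's Db.UserDepartmentRights), the policy names, and the pep_filter and department_rights_pip functions are all constructed for illustration; the deny-overrides combining rule and default deny are design choices made here, not something the answer prescribes.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, Iterable, List

# Constructed stand-in for the question's Db.UserDepartmentRights table
# (sample data made up for this example).
USER_DEPARTMENT_RIGHTS: Dict[str, set] = {
    "alice": {"sales", "support"},
    "bob": {"support"},
}


@dataclass(frozen=True)
class Request:
    """One authorization request, carrying the four attribute categories."""
    subject: dict        # who is asking (user id, city, department rights, ...)
    action: str          # what they want to do: "view", "edit", ...
    resource: dict       # what they want to do it to (item, document, ...)
    environment: dict    # context such as the current time


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                            # "permit" or "deny"
    target: Callable[[Request], bool]      # does this policy apply to the request?
    condition: Callable[[Request], bool]   # does the attribute comparison hold?


def department_rights_pip(req: Request) -> Request:
    """PIP: adds the subject's department rights from the 'database'
    when the PEP did not supply them (hypothetical lookup)."""
    if "departments" in req.subject:
        return req
    subject = dict(req.subject)
    subject["departments"] = USER_DEPARTMENT_RIGHTS.get(subject["user_id"], set())
    return Request(subject, req.action, req.resource, req.environment)


class PolicyDecisionPoint:
    """PDP: evaluates policies with deny-overrides combining and default deny."""

    def __init__(self, policies: Iterable[Policy], pips: Iterable[Callable] = ()):
        self.policies = list(policies)
        self.pips = list(pips)

    def decide(self, req: Request) -> str:
        for pip in self.pips:              # fetch missing attributes first
            req = pip(req)
        decision = "deny"                  # no applicable permit -> deny
        for policy in self.policies:
            if not policy.target(req) or not policy.condition(req):
                continue
            if policy.effect == "deny":
                return "deny"              # any applicable deny wins
            decision = "permit"
        return decision


POLICIES = [
    # The answer's example: deny access before 9:00am (environment attribute).
    Policy("deny-before-9am", "deny",
           target=lambda r: True,
           condition=lambda r: r.environment["time"] < time(9, 0)),
    # The question's rule as a policy: a user may view an item if it is in a
    # store in the user's city and in a department the user has rights to.
    Policy("view-item-in-own-city-and-department", "permit",
           target=lambda r: r.action == "view" and r.resource["type"] == "item",
           condition=lambda r: r.resource["city_id"] == r.subject["city_id"]
           and r.resource["department"] in r.subject["departments"]),
    # The answer's example: the owner may edit a document while it is a draft.
    Policy("edit-own-draft", "permit",
           target=lambda r: r.action == "edit" and r.resource["type"] == "document",
           condition=lambda r: r.resource["owner"] == r.subject["user_id"]
           and r.resource["status"] == "draft"),
]


def pep_filter(pdp: PolicyDecisionPoint, subject: dict, action: str,
               resources: Iterable[dict], environment: dict) -> List[dict]:
    """PEP: one reusable filter instead of a hand-written query per endpoint."""
    return [r for r in resources
            if pdp.decide(Request(subject, action, r, environment)) == "permit"]


def run_demo() -> dict:
    pdp = PolicyDecisionPoint(POLICIES, pips=[department_rights_pip])
    alice = {"user_id": "alice", "city_id": 1}                  # constructed user
    items = [                                                   # constructed items
        {"type": "item", "id": 1, "city_id": 1, "department": "sales"},
        {"type": "item", "id": 2, "city_id": 2, "department": "sales"},  # other city
        {"type": "item", "id": 3, "city_id": 1, "department": "hr"},     # no right
    ]
    office_hours, early = {"time": time(10, 0)}, {"time": time(8, 30)}
    draft = {"type": "document", "owner": "alice", "status": "draft"}
    final = {"type": "document", "owner": "alice", "status": "final"}
    return {
        "visible_ids": [i["id"] for i in pep_filter(pdp, alice, "view", items, office_hours)],
        "early_ids": [i["id"] for i in pep_filter(pdp, alice, "view", items, early)],
        "edit_draft": pdp.decide(Request(alice, "edit", draft, office_hours)),
        "edit_final": pdp.decide(Request(alice, "edit", final, office_hours)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two caveats for the question's EF6 setting: this PEP filters already-loaded rows, so a real interceptor would either evaluate the decision per request on a single resource or translate the policy into a query expression so that the database does the filtering; and the PIP here hits its "database" once per decision, which is exactly where a caching layer sits in production XACML deployments.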

Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow