7

I want to implement a security system into my web-based Intranet application which allows security administrators to 'fine-tune' exactly what type of access a user/role has to an object. For example, an ACL-based solution might allow a receptionist access to Create, Read and Update an appointment but not Delete it, similarly I might be able to let user Bob only Read or Comment on a company memo, but not Create, Update or Delete them.

However, how would I go about allowing a receptionist only to make appointments within opening hours? How would I restrict appointments to dates from today to one month from now? What about Bob - how would I let him Create a memo after he had gained enough 'respect' points (a bit like on here)?

Crucially, how can I keep these values dynamic (opening hours, date restrictions, respect points, some new constraint) so that I don't hard-code them into the application? Can anyone recommend a method (or framework, book to read etc) so that I can let the administrator create and manage these roles and their constraints rather than the programmer?

The existing ACL and role-based systems I've seen don't seem to offer any way to deal with constraints - you either have access or you don't!

Thanks

boatingcow

4 Answers

6

I don't know what frameworks are available for the technologies you use, but as a generic solution you could use a rule-based system to express and evaluate permissions.

The rules could be something like:

IF CurrentUser.IsInRole("Receptionists") AND CurrentTime.IsOpeningHour() 
THEN GrantSomePermission()

IF CurrentUser.IsManager() OR (CurrentUser.IsLead() AND CurrentUser.NotInGroup("X"))
THEN DenySomething()

The admin would need to create them. This could be either through a minimalistic language and editor or through a simple UI similar to the ones where you build queries (add conditions, group them, select operators, etc.).

The drawback of such an approach is finding the issue when something goes wrong. Debugging such rules might be tricky. Also, execution order of the rules could be a challenge.

Victor Hurdugaci
1

As @victor has pointed out, rule-based authorization systems allow you to fine-tune access to your users' actions by controlling arbitrary attributes for each user.

In the Ruby on Rails world there is e.g. declarative_authorization that can serve as an example on how the rules interact with the roles your users have. You can take it as an example on what can be done and how to use rule-based authorization in an MVC framework.

Regarding dynamic rules: you can read any data-source during authorization check (e.g. opening hours in a 'settings' table in your database).

NB: rule-based systems can get very complex really fast when adding rules (and/or roles). So, thorough (automated) testing is the way to go.

kr1
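A worked version of the rule-based approach Victor describes, combined with kr1's point that the constraints themselves can be read from a data source at check time. This is added illustration code, not from either answer and not any framework's API; the policy JSON (standing in for a settings/rules table), the condition names, the action strings and the request fields are all constructed for the example:

```python
import json
from datetime import datetime

# Constructed policy data standing in for rows in a 'settings'/'rules' table:
# an administrator edits this, the code below never changes.
POLICY_JSON = """
{
  "settings": {"open_hour": 9, "close_hour": 17,
               "max_days_ahead": 30, "min_memo_points": 50},
  "rules": [
    {"action": "appointment:create", "role": "receptionist",
     "when": ["within_opening_hours", "within_booking_window"]},
    {"action": "memo:create", "role": "*", "when": ["enough_points"]},
    {"action": "memo:read", "role": "*", "when": []}
  ]
}
"""

# Condition library: name -> predicate over (request, settings). A new kind of
# constraint is one entry here, then referenced by name from the policy data.
CONDITIONS = {
    "within_opening_hours": lambda r, s:
        s["open_hour"] <= r["when"].hour < s["close_hour"],
    "within_booking_window": lambda r, s:
        0 <= (r["when"].date() - r["now"].date()).days <= s["max_days_ahead"],
    "enough_points": lambda r, s: r["user"]["points"] >= s["min_memo_points"],
}

def is_allowed(policy, request):
    """Default deny: True only if a rule matches action and role and every
    named condition holds; unknown conditions or missing attributes fail closed."""
    settings = policy["settings"]
    for rule in policy["rules"]:
        if rule["action"] != request["action"]:
            continue
        if rule["role"] != "*" and rule["role"] not in request["user"]["roles"]:
            continue
        try:
            if all(CONDITIONS[name](request, settings) for name in rule["when"]):
                return True
        except (KeyError, AttributeError, TypeError):
            continue  # this rule cannot be evaluated, so it grants nothing
    return False

def decide(action, user, when_iso, now_iso, policy_text=POLICY_JSON):
    """Build a request from ISO-8601 timestamps and evaluate it against the policy."""
    request = {"action": action, "user": user,
               "when": datetime.fromisoformat(when_iso),
               "now": datetime.fromisoformat(now_iso)}
    return is_allowed(json.loads(policy_text), request)
```

Changing a number in the policy data (say `close_hour`) changes the decision without touching code, which is the part the administrator gets to own; the condition library is the part that still needs a programmer and a test suite.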
1

You could simply add methods to your user object:

// Fields assumed on the user object (not shown in the original answer);
// isBusinessHour(Date) and daysDiff(Date, Date) are assumed helper methods.
private boolean makeAnyAppointment;   // privileged users bypass the constraints
private int reputationPoints;
private static final int MIN_MEMO_POINTS = 50; // placeholder threshold

public boolean makeAppointmentsWhileOpen(Date d) {
    // allowed anytime for privileged users, otherwise only during opening hours
    return this.makeAnyAppointment || isBusinessHour(d);
}

public boolean makeAppointmentFor(Date d) {
    // allowed for any date for privileged users, otherwise only within the next 30 days
    return this.makeAnyAppointment || daysDiff(d, new Date()) < 30;
}

public boolean createMemo() {
    // enough reputation points unlocks memo creation
    return this.reputationPoints >= MIN_MEMO_POINTS;
}

What I'm saying is that you don't need a framework to model permissions rules. If a framework works for your needs, that's great. If it doesn't, just add the necessary fields to your user database table or calculate permissions on-the-fly from other fields as above.

As with any permissions system, testing is critical.

GlenPeterson
0

You may want to google for the term "ABAC" (Access based access control)

Definition (wikipedia): Attribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.). This model supports Boolean logic, in which rules contain "IF, THEN" statements about who is making the request, the resource, and the action. For example: IF the requestor is a manager, THEN allow read/write access to sensitive data. (wikipedia)

Typical use case: An orthopedist has little use of a patient’s medical history, unless it pertains to specific muscle disorders, while an anesthetist has little interest in a patient’s muscle disorders, but requires info on past surgery and / or patient allergies, prior to an operation. Source: http://www.axiomatics.com/industry/health-care/180-secure-information-sharing-amongst-healthcare-professionals.html

Interesting additional resources:

Note: Axiomatics AB, Sweden seems to be a company that was involved in developing the OASIS standard "XACML" and acts now as a commercial consultant.

OneWorld