
Question: Is there any standard model or industry defacto implementation for modeling and implementing Access Control in (i.e.) a Document Management System?

Note: I studied a bit the security mechanism of Windows (which I do not want to use), and I saw Users and Groups and Policies.

But I can't understand:

1 - How a single policy object can contain all information about allowed/denied actions on a subject for all users and groups, at a specific moment of time.

2 - How multiple policies on a specific subject, merge into one to provide least possible access.

3 - What is the mechanism (data structures, database, caching, implementation) of hierarchical resources like folders? Those kinds of queries are usually slow.

Kaveh Shahbazian

1 Answer


Yes, there is.

There are two parts to this:

  • First of all there is an authorization model called attribute-based access control or ABAC. ABAC extends the capabilities of the more well-known role-based access control model or RBAC. RBAC is user-centric and doesn't cater for the use cases you have. ABAC can help you write policies that take into account user, resource, action, and context attributes e.g. a manager can edit the document he/she owns or a manager can view all the documents that are draft and belong to the same department.
  • Secondly, there is a standard called XACML (eXtensible Access Control Markup Language) which implements ABAC in a technology-neutral way. XACML defines:
    • an architecture with the notion of a policy enforcement point and policy decision point.
    • a request/response scheme
    • an attribute-based policy language

You can read more on both topics at:

David Brossard
  • Thanks, I've looked at the standard documentation and generated some source code based on the XSD; and yet it seems complicated, and I have not found many projects (especially open source ones) that use this standard, or rather an expected level of activity in these standards. Am I missing something? – Kaveh Shahbazian Jul 17 '14 at 16:57
  • BTW I am developing in .NET land (C# to be specific). – Kaveh Shahbazian Jul 17 '14 at 17:00
  • The company I work for - Axiomatics - provides a .NET PDP engine that you can embed w/in your .NET App. If you want free/open source, your best bet is Balana. It's in Java but it exposes a web service interface you can use. – David Brossard Jul 17 '14 at 17:20
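Added example, not code from the answer or from any XACML product: a minimal attribute-based PDP and PEP in Python that encodes the answer's two manager policies (edit the document you own; view draft documents of your own department) plus a constructed deny rule on a folder subtree, and merges the per-rule results with a deny-overrides combining algorithm, which is the kind of merge asked about in point 2 of the question. The attribute names, roles, paths and the folder-by-path-prefix convention are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Attribute bags as XACML would carry them in a request: subject, resource, action.
Attrs = Dict[str, object]
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    name: str
    effect: str  # PERMIT or DENY, applied only when the condition matches
    condition: Callable[[Attrs, Attrs, str], bool]


def evaluate_rule(rule: Rule, subject: Attrs, resource: Attrs, action: str) -> str:
    """A rule that does not match yields NotApplicable rather than Deny."""
    return rule.effect if rule.condition(subject, resource, action) else NOT_APPLICABLE


def deny_overrides(decisions: List[str]) -> str:
    """XACML-style deny-overrides: any Deny wins, then any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


# Constructed policy set (assumed attribute names: id, role, department, owner, status, path).
POLICIES = [
    Rule("manager-edits-own-document", PERMIT,
         lambda s, r, a: s["role"] == "manager" and a == "edit" and r["owner"] == s["id"]),
    Rule("manager-views-department-drafts", PERMIT,
         lambda s, r, a: s["role"] == "manager" and a == "view"
         and r["status"] == "draft" and r["department"] == s["department"]),
    # Folder hierarchy handled as a resource attribute: a rule on "/archive/" covers
    # every document whose path lies under it, so no per-file lookup is needed.
    Rule("no-edits-under-archive-folder", DENY,
         lambda s, r, a: a == "edit" and str(r["path"]).startswith("/archive/")),
]


def pdp_decide(subject: Attrs, resource: Attrs, action: str, policies=POLICIES) -> str:
    """Policy decision point: evaluate every rule, then combine."""
    return deny_overrides([evaluate_rule(p, subject, resource, action) for p in policies])


def pep_authorize(subject: Attrs, resource: Attrs, action: str) -> bool:
    """Policy enforcement point: default-deny, only an explicit Permit grants access."""
    return pdp_decide(subject, resource, action) == PERMIT
```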