Questions tagged [access-control]

69 questions
69 votes, 3 answers

Role vs Permission Based Access Control

I'm trying to understand the inherent tradeoff between roles and permissions when it comes to access control (authorization). Let's start with a given: in our system, a Permission will be a fine-grained unit of access ("Edit resource X", "Access the…
smeeb
31 votes, 6 answers

Dynamic Code Evaluation in Java - Clever or Sloppy?

I am trying to create a flexible ACL framework in Java for my application. Many ACL frameworks are built on a whitelist of rules, where a rule is in the form of owner:action:resource. For example, "JOHN can VIEW resource FOOBAR-1" "MARY can VIEW…
Twittopher
30 votes, 2 answers

How to design role based access control?

I am trying to follow the role-based access control model to restrict what users can or cannot do in my system. So far I have the following entities: users - People who will use the system. Here I have usernames and passwords. roles - Collection…
27 votes, 6 answers

Is it ok to have validation layer before access control layer

I am creating an API structured web application and in this application we have different layers which are doing their own job. First layer is Validation layer which validates user input and if it passes the validation we move that to second layer…
Muhammad
19 votes, 1 answer

What is a suggested roadmap towards implementation of a simple Attribute-based access control (ABAC)?

When reading about ACL and RBAC I seem to understand it easily - there are either usernames or roles that are given access to an asset. I can also see how I could implement those. i.e. this image gives a clear view of ACL and RBAC for me (as in…
Dennis
11 votes, 4 answers

When should a private method take the public route to access private data?

When should a private method take the public route to access private data? For example, if I had this immutable 'multiplier' class (a bit contrived, I know): class Multiplier { public: Multiplier(int a, int b) : a(a), b(b) { } int getA()…
10 votes, 2 answers

Standard practices for access control (design pattern)

I'm looking at my interface design and I am struggling to decide which is the most "correct" way to implement role-based access control, given a user and a subject that the user would like to access. As far as I can see I have three core options…
kwah
9 votes, 3 answers

Is it a good idea to const-qualify the fields of structure in C?

Consider the following program: #include #include typedef struct S_s { const int _a; } S_t; S_t * create_S(void) { return calloc(sizeof(S_t), 1); } void destroy_S(S_t *s) { free(s); } const int get_S_a(const S_t…
Michael Pankov
8 votes, 1 answer

How best to design Access Control Layer in n-tier architecture application

This is a typical architecture scenario for a 3-tier design: UI-tier Has Graphical User Interface components Middle-tier Has business logic including the following layers: Data Access Layer (DAL) Access Control Data-tier Typically your database…
8 votes, 2 answers

Is XACML actually used and implemented?

I have been working for quite a lot of time on a research project at University focused on Access Control. More specifically, I am studying how to protect unauthorized access to personal data in a distributed system and in general in the…
giada
7 votes, 4 answers

Should access control be implemented in controller or repository layer?

I've got a project with an HTTP API which returns data from a database. The layers it goes through to get to the API look like this: DB -> Repository -> Controller I'm looking to restrict the results which are returned based on the permissions of…
Joundill
7 votes, 1 answer

What is the nicest (user-friendliest) way to tell a user about "Access Denied" error?

Our software implements a layer of role-based security to secure data access, in the form of access control lists. Whenever a user tries to do something that isn't allowed, the software layer will receive an "access denied" error code or…
rwong
6 votes, 1 answer

Methodologies for Managing Users and Access?

This is something I'm having a hard time getting my head around. I think I might be making it more complicated than it is. What I'm trying to do is develop a method to store users in a database with varying levels of access, throughout different…
developer1234
5 votes, 2 answers

Authorization checks without littering them in code

My team is currently trying to design an authorization system that can be used in any language (Think authorization as a service). One thing I'm trying to figure out is if there is a good way to write authorization checks without littering them all…
5 votes, 4 answers

Why do organizations limit source code access to engineers?

Most organizations restrict access to the source code to engineers, and even at places like Google, the Android source code is kept off-limits to most engineers within the company. Why? Note: I am not talking about write access for everyone in the…
Kevin Burke