Access rights
Anonim, 2018-07-06 13:03:06

What should the implementation of a flexible access control system look like?

Greetings. I have my own API, and I want to implement fairly flexible access control for its methods. I have different user types (administrator, moderator, ...) that can be created and deleted dynamically, and the permission level available to each user type can be edited. Each user type has its own priority.
Here are some abstract examples that I want the access control system to support:
- a moderator can ban users who are below him in priority.
- the user can edit his messages, the moderator can edit both his own and other people's messages.
- the moderator can delete messages not in all conversations, but only in those pre-selected by the administrator.
I looked at the role-based access control (RBAC) model, but it only lets me determine whether user type X can call method Y. That is not enough: everyone can call the messages.edit method, but with different rights: users can edit their own messages, moderators any messages. Is it possible to modify RBAC somehow to support such things?
I read about attribute-based access control (ABAC), including on Habré, but, unlike RBAC (where the entire implementation is the permissions, roles, roles_permissions, users and users_roles tables), it is not entirely clear how to implement it in practice and whether it will be convenient to use.
I would be grateful for your ideas and recommendations. I'm interested in the very concept of how this can be done.


1 answer(s)
JhaoDa (@JhaoDa), 2018-07-06

Depends on how you want to use it. If someone needs to be able to poke at permissions in the admin panel, then this is definitely RBAC. If such a possibility is not necessary, then ACL/ABAC.
RBAC can be combined, i.e. not just check for a permission, but call some code that checks this permission in some context. For example, by analogy with the policies in Laravel.
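The combination the answer describes, as an added example that is not code from the original post or from Laravel: a plain RBAC table (role to permission set, editable from an admin panel) decides whether a role may call a method at all, and an optional per-permission policy callback then checks the call against its context (message ownership, relative priority, administrator-selected conversations), covering the three scenarios in the question. Python is used here for illustration; the role names, permission strings, `DELETE_SCOPE` table and sample users and messages are all constructed for this example.

```python
# Added example (not from the original post or from any framework): an RBAC
# permission table combined with contextual policy callbacks, in the spirit of
# Laravel policies. All roles, permission names and sample data are hypothetical.
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet


@dataclass(frozen=True)
class Role:
    name: str
    priority: int                  # higher wins: "ban users below me in priority"
    permissions: FrozenSet[str]    # the RBAC part, the thing an admin panel edits


@dataclass(frozen=True)
class User:
    id: int
    role: Role


@dataclass(frozen=True)
class Message:
    id: int
    author_id: int
    conversation_id: int


# A policy receives the acting user and the target object and returns a decision.
Policy = Callable[[User, Any], bool]


class AccessControl:
    """RBAC lookup first, then an optional context-aware policy. Deny by default."""

    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}

    def policy(self, permission: str) -> Callable[[Policy], Policy]:
        """Decorator that registers a contextual check for one permission."""
        def register(fn: Policy) -> Policy:
            self._policies[permission] = fn
            return fn
        return register

    def can(self, actor: User, permission: str, target: Any = None) -> bool:
        # Step 1 (RBAC): the role must hold the permission at all; unknown
        # permissions are denied here as well.
        if permission not in actor.role.permissions:
            return False
        # Step 2 (context): if a policy is registered, it has the final word.
        check = self._policies.get(permission)
        return True if check is None else bool(check(actor, target))


# --- constructed sample data (hypothetical roles, users and messages) ---
ROLES: Dict[str, Role] = {
    "user": Role("user", 10, frozenset({"messages.edit"})),
    "moderator": Role("moderator", 50, frozenset(
        {"messages.edit", "messages.edit.any", "messages.delete", "users.ban"})),
    "admin": Role("admin", 100, frozenset(
        {"messages.edit", "messages.edit.any", "messages.delete",
         "messages.delete.any", "users.ban"})),
}

# Conversations in which a role may delete messages, chosen by the administrator.
DELETE_SCOPE: Dict[str, FrozenSet[int]] = {"moderator": frozenset({1, 2})}

AC = AccessControl()


@AC.policy("messages.edit")
def edit_policy(actor: User, msg: Message) -> bool:
    # Everyone may call messages.edit, but only on their own messages unless the
    # role also holds the broader "messages.edit.any" permission (moderators).
    return actor.id == msg.author_id or "messages.edit.any" in actor.role.permissions


@AC.policy("users.ban")
def ban_policy(actor: User, victim: User) -> bool:
    # Strictly lower priority only, so peers cannot ban each other.
    return victim.role.priority < actor.role.priority


@AC.policy("messages.delete")
def delete_policy(actor: User, msg: Message) -> bool:
    if "messages.delete.any" in actor.role.permissions:
        return True
    return msg.conversation_id in DELETE_SCOPE.get(actor.role.name, frozenset())


ALICE = User(1, ROLES["user"])
BOB = User(2, ROLES["user"])
MOD = User(3, ROLES["moderator"])
ADMIN = User(4, ROLES["admin"])
ALICE_MSG = Message(10, author_id=1, conversation_id=1)
BOB_MSG = Message(11, author_id=2, conversation_id=3)

if __name__ == "__main__":
    for actor, perm, target in [(ALICE, "messages.edit", ALICE_MSG),
                                (BOB, "messages.edit", ALICE_MSG),
                                (MOD, "messages.delete", BOB_MSG),
                                (ADMIN, "messages.delete", BOB_MSG)]:
        print(f"{actor.role.name:9} {perm:16} -> {AC.can(actor, perm, target)}")
```

Two points worth keeping in mind when wiring this into a real API: the `target` passed to a policy must be the record loaded server-side (the message's stored `author_id`, the victim's stored role), never ownership or role data taken from the request, and every method that needs context must register a policy, since a permission without one falls back to plain role-level RBAC.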
