Scribd Logo
Carica

Benvenuto in Scribd!

  • Proposal For Implementing Role Based Access Control

    Caricato da

    emezac
    126 visualizzazioni8 pagine
    Role Based Access Control

    Titolo originale

    Proposal for Implementing Role Based Access Control

    Copyright

    © © All Rights Reserved

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    Role Based Access Control

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    126 visualizzazioni8 pagine

    Proposal For Implementing Role Based Access Control

    Caricato da

    emezac
    Role Based Access Control

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 8

    Proposal for Implementing Role Based Access Contro

    Admios Dashboard
    Role-Based Access Control Models for : RBAC approach

    Team:@ Luis Araya, @Henrique Cardoso, @Cristiano Amici, @Ricardo


    Chavarria @ Enrique Meza

    Version 0.1
    July 7th, 2020

    The concept of role-based access control (RBAC) began with multi-user and
    multiapplication on-line systems pioneered in the 1970s. The central notion of
    RBAC is that permissions are associated with roles, and users are assigned to
    appropriate roles. This greatly simplify management of permissions. Roles are
    created for the various job functions in an organization and users are assigned
    roles based on their responsibilities and qualifications. Users can be easily
    reassigned from one role to another. Roles can be granted new permissions as new
    applications and systems are incorporated, and permissions can be revoked from
    roles as needed. A role is properly viewed as a semantic construct around which
    access control policy is formulated. The particular collection of users and
    permissions brought together by a role is transitory. The role is more stable
    because an organization's activities or functions usually change less frequently.

    Access control policy is embodied in various components of RBAC such as role


    permission, user-role and role-role relationships. These components collectively
    determine whether a particular user will be allowed to access a particular piece of
    data in the system. RBAC components may be configured directly by the system
    owner or indirectly by appropriate roles as delegated by the system owner. The
    policy enforced in a particular system is the net result of the precise configuration
    of various RBAC components as directed by the system owner. Moreover, the
    access control policy can evolve incrementally over the system life cycle, and in
    large systems it is almost certain to do so. The ability to modify policy to meet the
    changing needs of an organization is an important benefit of RBAC.
    ol for
    large systems it is almost certain to do so. The ability to modify policy to meet the
    changing needs of an organization is an important benefit of RBAC.

    RBAC mainstream model


    Layered RBAC basic model
    • RBAC0: contains RBAC core part
    • RBAC1: contains RBAC0, another role inheritance (RH)
    RBAC mainstream model
    Layered RBAC basic model
    • RBAC0: contains RBAC core part
    • RBAC1: contains RBAC0, another role inheritance (RH)
    • RBAC2: contains RBAC0, and other constraints (Constrai

    • RBAC3: Contains all levels of content and is a complete m

    For the current implementation on ADMIOS we started as RBAC0

    RBAC0 has a very simple API to interact around and create Roles and Users

    Example:

    from easyrbac import Role, Usereveryone_role = Role('everyone')

    admin_role = Role('admin')everyone_user = User(roles=[everyone_role

    admin_user = User(roles=[admin_role, everyone_role])

    For User resource access permissions allocation

    acl = AccessControlList()

    acl.resource_read_rule(everyone_role, 'GET', '/api/v1/employee/1/info')


    acl.resource_delete_rule(admin_role, 'DELETE', '/api/v1/employee/1/')

    # checking READ operation on resource for user `everyone_user`


    for user_role in [role.get_name() for role in everyone_user.get_roles()]:
    assert acl.is_read_allowed(user_role, 'GET', '/api/v1/employee/1/info') == True
    ints)
    model

    e])
    acl.resource_read_rule(everyone_role, 'GET', '/api/v1/employee/1/info')
    acl.resource_delete_rule(admin_role, 'DELETE', '/api/v1/employee/1/')

    # checking READ operation on resource for user `everyone_user`


    for user_role in [role.get_name() for role in everyone_user.get_roles()]:
    assert acl.is_read_allowed(user_role, 'GET', '/api/v1/employee/1/info') == True

    # checking WRITE operation on resource for user `everyone_user`


    # Since you have not defined the rule for the particular, it will disallow any such operation by default.
    for user_role in [role.get_name() for role in everyone_user.get_roles()]:
    assert acl.is_write_allowed(user_role, 'WRITE', '/api/v1/employee/1/info') == False

    # checking WRITE operation on resource for user `admin_user`


    for user_role in [role.get_name() for role in everyone_user.get_roles()]:
    if user_role == 'admin': # as a user can have more than one role assigned to them
    assert acl.is_delete_allowed(user_role, 'DELETE', '/api/v1/employee/1/') == True
    else:
    assert acl.is_delete_allowed(user_role, 'DELETE', '/api/v1/employee/1/') == False

    Resources:

    1. https://medium.com/@tasdikrahman/implementing-role-based-access-co
    2. https://www.comp.nus.edu.sg/~tankl/cs5322/readings/rbac1.pdf
    3. https://github.com/tasdikrahman/easyrbac
    ontrol-a2bbcb4dfdb0

    Potrebbero piacerti anche