Monday, 24 December 2018

RBAC/ABAC via XACML policies

I am studying various types of access control models and have come to know that ABAC and RBAC are the popular ones.

I have a basic scenario for one of my projects and I can't decide whether I should go with RBAC or ABAC. Obviously RBAC is a subset of ABAC, so I should definitely go for ABAC, but ABAC requires some experience to write policies in XACML. We are using WSO2 IS and APIM.

I have admin, owner and member roles in my identity server (IS).

  • Admin can view, delete and update users.
  • Owners can view and update.
  • Members can view only.

At the moment I am using HTTP verbs to achieve the desired results, i.e. owners cannot access DELETE requests and members cannot access PUT & DELETE.

Problem

I have a dashboard where I am displaying different sections like top-users, billing, services, top-consumers etc.

  1. I need to populate the nav-bar based on the user's role and attributes from the server, e.g. members should not have access to see other users (Add, List) in the nav-bar. Nav-bar items depend on the user's role, so can we manage them via RBAC?
  2. We plan to add roles like ops, marketing, support etc. Does this mean we need to create a separate db-schema to maintain access rights for each role?
  3. In the dashboard I need to hide/show the view, update and delete buttons in users, services etc. Members can see users but have no permission to update or delete them. They cannot view stats, billing and other private information.
  4. Owners can see all users related to their departments/organization, but Admin can see all the users for all departments/organizations. Here we need to consume the same API for all consumers, but the API should respond differently for different roles. There can be tens or hundreds of roles, so we cannot create a different API for each role.

Question

We can implement all these scenarios via RBAC, but for managing the nav-bar and view-related implementation we need to add business logic to our server instead of using WSO2-IS and WSO2-APIM. Is there any way to manage view permissions like hiding/showing buttons and sections, and even to consume the same API but have it return different results for different API consumers?



from RBAC/ABAC via XACML policies
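The scenario in the post, worked as one attribute-based decision point in Python. This is an added example, not code from the original post and not a WSO2 IS/APIM or XACML artifact; it mirrors the layout of a XACML policy (subject, action and resource attributes, rules that evaluate to Permit or Deny, deny-overrides combining, Deny when nothing applies) in plain Python so that the nav-bar items, the hide/show buttons and the per-role filtering of a single API all derive from the same rules. The role names, the `department` attribute, the resource names and the HTTP-verb-to-action mapping are assumptions made for the example.

```python
"""Attribute-based authorization for the admin/owner/member scenario.

Added example, not code from the original post and not a XACML/WSO2 artifact.
Rules are written against subject, action and resource attributes, evaluated
with deny-overrides and a default of Deny, which is the shape a XACML policy
set takes.  Role names, the 'department' attribute, resource names and the
verb-to-action mapping are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Optional

PERMIT, DENY = "Permit", "Deny"


@dataclass(frozen=True)
class Subject:
    username: str
    role: str           # "admin", "owner" or "member" (assumed role names)
    department: str


@dataclass(frozen=True)
class Resource:
    kind: str                           # "users", "billing", "stats" (assumed)
    department: Optional[str] = None    # set for one user record, None for the collection


# Each rule is (target, effect); target(subject, action, resource) -> bool.
RULES = [
    # Admin may perform any action on user records in any department.
    (lambda s, a, r: s.role == "admin" and r.kind == "users", PERMIT),
    # Owners may list/view/update users, but only within their own department
    # (a department of None means the collection itself, e.g. a list call).
    (lambda s, a, r: s.role == "owner" and r.kind == "users"
                     and a in {"list", "view", "update"}
                     and (r.department is None or r.department == s.department), PERMIT),
    # Members may only list/view users; nothing else on users applies, so it is denied.
    (lambda s, a, r: s.role == "member" and r.kind == "users" and a in {"list", "view"}, PERMIT),
    # Private sections are explicitly denied to members and permitted to admin/owner.
    (lambda s, a, r: s.role == "member" and r.kind in {"billing", "stats"}, DENY),
    (lambda s, a, r: s.role in {"admin", "owner"} and r.kind in {"billing", "stats"}
                     and a == "view", PERMIT),
]


def decide(subject: Subject, action: str, resource: Resource) -> str:
    """Deny-overrides: any matching Deny wins, else a matching Permit, else Deny."""
    effects = {effect for target, effect in RULES if target(subject, action, resource)}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else DENY


# --- Enforcement points that all consult the same decision function ------------

VERB_TO_ACTION = {"GET": "view", "POST": "add", "PUT": "update", "DELETE": "delete"}


def authorize_request(subject: Subject, verb: str, resource: Resource) -> bool:
    """Server-side check for every request; the UI hiding a button is not enough."""
    return decide(subject, VERB_TO_ACTION[verb], resource) == PERMIT


NAV = [("Users", "users", "list"), ("Add user", "users", "add"),
       ("Billing", "billing", "view"), ("Stats", "stats", "view")]


def nav_items(subject: Subject) -> list:
    """Nav-bar entries the subject may see, derived from the policy rather than hard-coded."""
    return [label for label, kind, action in NAV if decide(subject, action, Resource(kind)) == PERMIT]


def button_visibility(subject: Subject, resource: Resource) -> dict:
    """Which of view/update/delete buttons to render for one record."""
    return {a: decide(subject, a, resource) == PERMIT for a in ("view", "update", "delete")}


def list_users(subject: Subject, records: list) -> list:
    """One endpoint for every role: the result set is filtered by the same rules."""
    if decide(subject, "list", Resource("users")) != PERMIT:
        return []
    return [u for u in records
            if decide(subject, "view", Resource("users", u["department"])) == PERMIT]


# Constructed sample data for the example.
USERS = [
    {"username": "alice", "department": "sales"},
    {"username": "bob", "department": "ops"},
    {"username": "carol", "department": "sales"},
]
ADMIN = Subject("root", "admin", "it")
OWNER = Subject("olivia", "owner", "sales")
MEMBER = Subject("mike", "member", "ops")

if __name__ == "__main__":
    for who in (ADMIN, OWNER, MEMBER):
        print(who.role, nav_items(who), [u["username"] for u in list_users(who, USERS)])
```

`list_users` is the answer to point 4 of the post: owners and admins call the same endpoint and get department-filtered or unfiltered results because the filtering is a policy decision applied per record, not a separate API per role. `nav_items` and `button_visibility` reuse the same decisions for the UI, but `authorize_request` is still applied to every request, since a hidden button stops nothing. In a real deployment the application would be the PEP asking an external PDP for these decisions instead of evaluating them in-process.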
