clintonb | 11 months ago

This is a nice setup for Attribute-Based Access Control (ABAC). I arrived at a similar design a couple of weeks ago, using Casbin as our authorization backend. The challenge is that I want to store users' roles and domains and use those domains to limit access. However, I do not want to replicate my existing DB to create a record in Casbin for every resource that might be accessed.

This means, yes, when validating access, you must load the data you want to access and compare its attributes against the user's authorization. One advantage of doing this is that the system can either return a 404 if the object belongs to a completely different domain, or, if the object belongs to a sub-domain, return a 403 and sufficient data to power a request for temporary privilege escalation.

I'm open to ideas for improving this.

No comments yet.
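
The 404/403 decision described in the comment above, as an added example that is not part of the original comment and does not use Casbin's API. The dotted domain paths, the in-memory `RESOURCES` and `GRANTS` tables, `ROLE_ACTIONS`, and the `authorize` function are all assumptions standing in for the application database and the policy lookup.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumption): resources live in the application's own
# DB and carry a dotted domain path; they are never copied into the policy store.
RESOURCES = {
    "doc-1": {"domain": "acme.eng"},
    "doc-2": {"domain": "acme.eng.secrets"},
    "doc-3": {"domain": "globex.sales"},
    "doc-4": {"domain": "acme.engineering"},  # shares a prefix, not a sub-domain
}
# Constructed grants (assumption): user -> {domain: role}, the only data the
# authorization backend has to hold.
GRANTS = {"alice": {"acme.eng": "editor"}, "bob": {"acme.eng": "viewer"}}
ROLE_ACTIONS = {"viewer": {"read"}, "editor": {"read", "write"}}

@dataclass(frozen=True)
class Decision:
    status: int
    escalation: Optional[dict] = None  # set only when an escalation request is possible

def is_subdomain(child: str, parent: str) -> bool:
    # Compare on the segment boundary so "acme.engineering" is not under "acme.eng".
    return child.startswith(parent + ".")

def authorize(user: str, action: str, resource_id: str) -> Decision:
    resource = RESOURCES.get(resource_id)  # load the object, then compare attributes
    if resource is None:
        return Decision(404)
    grants = GRANTS.get(user, {})
    domain = resource["domain"]
    role = grants.get(domain)
    if role is not None:
        allowed = action in ROLE_ACTIONS.get(role, set())
        return Decision(200) if allowed else Decision(403)
    # Object is in a sub-domain of a domain the user holds: 403 plus just enough
    # data to file a temporary privilege escalation request.
    parents = [d for d in grants if is_subdomain(domain, d)]
    if parents:
        return Decision(403, {"resource": resource_id, "domain": domain,
                              "action": action, "via": max(parents, key=len)})
    # Unrelated domain: identical to the missing-object response, so the caller
    # cannot learn whether the object exists.
    return Decision(404)
```

A foreign-domain object and a nonexistent id produce the same `Decision(404)`, which is what keeps the response from acting as an existence oracle across domains.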