Post: Attribute Base Access Control
Related to abac project.
What’s ABAC?
Attribute-based access control (ABAC), also known as policy-based access control for IAM, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc)1.
Attributes can be fall into 4 different categories:
-
Subjectattributes: attributes that describe the user attempting the access e.g. subject, job title -
Actionattributes: attributes that describe the action being attempted e.g. create, read, delete, update -
Objectattributes: attributes that describe the object (or resource) being accessed e.g. the object type (medical record, bank account) -
Environmentattributes: attributes that deal with time, location or dynamic aspects of the access control scenario
ABAC vs RBAC?
| Question | RBAC | ABAC |
|---|---|---|
| Who can access? |  |
|
| How can operate? |
 CRUD |
With more options |
| What resource? |
Not Bad At All |
More control on resource |
| Where user can do? |  |
Supported by IP and CIDR |
| When user can do? | |
Supported by CRON |
| Best structure? | Monolithic Apps | PWA, Restfull, GraphQL |
| Suitable for? | Small and medium projects | Medium and large projects |
What’s Scope?
Definition as a verb is:
- look at carefully; scan.
- assess or investigate something.
In this library, I have scoped action and object which means you can have more control over these attributes.
Assume you have a publisher website with four types of users with the following roles:
-
adminsuper user can do anything -
managercan do anything on articles -
guestcan read only published article -
userthe writers with limitations on time and location of article creation.
In microservice design patterns and restful’s based on my opinion one of the best practices has focused on resource management, a single endpoint with a concentration on objects is better than having multiple endpoints or having complex business logic.
Now, if you want to handle all these policies in one place (e.g. GET endpoint read permission) how you can do this?
we suppose you use the scoped policy or ability grant definition instead of having multiple endpoints or having complex business logic.
look at these ability definitions:
import { AccessAbility } from 'abacl';
const abilities: AccessAbility[] = [
{ // the admin ability can do `any`thing with `all` objects
subject: 'admin',
action: 'any',
object: 'all',
},
{ // ability scoped by published articles
subject: 'guest',
action: 'read',
object: 'article:published',
},
{ // the manager can to `any`thing with articles
subject: 'manager',
action: 'any',
object: 'article',
},
{ // the user can create own articles (scoped by own)
subject: 'user',
action: 'create:own',
object: 'article',
field: ['*', '!owner'], // filters the input data of the user
location: ['127.0.0.1', '192.168.1.0/24'],
time: [
{ // from 8AM to 6PM
cron_exp: '* * 8 * * *', // every day from 8AM
duration: 10 * 60 * 60, // 10 hours in seconds
},
],
},
{
subject: 'user',
action: 'read:own',
object: 'article',
},
{ // the user can read shared articles without `id` properties
subject: 'user',
action: 'read:shared',
object: 'article',
filter: ['*', '!id'], // filters output data
},
{
subject: 'user',
action: 'delete:own',
object: 'article',
},
{
subject: 'user',
action: 'update:own',
object: 'article',
field: ['*', '!owner'],
},
];
Feel free to comment on us
Comments