Non RBAC User Roles and Permissions System: City User Verification

We are currently designing a system of user roles and permissions in our web application (ASP.NET), and it seems that we have several cases that do not fit classical role-based access control (RBAC). I will post a few questions, each dedicated to a specific case; this is the first post.

We have the following case: do not allow the user to view a specific page if the user lives in a certain city. This is a simple case, which is encoded as follows:

if (User.City == "Moscow")
{
    // Allow the user to view the page.
}
else
{
    // Do not allow the user to view this page.
}

Although this case is very simple, it has nothing to do with RBAC.

On StackOverflow, someone called it attribute-based access control.

Under classic RBAC, it seems that this case should be designed as follows: introduce the permission "City in which a person lives"; this permission will have the City property. Then create a role, add a permission of the type "City = Moscow" to it and assign the role to the user. It looks extremely bulky.

Question: is it permissible to introduce such approaches, other than RBAC, into our permission system, or does this violate the design?

This may seem like a primitive question, but we found that most applications use pure RBAC, and we began to think that we might be doing something wrong.

Thanks.

+1
1 answer

This will be a good case for attribute-based access control. However, if you don't mind looking at the PHP implementation, the Zend Framework has role-based access control that uses statements to solve more special cases:

http://framework.zend.com/manual/en/zend.acl.advanced.html

A standard rule allows a role to perform an action on a resource. The fourth parameter allows the rule to be applied only if a certain condition is met. In pseudo code:

allow(member, view, page)                     // standard
allow(member, view, page, userLivesInMoscow)  // assertion used

An assertion is an object that is passed to the user. This has a method that checks if a statement is true:

interface Assertion
    bool public function assert()

class UserLivesIn implements Assertion
    public function UserLivesIn(User, City)
    ...
    // implementation of assert method comes here

This is a way to implement what you need.

+1
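The rule-plus-assertion pattern from the answer above, sketched in C# for the ASP.NET setting of the question. This is an added example, not code from the post or from Zend Framework; `Acl`, `IAssertion`, the role and resource names and the sample users are hypothetical, and `City` is assumed to come from the server-side user record rather than from request input.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; not Zend_Acl's or ASP.NET's API.
public record User(string Name, string Role, string City);

public interface IAssertion { bool Assert(User user); }

public sealed class UserLivesIn : IAssertion
{
    private readonly string _city;
    public UserLivesIn(string city) => _city = city;
    // Ordinal, case-insensitive match; a null city never matches.
    public bool Assert(User user) =>
        string.Equals(user.City, _city, StringComparison.OrdinalIgnoreCase);
}

public sealed class Acl
{
    // (role, action, resource) -> optional assertion; null means unconditional.
    private readonly Dictionary<(string, string, string), IAssertion?> _rules = new();

    public void Allow(string role, string action, string resource, IAssertion? condition = null)
        => _rules[(role, action, resource)] = condition;

    // Default deny: no matching rule, or a failed assertion, means no access.
    public bool IsAllowed(User user, string action, string resource)
        => _rules.TryGetValue((user.Role, action, resource), out var condition)
           && (condition is null || condition.Assert(user));
}

public static class Demo
{
    public static void Main()
    {
        var acl = new Acl();
        acl.Allow("member", "view", "news");                                  // standard rule
        acl.Allow("member", "view", "city-page", new UserLivesIn("Moscow"));  // assertion used

        // Constructed sample users.
        var anna = new User("anna", "member", "Moscow");
        var boris = new User("boris", "member", "Kazan");
        var guest = new User("guest", "guest", "Moscow");

        Console.WriteLine(acl.IsAllowed(anna, "view", "city-page"));
        Console.WriteLine(acl.IsAllowed(boris, "view", "city-page"));
        Console.WriteLine(acl.IsAllowed(guest, "view", "city-page"));
        Console.WriteLine(acl.IsAllowed(boris, "view", "news"));
    }
}
```

Only the Moscow member is allowed to view the city page; the guest is refused because no rule exists for that role, so the city assertion is never consulted.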

Source: https://habr.com/ru/post/1309858/

