Access Control Design Models

I am working on a PHP application and I would like to add access control to some of my objects. I did not mark this question as PHP, since I feel that this question is language independent.

Say I have a "class of service"

abstract class Service {


}

Many services use this as a base class. One pseudo example:

class Companies extends Service {

  function getCompanyInfo($id) {
      //...
  }

}

Later down the road, I want to add access control. The getCompanyInfoById example is a read operation, so this will require the “read” privilege.

At this point, I can implement this as follows:

  • Add access control to the service class. Each method (for example, getCompanyInfoById) must first call the hasPrivilege method before completing the operation and returning the result.
  • - -, .
  • "" .

:

  • , , . , .
  • , . , .
  • , , . "", .

?

+4
3

1.

.

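class Service
{
  // Some hash map with the ACL; assumed here to list the current user's privileges
  protected $ACL = array();

  // Assumed helper: throws if the privilege is not in the ACL
  protected function check($privilege)
  {
    if (!in_array($privilege, $this->ACL, true)) {
      throw new Exception("Missing privilege: $privilege");
    }
  }
}

class Companies extends Service
{

  function getCompanyById($id)
  {
    //real code
  }
}

class SafeCompanies extends Companies
{
  // If a method must be "protected" with an ACL, you must override it in this way
  function getCompanyById($id)
  {
    $this->check('read'); // raises an exception if the current user does not have the READ privilege
    return parent::getCompanyById($id);
  }
}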

2
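
An alternative to overriding each method in a subclass, as an added example that is not part of the original answer: a wrapper that maps method names to privileges and refuses any call it has no mapping for, so a newly added method stays closed until someone maps it. GuardedService, AccessDenied, deleteCompany and the privilege map are hypothetical names, and the current user's privileges are assumed to be passed in as a plain array.

```php
<?php
class AccessDenied extends Exception {}

abstract class Service {}

class Companies extends Service
{
    public function getCompanyById($id)
    {
        return array('id' => $id, 'name' => 'Example Ltd'); // constructed sample data
    }

    public function deleteCompany($id) // hypothetical write operation
    {
        return true;
    }
}

// Hypothetical wrapper: checks a privilege before forwarding each call.
class GuardedService
{
    private $service;
    private $required; // method name => privilege needed to call it
    private $granted;  // privileges held by the current user

    public function __construct(Service $service, array $required, array $granted)
    {
        $this->service  = $service;
        $this->required = $required;
        $this->granted  = $granted;
    }

    public function __call($method, $args)
    {
        // Deny by default: a method with no entry in the map is never forwarded.
        if (!isset($this->required[$method])) {
            throw new AccessDenied("no privilege mapping for $method");
        }
        if (!in_array($this->required[$method], $this->granted, true)) {
            throw new AccessDenied("'{$this->required[$method]}' privilege required for $method");
        }
        return call_user_func_array(array($this->service, $method), $args);
    }
}
$map = array('getCompanyById' => 'read', 'deleteCompany' => 'write');
$companies = new GuardedService(new Companies(), $map, array('read'));
print_r($companies->getCompanyById(7)); // allowed: the user holds 'read'
try { $companies->deleteCompany(7); }   // refused: the user lacks 'write'
catch (AccessDenied $e) { echo $e->getMessage(), "\n"; }
```
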

+3

Java EE . "", (URL- , EJB) , . (, LDAP) , .

, "" , .

-, , - .

, , 3 , -.

+3

... , , , : . , (, CanCanCan Ruby Spring Security Java #). -. , -. , - (///). - . - (GDPR, Open Banking...) (, -, VIP...). .

, (), / (). RBAC . , , . . ABAC , , () . ABAC , ( Rego). (AWS Google) ( Google IAM AWS IAM ).

ABAC:

  • : , /API
  • : , API, .
  • : , , , , /
  • : ABAC .

, ABAC ALFA, NIST ABAC.

0

Source: https://habr.com/ru/post/1725949/

