Authorization Model: Context of Role?


I am currently attempting to design an Authorization Model that has the following components:

Privileges - an action that can either be granted or denied to a user/group

Roles - a collection of privileges; roles can be associated with a user or group

Security Objects - the entity to which security is applied

Object Owners - the owner of a security object

Statuses - an attribute that represents the state of a security object

Users - standard consumer of the service; can be denied or granted access to do things

Groups - a collection of users sharing a common thing; roles can be assigned to groups; privileges can be assigned to groups

My question is as follows: Is there a way to properly model the context of a role with the current components that I presented above?

For instance, let's say I have the current authorization statement:

Tim can see Mary's profile information because Tim is Mary's friend.

I can dissect this statement into the model components:

User: Tim
Security Object: profile information
Object Owner: Mary
Privilege: view
Role: friend
Group: N/A?
Status: N/A

One thing that this dissection does not attribute is that Tim is a friend of Mary.

Is there a component that I can add to this model that will capture this context ("of Mary"), or is there a way I can re-represent the privilege statement using my pre-existing auth model components? What is the best practice?

Answer by David Brossard (accepted answer):

Actually, you should not attempt to implement a new authorization model. There is already a good model called attribute-based access control (or ABAC; see the SO tag).

ABAC is an authorization model that:

  • is defined by NIST, the National Institute of Standards and Technology, the very same organization that defines RBAC (role-based access control)
  • uses attributes to define access control logic. Attributes
    • are a key-value pair e.g. role == manager
    • can be multi-valued e.g. citizenship = Canadian, Swedish
    • can describe anything e.g. the requesting user, the targeted object, the action, relationships, time, location...
  • uses policies to define access control logic. These policies
    • are written in XACML
    • use attributes to define the access control scope
  • enables externalized authorization: essentially your authorization logic is decoupled from your business logic. This is great because you can develop your apps independently of your security.

Let's take your example:

Tim can see Mary's profile information because Tim is Mary's friend.

The authorization requirement would therefore be:

A user can view another user's profile if both users are friends.

In ABAC, you have to identify your attributes. You do this in your question, which is great, though your analysis is role-biased. Let's take it again. The attributes I see are:

  • an action id (view)
  • a resource type (user profile)
  • a friend list (Tim's friend list)
  • a profile owner (Mary)

With these attributes, I can rewrite your requirement in a broken-down way:

A user can do the action actionId==view on a resource of type==user profile if profile.owner is in the user's friend list.

You can then use ALFA to implement the policy in ALFA and then XACML.

namespace com.axiomatics{
    /**
     * A user can view another user's profile...
     */
    policy viewProfile{
        target clause actionId=="view" and resourceType=="user profile"
        apply firstApplicable
        /**
         * Allow if both users are friends.
         */
        rule allowIfFriends{
            condition stringIsIn(stringOneAndOnly(subjectId), friendList)
            permit
        }
    }
}

The XACML outcome (in XML) is:

<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.viewProfile"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>A user can view another user's profile...</xacml3:Description>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator 
                        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                        MustBePresent="false"
                    />
                </xacml3:Match>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">user profile</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator 
                        AttributeId="resourceType"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        MustBePresent="false"
                    />
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/com.axiomatics.viewProfile.allowIfFriends">
        <xacml3:Description>Allow if both users are friends.</xacml3:Description>
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in" >
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" >
                    <xacml3:AttributeDesignator 
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        MustBePresent="false"
                    />
                </xacml3:Apply>
                <xacml3:AttributeDesignator 
                    AttributeId="friendList"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    MustBePresent="false"
                />
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>
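The requirement in the answer ("profile.owner is in the user's friend list"), evaluated the way a XACML PDP would (target match, rule condition, firstApplicable combining), as an added Python example that is not part of the answer or of the ALFA/XACML tooling. It also shows how the question's missing "of Mary" context becomes a plain relationship attribute rather than a role; the friend lists, user names and the resolve_attributes lookup are constructed assumptions.

```python
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed "PIP" data: each user's friend list, looked up by subject-id.
# The relationship the question could not place ("friend *of Mary*") is
# simply a multi-valued attribute of the requesting subject here.
FRIEND_LISTS = {"tim": ["mary", "bob"], "mary": ["tim"], "alice": []}


@dataclass
class Request:
    subject: dict   # e.g. {"subject-id": "tim"}; friendList is resolved below
    action: dict    # e.g. {"action-id": "view"}
    resource: dict  # e.g. {"resourceType": "user profile", "owner": "mary"}

def resolve_attributes(req: Request) -> Request:
    """PIP step: attach the subject's friendList if the PEP did not supply it."""
    sid = req.subject.get("subject-id")
    req.subject.setdefault("friendList", list(FRIEND_LISTS.get(sid, [])))
    return req

def target_matches(req: Request) -> bool:
    """Policy target: action-id == "view" AND resourceType == "user profile"."""
    return (req.action.get("action-id") == "view"
            and req.resource.get("resourceType") == "user profile")

def allow_if_friends(req: Request) -> str:
    """Rule condition from the answer's requirement: profile.owner must be in
    the requester's friend list. A missing owner never satisfies it (fail closed)."""
    owner = req.resource.get("owner")
    if owner is not None and owner in req.subject.get("friendList", []):
        return PERMIT
    return NOT_APPLICABLE

def evaluate(req: Request, rules=(allow_if_friends,)) -> str:
    """firstApplicable combining: the first rule returning Permit or Deny wins.
    NotApplicable is what the PEP gets when nothing matched; it must deny then."""
    req = resolve_attributes(req)
    if not target_matches(req):
        return NOT_APPLICABLE
    for rule in rules:
        decision = rule(req)
        if decision in (PERMIT, DENY):
            return decision
    return NOT_APPLICABLE

def decide(subject_id: str, action: str, resource_type: str, owner: str) -> str:
    """Convenience wrapper building a request from plain values."""
    return evaluate(Request({"subject-id": subject_id}, {"action-id": action},
                            {"resourceType": resource_type, "owner": owner}))
```

Note that nothing here depends on a "friend" role: whether the relationship is symmetric (Mary must also list Tim) is a separate attribute lookup you would add to the rule, not a new model component.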