Role Based Access Control (RBAC) cares about permission or roles?

1.4k views Asked by At

After reading http://en.wikipedia.org/wiki/Role-based_access_control and seeing the way people are building authorization/access control, this question came to my mind "Why we are checking roles of users when checking if they are permitted to do X rather than checking their permissions?"

This is what I understood, Users have Roles, Roles have permission and this is how a user can have permissions (A user cannot explicitly have permissions assigned to it, it gets its permission by having roles)

And I think it makes sense to check for a permission like "AddUser" when processing a request for adding a user but in .Net library and also in a lot of examples in RBAC we see that they check for Roles. Like they check if the user is in the role of Administrators rather than checking if he/she has the permission "AddUser".

Why? It kind of makes more sense to me to check for permissions.

Can someone please illuminate me here?

Thanks

2

There are 2 answers

0
Shawn McKinney On BEST ANSWER

You are correct - checking for roles in applications instead of permissions is not Role-Based Access Control. Spring security and many other prominent access control mechanisms propagate this security anti-pattern. For correct RBAC usage - perform permission checks in your policy enforcement logic.

0
Kunal Khatri On

If we simplify the RBAC system, RBAC is a method of restricting access to 'some sources or applications or some features of applications' based on rights of users of organization. Here, restrictions can be by means of multiple permissions, those are created by administrator to restrict access, and these permissions collectively represents a role, which will be assigned to user.

You might be partially true for your case :)

But consider a case of complex application, where there are 200 permissions, and administrators need to define few set of permissions to represent specific behavior via role, which will create some complex kind of customization and re presentation of the form for that user.

Here it might be required to check via ‘HasRole(‘SomeRole’)’ method to define exact behavior of user.

So, my answer would be, both methods are equally important in RBAC.

1) HasPermission(‘permissionName’)

2) HasRole(‘roleName’)

A good RBAC solution should provide both these methods. There are such tools available in the market, you can check for them.