rbac
PHP-RBAC is an authorization library for PHP. It provides developers with NIST Level 2 Standard Role Based Access Control and more, in the fastest implementation yet.
PhpRbac.net | PHP Role Based Access Control Library php-rbac is the de-facto php nist level 2 standard hierarchical role based access control library
What is the best database schema to track role-based access controls for a web application?
I am using Rails, but the RBAC plugin linked by Google looks unmaintained (only 300 commits to SVN; latest was almost a year ago).
The concept is simple enough to implement from scratch, yet complex and important enough that it's worth getting right.
So how do others architect and implement their RBAC model?
Source: (StackOverflow)
Basic deal is, we have a custom built "kickstart" for our projects. For this we are looking at redoing the user control. I know there are a lot of questions out there about general rbac, but I cannot find any on hierarchical rbac?
Our requirements are:
- Roles can be assigned to group permissions
- If the role does not have a permission entry then it is automatically denied
- A user can be given overriding permissions
- A users overriding permissions is either a grant or deny
- If a user is explicitly denied a permission no matter what roles say "granted" the override wins.
- Users can have multiple roles
- Roles can have hierarchy
- Roles can inherit from other roles (e.g. A "Forum Super Moderator" role is a "Forum Moderator", and a "System Maintainer", and the "Forum Moderator" role already inherits from the "Forum User" role )
- Roles that inherit from another role that deny or grant a privilege override their child permission
- Permissions are grouped by "module" (e.g. a "Blog" module can have an "edit entry" permission, and a "Forum" module can have an "edit entry" permission and they will not clash)
- There is a "Everything and Anything" permission that automatically grants full access
So, with those requirements out of the way, here's how I am thinking of doing it.
Table: Users
id | int | unique id
Table: Roles
id | int | unique id
--------------|---------------------------------------------
title | varchar | human readable name
Table: Permissions
id | int | unique id
--------------|---------------------------------------------
module | varchar | module name
--------------|---------------------------------------------
title | varchar | human readable name
--------------|---------------------------------------------
key | varchar | key name used in functions
Table: Role_User
role_id | int | id from roles table
--------------|---------------------------------------------
user_id | int | id from users table
Table: Permission_Role
id | int | unique id
--------------|---------------------------------------------
permission_id | int | id from permissions table
--------------|---------------------------------------------
role_id | int | id from roles table
--------------|---------------------------------------------
grant | tinyint | 0 = deny, 1 = grant
Table: Permission_User
id | int | unique id
--------------|---------------------------------------------
permission_id | int | id from permissions table
--------------|---------------------------------------------
user_id | int | id from users table
--------------|---------------------------------------------
grant | tinyint | 0 = deny, 1 = grant
Well, actually that's half of it, that part I am sure about, the part I am getting stuck on is the hierarchical roles.
So, how do I design this?
My idea is that to save on the database queries I am just going to build the permission matrix on login and save it to session so the queries don't have to be too simple as they are only run once for each login.
The issue I see is that, I am going to need to know the hierarchy of the roles so I can resolve the inherited roles permissions before I resolve the inheriting.
The user permissions is the easy part, the per-user permissions are essentially the finally resolved group.
Source: (StackOverflow)
For instance, if I have this user:
> db.system.users.find()
{ "user" : "testAdmin", "pwd" : "[some hash]", "roles" : [ "clusterAdmin" ], "otherDBRoles" : { "TestDB" : [ "readWrite" ] } }
And I want to give that user the dbAdmin permissions on the TestDB database, I can remove the user record then add it back with the new permissions:
> db.system.users.remove({"user":"testAdmin"})
> db.addUser( { user: "testAdmin",
pwd: "[whatever]",
roles: [ "clusterAdmin" ],
otherDBRoles: { TestDB: [ "readWrite", "dbAdmin" ] } } )
But that seems hacky and error-prone.
And I can update the table record itself:
> db.system.users.update({"user":"testAdmin"}, {$set:{ otherDBRoles: { TestDB: [ "readWrite", "dbAdmin" ] }}})
But I'm not sure if that really creates the correct permissions - it looks fine but it may be subtly wrong.
Is there a better way to do this?
Source: (StackOverflow)
In my Yii application, I want my authorization hierarchy and business rules to be written in code and I want my users, roles and permissions to be stored in the database. This separates my business logic (which should be code) from the information it should use (which should be data). It appears that Yii does not support this.
In Yii you have the option of either putting your business logic into files (CPhpAuthManager) or into the database (CdbAuthManager). Either way, you are treating your business logic as data; Yii will actually retrieve your business logic as strings and then run it via an eval, which seems like a terrible way to do this.
What is the reason for this?
How can I achieve the outcome I want?
Source: (StackOverflow)
Is there a way to get a list of roles a Windows authenticated user is in, without explicitly checking by WindowsPrincipal.IsInRole method?
Source: (StackOverflow)
I have users that each are associated with a list of real estate properties they are allowed to access. Multiple users may have permission to view the same site.
How would I set this up in django?
I have the:
class UserProfile(models.Model):
user = models.OneToOneField(User)
last_session_time_online = models.IntegerField()
total_time_online = models.IntegerField()
def __unicode__(self):
return self.user
and the
class Site(models.Model):
site_name = models.CharField(max_length = 512)
...Other stuff...
def __unicode__(self):
return self.user
Source: (StackOverflow)
I am about to implement access control in my ZF2 project. I am checking both RBAC and ACL.
Which one would be best suited over the other? and why?
And which one would be supported well by Zend in the future?
I googled it, but couldn't get answers.
Source: (StackOverflow)
django guardian https://github.com/lukaszb/django-guardian is a really well written object-level permissions app; and I have actually read up on and used quite a number of other django object level permissions app in various django projects.
In a recent project that I am working on, I decided to use django guardian but I have a model design question relating to the pros and cons of two possible approaches and their respective implications on sql query performance:-
using django.contrib.auth.models.Group and extending that to my custom organization app's models; or
using django.contrib.auth.models.User instead and creating an m2m field for each of the organization type in my organization app.
Approach #1
# Organisation app's models.py
from django.contrib.auth.models import Group
class StudentClass(models.Model):
name = models.CharField('Class Name', max_length=255)
groups = models.ManyToManyField(Group, blank=True)
size = models.IntegerField('Class Size', blank=True)
class SpecialInterestGroup(models.Model):
name = models.CharField('Interest Group Name', max_length=255)
groups = models.ManyToManyField(Group, blank=True)
description = models.TextField('What our group does!', blank=True)
class TeachingTeam(models.Model):
name = models.CharField('Teacher Team Name', max_length=255)
groups = models.ManyToManyField(Group, blank=True)
specialization = models.TextField('Specialty subject matter', blank=True)
In this approach, when a user is added to a group (django group) for the first time, the group object is created and also assigned to one of these 3 classes, if that group object does not yet belong to the class it is added into.
This means that each StudentClass object, sc_A, sc_B etc, can possibly contain a lot of groups.
What that means is that for me to ascertain whether or not a specific user (say myuser) belongs to a particular organization, I have to query for all the groups that the user belong to, via groups_myuser_belongto = myuser.groups and then query for all the groups that are associated to the organization I am interested in, via groups_studentclass = sc_A.groups.all() and since I now have 2 lists that I need to compare, I can do set(groups_myuser_belongto) && set(groups_studentclass), which will return a new set which may contain 1 or more groups that intersect. If there are 1 or more groups, myuser is indeed a member of sc_A.
This model design therefore implies that I have to go through a lot of trouble (and extra queries) just to find out if a user belongs to an organization.
And the reason why I am using m2m to groups is so as to make use of the Group level permissions functionality that django guardian provides for.
Is such a model design practical?
Or am I better off going with a different model design like that...
Approach #2
# Organisation app's models.py
from django.contrib.auth.models import User
class StudentClass(models.Model):
name = models.CharField('Class Name', max_length=255)
users = models.ManyToManyField(User, blank=True)
size = models.IntegerField('Class Size', blank=True)
class SpecialInterestGroup(models.Model):
name = models.CharField('Interest Group Name', max_length=255)
users = models.ManyToManyField(User, blank=True)
description = models.TextField('What our group does!', blank=True)
class TeachingTeam(models.Model):
name = models.CharField('Teacher Team Name', max_length=255)
users = models.ManyToManyField(User, blank=True)
specialization = models.TextField('Specialty subject matter', blank=True)
Obviously, this model design makes it really easy for me to check if a user object belongs to a particular organization or not. All I need to do to find out if user john is part of a TeachingTeam maths_teachers or not is to check:
user = User.objects.get(username='john')
maths_teachers = TeachingTeam.objects.get(name='Maths teachers')
if user in maths_teachers.users.all():
print "Yes, this user is in the Maths teachers organization!"
But what this model design implies is that when I add a user object to a group (recall that I want to use django guardian's Group permissions functionality), I have to make sure that the save() call adds the user object into a "Maths Teachers" group in django.contrib.auth.models.Group AND into my custom TeachingTeam class's "Maths Teachers" object. And that doesn't feel very DRY, not to mention that I have to somehow ensure that the save calls into both the models are done in a single transaction.
Is there a better way to design my models given this use case/requirement - use django groups and yet provide a way to "extend" the django's native group functionality (almost like how we extend django's user model with a "user profile app")?
Source: (StackOverflow)
I'm currently developing a member administration for a local association here and I'm developing the database schema at the moment. I'd like to share it with you to improve it and give other an example of a Role Based Access Model (RBAC). I'd appreciate any constructive criticism especially about the relationships I used between the tables.
Link to highres: http://i.stack.imgur.com/WG3Vz.png
Heres the schema: 
How it works:
I'm mapping existing clients (actually members of the association) from an external application into my administration application. (clients table)
The association is structured in Division, Subdivisions, etc. (intern_structures table). Every client can be a member in multiple Division, Subdivisions, Sections etc.
Every client can have one or multiple roles in such memberships (divisions,...) like President, Actuary, Treasurer etc. and each role has certain privileges which the owner of the role can apply on others in his Division,Subdivision,Section etc.
A credential is connected to a certain action of an application. The owner of the credential may execute this action on other members in his scope. There can be multiple "standalone" applications but they all share the same authentication/authorization system.
An application is structured in Modules/Submodules/Actions etc. An example could be a "Personal Details" module and this module contains a submodule called "Picture" and you could apply the actions "view,delete,edit" on this picture. But you can't delete any picture unless the person whose picture you try to delete is in a division/section where you have the adequate role to do so.
The internal and application structure are both trees, implemented as adjacency list and nested set. The adjacency list ensures the integrity and the nested set allows me to traverse the tree quickly.
An exception is that you can give someone certain credentials directly (client_credentials). This is needed if someone needs to perform certain actions on somebody who isn't in his divsion/section.
So, someone can be a member in multiple divsions/sections and obtain multiple roles in every division/section he's a member of. I'm going to merge all credentials someone has through his multiple roles. And credentials are always positive, means restrictive credentials are not possible.
Source: (StackOverflow)
I'm trying to use Apache Shiro framework to secure my web application (UI is based on Vaadin 6). Looked through all the examples on Shiro's site and also googled for hours, but I can't find a clean way to deal with the following requirements.
Assuming application is a kind of project management tool, where users are creating activities, which belongs to particular departments in company hierarchy. Each user may work in several departments and has different security roles in each department. Example:
Department A - User is 'Manager' here
Department B
Department C - User is 'Admin' here
Department D
User is 'Manager' in Department A
User is 'Admin' in Department C
User should also inherit 'Admin' role for Department D (which is ancestor of Department C).
So, basic permission check (assuming I want to view activity belonging to some department) would be to:
- Check if activity user is trying to view belongs to department user has a role in;
- Check that user has required permission basing on his role in this department.
I'm current stuck in understanding of how to implement not only just "system wide role", but "role in this particular department" concept.
How can I transform above example to permission string like "activity:view:123"? And how will I check the permission in my business logic?
One more doubt is implementation with Shiro, I'd like to use some out-of-the-box solution will minimal efforts of providing my own implementations. However, it seems that Shiro's built-in implementations are designed for simple cases only. Is there any example of complex authorization implementation to start with (which can cover above case)?
Source: (StackOverflow)
In my Yii2 application I'm trying to force all users to be authenticated. If they're not already authenticated they should be redirected to the login page.
In Yii1 I did this by creating a class that would check if a user was logged in and attaching that class to the onBeginRequest behavior in my main config file.
// Yii 1
'behaviors' => array(
'onBeginRequest' => array(
'class' => 'application.components.RequireLogin',
)
),
How can I get the same behavior in Yii2? I know I can use behavior to do this, but I wan't to add this behavior to my main config file so all requests are first checked for authentication.
The working behaviors method looks like this:
// Yii2
public function behaviors() {
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
[
'actions' => ['login', 'error'],
'allow' => true,
],
[
'allow' => true,
'roles' => ['@'],
],
],
],
];
}
Source: (StackOverflow)
I'm diving into RBAC while designing new and rather big/complex site.
I'm trying to figure out if to create a task or simply an operation with biz rule.
Now, I've read most if not all existing documentation. The current documentation says that "a task consists of operations". This wiki article says that the different terms are simply naming conventions and the only limitation that exists is structural one - roles must include tasks (or other roles); tasks should include operations (or other tasks) and operations is the atomic term that is not further composed by other entities.
I've also read the relevant sections in the "Agile web dev..." and "Yii cookbook" books - both do not shed further light on this issue (at least as seen through my glasses).
Lets go to my example where I'll present the question. Actually, lets use an example similar to that demonstrated in most of the documentation resources mentioned above: Lets say I have a blog post and I want/need to have its author be able to "update own post". Now, why should this be a task as commonly demonstrated in the documentation resources and not an operation with a biz rule?
I think that the question above reveals the inclear definition of a "task" (in the RBAC context of course).
Please help me distill a better definition for an RBAC task.
EDIT:
I was suggested the following definitions of the mentioned terms that help conceptualize them in a useful way. In short and in its simplest form: operations are the basic building blocks. They are the material developers work with and only them. Developers compose tasks of and on top of operations. Roles are composed of tasks, like a set of tasks. Roles and tasks are what the site administrators should play with - assign and revoke to users but not operations.
That's a nice way to look and grasp those entities (roles, tasks and operations).
Do you have another option to conceptualize differently? Any comments will be appreciated.
TIA!
Boaz.
Source: (StackOverflow)
Scenerio:
Using Yii-rights + Yii-user module in my project. In Rights, I generated operations based on my controller action, under update I added a child UpdateOwn.
For UpdateOwn, the bizrule is suppose to be a simple comparison that the logged in user's ID is equal to $model->user_id field.
Problem:
I understand yii checkaccess allow you to pass in variables as parameters and comparing with your defined bizrule. But how does it work for Yii-rights module? How or what are the data/params passed in to be used in bizrule? How can I define or pass my own data/params?
Source: (StackOverflow)
I am learning Yii and am trying to develop RBAC now the issue is that I have created roles and so on executed that script via shell I have database tables in place and that Roles and everything gets populated. now I donot know why but
if(Yii::app()->user->checkAccess('admin'))
echo 'Admin';
else
echo 'No Admin';
always return No admin .What I am trying to do is display a different menu based on user type i.e it is admin or reader or manager and so on. but this fails.
I am attaching my role assignment also here
<?php
class RbacCommand extends CConsoleCommand
{
private $_authManager;
public function getHelp()
{return <<<EOD
USAGE
rbac
DESCRIPTION
This command generates an initial RBAC authorization hierarchy.
EOD;
}
/**
* Execute the action.
* @param array command line parameters specific for this command
*/
public function run($args)
{
echo "SHELLLLLLLLLL.\n";
//ensure that an authManager is defined as this is mandatory for creating an auth heirarchy
if(($this->_authManager=Yii::app()->authManager)===null)
{
echo "Error: an authorization manager, named 'authManager'
must be configured to use this command.\n";
echo "If you already added 'authManager' component in
application configuration,\n";
echo "please quit and re-enter the yiic shell.\n";
return;
}
//provide the oportunity for the use to abort the request
echo "This command will create three roles: Admin, Manager, and Reader and the following premissions:\n";
echo "create, read, update and delete Hotels\n";
echo "create, read, update and delete Items\n";
echo "create, read, update and delete Users\n";
echo "create, read, update and delete Category\n";
echo "Would you like to continue? [Yes|No] ";
//check the input from the user and continue if they indicated yes to the above question
if(!strncasecmp(trim(fgets(STDIN)),'y',1))
{
//first we need to remove all operations, roles, child relationship and assignments
$this->_authManager->clearAll();
//create the lowest level operations for users
$this->_authManager->createOperation("createUser","create a new user");
$this->_authManager->createOperation("readUser","read user profile information");
$this->_authManager->createOperation("updateUser","update a users information");
$this->_authManager->createOperation("deleteUser","remove a user from a Hotel");
////create the lowest level operations for projects
$this->_authManager->createOperation("createHotel","create a new Hotel");
$this->_authManager->createOperation("readHotel","read Hotel information");
$this->_authManager->createOperation("updateHotel","update Hotel information");
$this->_authManager->createOperation("deleteHotel","delete a Hotel");
////create the lowest level operations for Category
$this->_authManager->createOperation("createCategory","create a new Item");
$this->_authManager->createOperation("readCategory","read Item information");
$this->_authManager->createOperation("updateCategory","update Item information");
$this->_authManager->createOperation("deleteCategory","delete an Item from a Hotel");
////create the lowest level operations for issues
$this->_authManager->createOperation("createItem","create a new Item");
$this->_authManager->createOperation("readItem","read Item information");
$this->_authManager->createOperation("updateItem","update Item information");
$this->_authManager->createOperation("deleteItem","delete an Item from a Category");
////create the reader role and add the appropriate permissions as children to this role
$role=$this->_authManager->createRole("reader");
$role->addChild("readUser");
$role->addChild("readHotel");
$role->addChild("readCategory");
$role->addChild("readItem");
$role->addChild("createUser");
////create the member role, and add the appropriate permissions, as well as the reader role itself, as children
$role=$this->_authManager->createRole("manager");
$role->addChild("readUser");
$role->addChild("readHotel");
$role->addChild("readCategory");
$role->addChild("readItem");
$role->addChild("createHotel");
$role->addChild("createCategory");
$role->addChild("createItem");
$role->addChild("updateHotel");
$role->addChild("updateCategory");
$role->addChild("updateItem");
$role->addChild("deleteHotel");
$role->addChild("deleteCategory");
$role->addChild("deleteItem");
////create the owner role, and add the appropriate permissions, as well as both the reader and member roles as children
$role=$this->_authManager->createRole("admin");
$role->addChild("reader");
$role->addChild("manager");
$role->addChild("createUser");
$role->addChild("updateUser");
$role->addChild("deleteUser");
echo 'Making Afnan admin';
$this->_authManager->assign('admin','3');
echo 'Making Riaz Manager';
$this->_authManager->assign('manager','2');
echo 'Sucess';
//provide a message indicating success
echo "Authorization hierarchy successfully generated.";
}
}
}
?>
Source: (StackOverflow)