accesscontrol
accesscontrol copied to clipboard
onury
Spec for AccessControl
Hey there, came across this today, and was blown away by the quality of the docs and care put into it. We (our MSFT open source eng team) have been looking into using an access system like this, and your project could be the right answer. One question: I know it says it's a merging of some traditional RBAC schemes and other access schemes, based on the cited NIST paper, but does this have/follow formal specs? If it's a brand new construct that combines ideas of two/more schemes, would you be willing to codify it with a spec that goes a bit beyond API docs?
Hi Daniel. Thanks for your interest.
Actually, in the beginning I just needed a role-based access system that also handles; A) data model (resource) attributes B) controls possession of a resource. Not only that NIST paper, I tried to make sense out of many other articles that discuss these concepts theoretically.
Then it evolved to this point by time. Such as... Role hierarchical inheritance was a must-have but it needed to be done by reference, for performance reasons. It had to support control of deep/nested levels of data attributes. Defining policies should be user-friendly so I added glob support with negation. And so on...
Now I'm thinking of introducing a wider concept of contexts/scopes, time based control (with range and recursion support), hierarchical or linear resource grouping, denying with defined reasons, access logs, and a few more concepts...
So this became a new construct by definition. I like the idea of building a spec out of this, if I'm getting you right. Can I ask what's your use-case and need for this spec?
Our use-case is potential inclusion in an open source, standards-based, encrypted personal datastore for decentralized identity. Part of it includes permission for other identities to access/decrypt data, and we're looking for a solid spec/implementation that could serve as the basis for that part of the project.
On Fri, Jun 29, 2018, 4:54 PM Onur Yıldırım [email protected] wrote:
Hi Daniel. Thanks for your interest.
Actually, in the beginning I just needed a role-based access system with that also handles; A) data model (resource) attributes B) controls possession of a resource. Not only that NIST paper, I tried to make sense out of many other articles that discuss these concepts theoretically.
Then it evolved to this point by time. Such as... Role hierarchical inheritance was a must-have but it needed to be done by reference, for performance reasons. It had to support control of deep/nested levels of data attributes. Defining policies should be user-friendly so I added glob support with negation. And so on...
Now I'm thinking of introducing a wider concept of contexts/scopes, time based control (with range and recursion support), hierarchical or linear resource grouping, denying with defined reasons, access logs, and a few more concepts...
So this became a new construct by definition. I like the idea of building a spec out of this, if I'm getting you right. Can I ask what's your use-case and need for this spec?
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/onury/accesscontrol/issues/47#issuecomment-401500784, or mute the thread https://github.com/notifications/unsubscribe-auth/AAICyqmpb4KlRg2ZQ5a3rOrPyN6cx1Bqks5uBr4_gaJpZM4U9gi6 .
Thanks Daniel. I'd like to write specs. This might take some time since I'm really occupied at the time. I'd appreciate any kind of help with this since I'm not experienced in spec-writing. Would you or anyone at your team be interested?