
Give unique User rights for unique "resource"

Open dominikstohl opened this issue 5 years ago • 8 comments

Hey everyone, your project looks very nice. But I have a special question: we have something like container entities for collecting sub-entities. A has different B's and B's have different C's, everything 1:n. We want to grant access to a special user for a special entity, but it's not the owner. Is this possible? Thank you! Dominik

dominikstohl, Jul 03 '18 09:07

Also interested in this.

AleksandarFaraj, Aug 04 '18 22:08

@dominikstohl If I understood correctly, you need a policy/attribute-based access control framework. accesscontrol works purely with roles (RBAC).

iNDicat0r, Aug 17 '18 22:08

@iNDicat0r accesscontrol is not purely RBAC, as it states in the docs.

jsardev, Oct 05 '18 10:10

@sarneeh I agree, but in accesscontrol permissions are assigned relative to the role, something which isn't a requirement in ABAC systems.

iNDicat0r, Oct 05 '18 13:10

@iNDicat0r ABAC is not too familiar to me, so I didn't know the difference. Btw, are you aware of some ABAC example implementations? I was looking for something like that but can't find anything in the Node.js world.

jsardev, Oct 05 '18 17:10

@sarneeh https://github.com/ory/ladon is written in Go and is inspired by AWS IAM. You can write a standalone authorization server on top of it and have your Node.js app communicate with it to ask for authorization.

iNDicat0r, Oct 11 '18 01:10

This library doesn't implement ABAC. It gives a simplified version of managing roles. Can you define an attribute check in the library? You can't. See #8 and #12.

ABAC means that you need to properly validate attributes that do or do not have certain values. Here's, for example, a library that supports a proper ABAC approach: https://github.com/YLuchaninov/PolicyLine#differences-from-other-libraries. Wiki page for reference.

serhiisol, Dec 20 '18 08:12

In my app, I have defined that users are like roles that are prefixed with "u-" in their name. So you can have a user u-admin that inherits from the role admin. It's not perfect, but it works fine. Updating the library to handle roles and users would be great. For access to a specific resource, you need to give an "own" grant on the resource and store in your database which resources of this type the user has access to. In my case I use a table with the fields resource_type and resource_pkey. So I can search for all resources of type foo that the user has access to.

By doing this, you are clearly out of the scope of this library in its current version, and it involves some development on your part, but I haven't found a better solution, except to use a big authorization solution like Keycloak.

scandinave, Jan 09 '19 14:01
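The pattern from the last comment, as an added example that is not part of the thread or of the accesscontrol library: "u-" user pseudo-roles that inherit from a real role, an "own" grant that is only honoured when a constructed resource_type/resource_pkey table lists that exact resource, and the "all resources of type foo the user can reach" query. The role table and the access table are constructed stand-ins for the library's grants and for the database table; the role and user names are made up.

```javascript
// Role grants. Users are pseudo-roles prefixed with "u-" that extend a real role.
// Constructed data, not the library's grant format.
const grants = {
  admin:  { video: ['read:any', 'update:any'] },
  member: { video: ['read:own'] },
  'u-alice': { extends: ['admin'] },   // alice is an admin
  'u-bob':   { extends: ['member'] },  // bob is a plain member
};

// Constructed stand-in for the DB table (resource_type, resource_pkey):
// which single resources a user may treat as "own".
const resourceAccess = [
  { user: 'u-bob', resource_type: 'video', resource_pkey: '42' },
  { user: 'u-bob', resource_type: 'video', resource_pkey: '43' },
];

// Flatten a role and everything it extends into "type:action:scope" strings.
function rolePermissions(role, seen = new Set()) {
  if (seen.has(role)) return new Set();   // guard against inheritance cycles
  seen.add(role);
  const entry = grants[role];
  if (!entry) return new Set();           // unknown role: deny by default
  const perms = new Set();
  for (const [resource, actions] of Object.entries(entry)) {
    if (resource === 'extends') continue;
    for (const a of actions) perms.add(`${resource}:${a}`);
  }
  for (const parent of entry.extends || []) {
    for (const p of rolePermissions(parent, seen)) perms.add(p);
  }
  return perms;
}

function hasResourceAccess(user, type, pkey) {
  return resourceAccess.some(r =>
    r.user === user && r.resource_type === type && r.resource_pkey === pkey);
}

// May `user` perform `action` on the one resource identified by (type, pkey)?
// ":any" covers every resource; ":own" needs a matching access-table row.
function can(user, action, type, pkey) {
  const perms = rolePermissions(user);
  if (perms.has(`${type}:${action}:any`)) return true;
  return perms.has(`${type}:${action}:own`) && hasResourceAccess(user, type, pkey);
}

// Primary keys of all resources of `type` the user may reach via an "own" grant.
function ownedResources(user, action, type) {
  if (!rolePermissions(user).has(`${type}:${action}:own`)) return [];
  return resourceAccess
    .filter(r => r.user === user && r.resource_type === type)
    .map(r => r.resource_pkey);
}
```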