Collaborate Disseminate
We have an ASP.NET Core MVC web application that signs in users (assuming that this is the correct app type). It is pretty simple, users can sign-in via their Entra ID account. Within Entra ID they can be assigned app roles. Various contro… Continue reading Using ID token for role-base authorization in ASP.NET Core MVC
Given we use ABAC in portions of our security systems like the WAF to partially restrict traffic based on attributes like IP address/User Agent String. While they can be faked internally tagging can be restricted on cloud providers like AW… Continue reading Why has the adoption of ABAC been so slow?
I am trying to secure automatic infrastructure provisioning but I am having a hard time designing a proper access policy that would not create a single point of failure (I tried and failed about a year ago already).
How best to design a pe… Continue reading Permission model for automated infrastructure provisioning
An organisations has multiple service tiers. One of the services in a core tier exposes APIs to the tier above. The core tier services do RBAC, consequently an end customer token is required in order to access their APIs.
There are 2 cat… Continue reading RBAC for system to system access
I am not an infosec professional, but I’m working on a project that requires designing and implementing a permission system for a customer. The system the customer proposes is as follows:
Users are assigned to roles such as viewer, editor… Continue reading Is it a good idea to combine DAC with RBAC in this way?
I am trying to implement RBAC to a system but I endup creating an ACL instead due to my low understanding of this archtecture.
What I already have implemented:
Created User model.
Created Groups with different permissions from User model…. Continue reading Attempting to Implement RBAC from ACL
The SecurID Governance & Lifecycle Business Role Manager module ensures that the right people have access to the right resources. By defining roles, businesses can enhance their security, simplify onboarding, and ensure that the right users have ac… Continue reading Essentials of Role-Based Access Control
I am a developer who’s just starting to learn about authorization and authentication for web apps. I am bit unclear on the concept of managing access control to parts of the app, and where is the best place to have access control managed, … Continue reading Should access control be managed from inside application?
I wrote a web application that is using AD authentication (Windows) and has its own authorization module (RBAC-like). Back-end is Microsoft SQL Server.
A DBA on my team is not happy with us using a service account to talk to the database, … Continue reading Is using EXECUTE AS impersonation for user authentication in a web application a good idea?
I have a backend with a simple RBAC implementation. We have a list of permissions, each permission is associated with a list of roles, each user is given one or more roles.
Is it ok to send this permissions/roles mapping to the browser, so… Continue reading Is it ok to send roles and permissions data to the browser in a RBAC system?