Collaborate Disseminate
Given we use ABAC in portions of our security systems like the WAF to partially restrict traffic based on attributes like IP address/User Agent String. While they can be faked internally tagging can be restricted on cloud providers like AW… Continue reading Why has the adoption of ABAC been so slow?
I am trying to secure automatic infrastructure provisioning but I am having a hard time designing a proper access policy that would not create a single point of failure (I tried and failed about a year ago already).
How best to design a pe… Continue reading Permission model for automated infrastructure provisioning
An organisations has multiple service tiers. One of the services in a core tier exposes APIs to the tier above. The core tier services do RBAC, consequently an end customer token is required in order to access their APIs.
There are 2 cat… Continue reading RBAC for system to system access
I am not an infosec professional, but I’m working on a project that requires designing and implementing a permission system for a customer. The system the customer proposes is as follows:
Users are assigned to roles such as viewer, editor… Continue reading Is it a good idea to combine DAC with RBAC in this way?
I am trying to implement RBAC to a system but I endup creating an ACL instead due to my low understanding of this archtecture.
What I already have implemented:
Created User model.
Created Groups with different permissions from User model…. Continue reading Attempting to Implement RBAC from ACL
The SecurID Governance & Lifecycle Business Role Manager module ensures that the right people have access to the right resources. By defining roles, businesses can enhance their security, simplify onboarding, and ensure that the right users have ac… Continue reading Essentials of Role-Based Access Control
I am a developer who’s just starting to learn about authorization and authentication for web apps. I am bit unclear on the concept of managing access control to parts of the app, and where is the best place to have access control managed, … Continue reading Should access control be managed from inside application?
I wrote a web application that is using AD authentication (Windows) and has its own authorization module (RBAC-like). Back-end is Microsoft SQL Server.
A DBA on my team is not happy with us using a service account to talk to the database, … Continue reading Is using EXECUTE AS impersonation for user authentication in a web application a good idea?
I have a backend with a simple RBAC implementation. We have a list of permissions, each permission is associated with a list of roles, each user is given one or more roles.
Is it ok to send this permissions/roles mapping to the browser, so… Continue reading Is it ok to send roles and permissions data to the browser in a RBAC system?
When implementing an authorization system like RBAC/DAC, or XACML, or the AWS IAM authorization model, I see that I can’t totally decouple business logic from authorization when there are fine-grained business restrictions.
We don’t use OR… Continue reading How to implement MySQL query fo RBAC authorization with fine grained business restrictions in role?