Login/Register
Entity-level access control in a hierarchical data scheme
Asked Answered
claims-based-identityaccess-controlrole-base-authorizationrole-basedrole-based-access-control
C

1

7

I have a requirement for entity-level authorization that's frankly over my head. I'm hoping to get some guidance on this permission structure, how I might implement it in .NET 4.5, and if there are ways I could improve it.

Here it goes:

I have a set of data structured as follows:

enter image description here

Where

  • a Fleet is a collection of zero or more Cars.
  • a Fleet can contain other Fleets

Fleets can be later reorganized and moved around for organizational purposes.

I have several roles with permissions in the system that pertain to these entities:

  • Owner: Can add or remove cars from the fleet
  • Manager: Assigns drivers to cars
  • Driver: is allowed to simply drive the car
  • Mechanic: is allowed to fix the car

The authorization logic allows for a User in the system to be granted access to either a Fleet or a Car with one or more roles.

Here are some scenarios to help explain:

  1. If I grant User Jim access to Fleet #5 with the role of Driver, he is allowed to drive any Car under fleet #2. The resulting permissions allow him to drive cars #4, 5, 6
  2. If I grant user Maura access to Car #1 as a Mechanic, the resulting permissions allow her to fix only car #1.
  3. If I grant user Sarah access to Fleet #2 with the roles Owner and Mechanic, she is allowed to add and remove cars to fleets #2, 4, 5 AND she is allowed to fix cars #1, 2, 3, 4, 5, 6.
  4. If I grant user Jeremy access to fleet #1 as an Owner AND to Fleet #6 as a Driver, the resulting permissions allow him to add and remove cars to all fleets AND drive cars #7, 8. He cannot drive any other car other than #7 and 8.

What is a good approach to this entity-level authorization?

If it matters, we're using .NET 4.5.1 with EF6 Code First, built on top of ASP.net Boilerplate.

Corfu answered 8/2, 2017 at 18:14 Comment(1)
I'm late to the game but this fine-grained authorization solution may help you: zanzibar.academyTadio
H
1

The fine-grained authorization you want to implement reminds me of Access Control Objects (ACOs - Something that is wanted) and Access Request Objects (AROs - Something that wants something) in CakePHP's Access Control List (ACL) description with some variations:

Here it is in a nutshell:

You have ACOs (Fleets and Cars) that will be requested by AROs (Owner, Manager, Driver, Mechanic). If you want to know if a requester has access to an object, you find the path to that object (Can John access "Car #3"?: find "Car #3"'s path from root: Fleet #1 > Fleet #2 > Car #3), then assign the default permission "Deny" to each node but switch it to "Allow" if that node is in the requester's allowed node list. If the last node ends up with "Allow" then, well... allow, else deny.

Understanding the logic first is key. Implementation in any language comes second.

I hope it points you in the right direction.

Cheers,

Hocuspocus answered 6/3, 2017 at 15:31 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.