Best Role-Based Access Control (RBAC) database model

Question

What is the best database schema to track role-based access controls for a web application?

I am using Rails, but the RBAC plugin linked by Google looks unmaintained (only 300 commits to SVN; latest was almost a year ago).

The concept is simple enough to implement from scratch, yet complex and important enough that it's worth getting right.

So how do others architect and implement their RBAC model?

Answer 1

You can use Restful ACL Rails plugin.

Answer 2

For .net applications you should look at something like Visual Guard http://www.visual-guard.com/ to avoid having to handle permissions and roles from scratch.

Also for .net, you have the membership and role providers and authorisation handled with configuration. http://www.odetocode.com/Articles/427.aspx

Answer 3

Role Requirement works with Restful Authentication very well to provide role-based auth functions and is well-maintained.

Answer 4

To my rather basic knowledge in that area, the basic actors of an RBAC are:

• Resources.
• Permissions.
• Users.
• Roles (i.e. Groups).

Resources <- require -> (one or many) Permissions.

Roles <- are collections of -> (one or many) Permissions.

Users <- can have -> (one or many) Roles.

The tables for such a model would be:

• permission
• role
• user
• role_permission
• user_role

Now you might want to include resources here as well if you want users of your application to be able to configure which permissions a resource need. But I never needed that. Hope that helps.

Answer 5

I happen to be working on the RBAC sub-system here at work at them moment... what a coincidence.

My model is based on the building blocks of the different entities in the system that require permissions, be they attributes to view/update or actions to perform. There are also, of course, different roles in the system (which can be given to users), and the glue that holds the whole thing together is the access rule, which connects a specific role, a specific permission-needing entity and the permission granted. An access rule might look like these:

rule 14: guest role + page name + read permission
rule 46: approver role + add column + execute permission

and so on. I'll leave the ERD as an exercise to the reader ;-) if you have questions, leave a comment.

Yuval =8-)

Answer 6

I really like this blog post, http://pivotallabs.com/users/nick/blog/articles/272-access-control-permissions-in-rails

Answer 7

I think the answer to your question goes as deep as you wish to go. If you happen to think about putting roles into groups and then associating groups with users wouldn't be enough. Eventually you'll need to give specific permissions to a user on a specific object (a forum, a video etc).

I'm more close to Yuval's answer, all we need is to associate project-wide objects + actions + users. To provide this; a base object (Entity) makes perfect sense. Any object inheriting from Entity can be easily associated with a user + action this way.

As you also wish to keep things simple; my suggestion would be;

• Any object due to rbac restrictions should derive from a base Entity.
• There should be a list of roles, which are one-to-one related with an Entity.
• There should be a list of relations between users and roles.

To take things one step further, I would also reccomend the following (for an automated rbac)

• I use service-based access to my objects. That is; I create respositories of objects (which do the db-access for me) and I access repositories via service functions.
• I use a custom attribute at the beginning of every service function. This defines the required role to access that function.
• I use the User parameter to access to all my service functions, and each service function does a role check before executing itself. Reflection helps me to understand which function I call, and what kind of role it has (via custom attributes)
• I also run an initializer on my application startup, and it checks for all the functions (and their attributes) and sees if I added a new required role. If there's a role I just added and doesn't appear to be on the db, it creates it on db.

But alas, that's just available for .NET, as far as I know Java doesn't have custom attributes so that's not yet likely to be available for Java.

I'd like to come up with some code examples but I'm too lazy to do that. Still if you have questions about my way of rbac; you can ask here and I'll surely reply.