We are currently designing a User Roles and Permissions System in our web application (ASP.NET), and it seems that we have several cases that do no fit within the classical Role-Based Access Control (RBAC). I will post several questions, each devoted to a particular case, this being the first post.

We have the following case: not to allow a user view a certain page if the user lives in a particular city. This is a simple case that is coded in the following way:

if (User.City == "Moscow")
{
    // Allow the user to view the page.
}
else
{
    // Do not allow the user to view this page.
}

Though this case is very simple and straightforward, it has nothing to do with the RBAC.

On StackOverflow, someone called this an Attribute-based Access Control.

Under the classical RBAC, it seems that this case should be designed like this: introduce a permission “City where the person lives”, this permission will have a property City. Then create a role, add a permission of type “City = Moscow” to it and the assign the role to the user. Looks extremely cumbersome.

The question is whether it is acceptable to introduce such non-RBAC approaches to our permissions system – does that break the design or not?

This might seem a primitive question, but we found that most applications use pure RBAC, and we started to think that we might be doing something wrong.

Thank you.

A: 

This would be a nice case for an attribute based access control. However, if you don't mind looking at a PHP implementation, Zend Framework has a role based access control that uses assertions to solve more special cases:

http://framework.zend.com/manual/en/zend.acl.advanced.html

A standard rule would allow a role to do an action on a resource. A fourth parameter allows the rule only to apply when some condition is met. In pseudocode:

allow(member, view, page) // standard
allow(member, view, page, userLivesInMoscow) // assertion used

The assertion is an object that is passed the user. It has a method that checks whether the assertion is met:

interface Assertion
{
    public function assert(): bool;
}

class UserLivesIn implements Assertion
{
    public function __construct(User $user, string $city) { ... }
    // implementation of assert method comes here
}

This is a way of implementing what you need.

koen
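The rule-plus-assertion idea from the answer above, carried over to the asker's C# environment as an added example (this is not code from the question, from Zend Framework, or from ASP.NET; the type names Acl, IAssertion, UserLivesIn and AppUser, and the role and resource strings, are assumptions). A rule is role + privilege + resource, optionally with an assertion object that is evaluated against the requesting user; the ACL is default deny, and an assertion that throws is treated as "not met" rather than as a grant.

```csharp
using System;
using System.Collections.Generic;

// Added example: RBAC rule table whose rules can carry an optional assertion.
// All names below are assumptions, not part of any framework.

public sealed class AppUser
{
    public string Name { get; }
    public string City { get; }
    public ISet<string> Roles { get; }

    public AppUser(string name, string city, params string[] roles)
    {
        Name = name;
        City = city;
        Roles = new HashSet<string>(roles);
    }
}

public interface IAssertion
{
    // True only when the extra condition holds for this user and request.
    bool Assert(AppUser user, string privilege, string resource);
}

// Attribute-style condition attached to an otherwise role-based rule.
public sealed class UserLivesIn : IAssertion
{
    private readonly string _city;

    public UserLivesIn(string city) { _city = city; }

    public bool Assert(AppUser user, string privilege, string resource)
        => string.Equals(user.City, _city, StringComparison.Ordinal);
}

public sealed class Acl
{
    private readonly List<(string Role, string Privilege, string Resource, IAssertion Assertion)> _rules = new();

    // allow(role, privilege, resource) with an optional fourth "assertion" parameter,
    // mirroring the shape of the pseudocode in the answer.
    public void Allow(string role, string privilege, string resource, IAssertion assertion = null)
        => _rules.Add((role, privilege, resource, assertion));

    // Default deny: access is granted only if some rule matches one of the user's
    // roles, the privilege and the resource, AND its assertion (if any) holds.
    public bool IsAllowed(AppUser user, string privilege, string resource)
    {
        foreach (var rule in _rules)
        {
            if (!user.Roles.Contains(rule.Role)) continue;
            if (rule.Privilege != privilege || rule.Resource != resource) continue;
            if (rule.Assertion == null) return true;

            try
            {
                if (rule.Assertion.Assert(user, privilege, resource)) return true;
            }
            catch (Exception)
            {
                // An assertion that cannot be evaluated must never grant access;
                // fall through and keep looking for another matching rule.
            }
        }
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        var acl = new Acl();
        acl.Allow("member", "view", "page");                                        // standard rule
        acl.Allow("member", "view", "moscow-page", new UserLivesIn("Moscow"));      // rule with assertion

        // Constructed sample users.
        var ivan = new AppUser("ivan", "Moscow", "member");
        var jane = new AppUser("jane", "London", "member");
        var guest = new AppUser("guest", "Moscow");   // lives in Moscow but holds no role

        Console.WriteLine(acl.IsAllowed(ivan, "view", "page"));         // role matches, no assertion
        Console.WriteLine(acl.IsAllowed(ivan, "view", "moscow-page"));  // role matches, assertion holds
        Console.WriteLine(acl.IsAllowed(jane, "view", "moscow-page"));  // role matches, assertion fails
        Console.WriteLine(acl.IsAllowed(guest, "view", "moscow-page")); // attribute alone is not enough
        Console.WriteLine(acl.IsAllowed(ivan, "edit", "page"));         // no rule for this privilege
    }
}
```

The role check still gates everything, so the city condition narrows an RBAC grant rather than replacing it; that keeps the existing role model intact and confines the "non-RBAC" part to a small, testable assertion class.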
uh... if you were working in a Linux, PHP environment and had a problem and someone suggested that perhaps it would be easier to solve in an ASP.Net/C#/Windows environment, what would your impression be?
Sky Sanders
@code poet I don't suggest solving it in another environment. I'm only pointing to an example solution in another environment that can be used as inspiration to port to the current environment. 'Looking at' != 'implementing with'.
koen
ok, point taken. note: no downvote. But the reality of the situation is that the ASP.Net membership/roles infrastructure does not lend itself to this type of extension, and consideration thereof would require redesign and reimplementation of the entire security infrastructure.
Sky Sanders