Questions tagged [access-control]
The access-control tag has no summary.
72 questions
3 votes, 1 answer, 699 views
RBAC vs PBAC vs ACL
I’m trying to clarify the difference between Role-based Access Control, Policy-based Access Control, and Access Control List when designing an authorization system.
I have two scenarios:
Scenario A
I ...
-1 votes, 2 answers, 234 views
Efficient access control list for collections of objects returned by REST api
We have REST API endpoints that return collections of objects where users can perform different types of actions on those objects. We need to turn on/off different UI options based on that ...
-2 votes, 1 answer, 648 views
Storing a large number of user permissions [closed]
I am refactoring an old application which has about 200 user permissions.
Based on access permissions for the user, menu items for webpages will be Enabled or not.
Permissions are also checked on the ...
0 votes, 2 answers, 291 views
Implement authorization logic also in frontend or send authorization info along with the resource?
We have an ongoing argument in our team. Please help. Here is the problem:
In our SPA web app, let's say we have a resource which can be edited by only those users who belong to the team of the user ...
3 votes, 1 answer, 2k views
What's the difference between policy vs permission based access control?
I am a newbie at this stuff and while I was able to distinguish between role-based vs. policy-based authorization models, I can't seem to understand whether there is one between policy-based vs. ...
2 votes, 1 answer, 658 views
Should a Web Application File URL Have Public or Private Access
I am debating whether to give my files a public url or a limited private one.
I am hosting various files for a mobile/web application. These will include product images and videos. Currently only ...
0 votes, 1 answer, 87 views
Mimic leadership metrics for management users
I have role-based access control in my applications. I have a team leader application where a team leader with a valid role can view their team's performance metrics. Now my top management wants to get a ...
9 votes, 4 answers, 4k views
Should access control be implemented in controller or repository layer?
I've got a project with an HTTP API which returns data from a database. The layers it goes through to get to the API look like this:
DB -> Repository -> Controller
I'm looking to restrict the ...
1 vote, 0 answers, 90 views
How to model ACLs?
There are different kinds of ACLs I've generally implemented:
Does a user have access to a resource type (API)?
Does a user have access to a resource (Object)?
Does a resource have access to another ...
-1 votes, 1 answer, 578 views
Updating last resource access time when clients perform a GET
We have many clients which, upon start up, request a specific resource on the server using an HTTP API (not RESTful). This resource is, currently, identical for all clients.
Naturally, since the ...
2 votes, 2 answers, 3k views
How to efficiently pass permissions that control view and access of specific front-end elements from backend to the SPA using JWT
I would like to introduce permission-based access control in my Single Page Application (SPA) front-end which authenticates the user with token based authentication (JWT).
Permission Requirement:
...
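The two questions above, whether the SPA should carry authorization logic and how to pass permissions to it in a JWT, come down to one pattern: the token carries a `perms` claim the client may use to render its UI, while the API verifies the signature and then decides from its own permission store. This is an added example, not code from either question; the signing key, the `USER_PERMISSIONS` store and the `invoice:*` permission names are constructed for it, and the JWT handling uses only the standard library so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed signing key for this example; a deployment keeps it in a secret store.
SECRET = b"example-hs256-signing-key-do-not-reuse"

# Hypothetical server-side permission store: the authoritative source of truth.
USER_PERMISSIONS = {
    "alice": {"invoice:read", "invoice:approve"},
    "bob": {"invoice:read"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(username: str, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT whose 'perms' claim mirrors the server-side store.
    The claim lets the SPA show or hide controls without another round trip;
    it is a rendering hint, not an authorization decision."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": username,
        "iat": now,
        "exp": now + ttl_seconds,
        "perms": sorted(USER_PERMISSIONS.get(username, set())),
    }
    signing_input = _b64url(_compact(header)) + "." + _b64url(_compact(payload))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature and expiry check out, else None.
    The algorithm is pinned server-side: the header's 'alg' is compared
    against HS256, never used to choose a verifier (rules out 'alg: none')."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def ui_can(payload: dict, permission: str) -> bool:
    """The SPA side: a display decision only, read from the claim."""
    return permission in payload.get("perms", [])


def server_authorize(token: str, permission: str, now: Optional[int] = None) -> bool:
    """The API side: verify the token, then ask the authoritative store.
    The 'perms' claim is ignored on purpose: an edited token fails the
    signature, and a still-valid token issued before a permission was revoked
    cannot grant more than the store allows right now."""
    payload = verify_token(token, now=now)
    if payload is None:
        return False
    return permission in USER_PERMISSIONS.get(payload.get("sub"), set())


def tamper_perms(token: str, new_perms: List[str]) -> str:
    """Simulate a client rewriting its own claim without re-signing."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["perms"] = new_perms
    return header_b64 + "." + _b64url(_compact(payload)) + "." + sig_b64
```

Keep the claim small (permission names, not object lists) and short-lived; the UI only ever loses a button it should not have had, because the API re-checks every request against the store.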
3 votes, 2 answers, 519 views
Where to put domain knowledge for Authorization?
I hope this is the correct SE site for this kind of question.
My team is currently developing an application which IMO needs access control beyond RBAC. Users can have access rights to entities based ...
-1 votes, 3 answers, 451 views
restricting access to a public setter
My question is how I can achieve more encapsulation in TypeScript.
I have a class Item, with a public setter isOwned, but I only want to call this method in specific situations: if the item is picked ...
27 votes, 6 answers, 8k views
Is it ok to have validation layer before access control layer
I am creating an API structured web application and in this application we have different layers which are doing their own job.
First layer is Validation layer which validates user input and if it ...
2 votes, 1 answer, 732 views
Thinking about roles and permissions
I am creating a brand new Housing application which lets users rate or favourite houses. The following are users of the application:
Owner
Agent
Guest (not logged in)
Visitor (logged in)
Tenant
Now,...
4 votes, 2 answers, 149 views
Performance considerations with access control in a distributed system architecture
We're currently working on upgrading a small information system for an enterprise. Currently, the system has a corporate network zone (CORP) where services for internal users are placed, and a data ...
20 votes, 1 answer, 6k views
What is a suggested roadmap towards implementation of a simple Attribute-based access control (ABAC)?
When reading about ACL and RBAC I seem to understand it easily - there are either usernames or roles that are given access to an asset. I can also see how I could implement those.
i.e. this image ...
-1 votes, 2 answers, 199 views
Should I prepopulate resources and permissions in my system?
I am following the RBAC model in my system.
I want to know if I should prepopulate the resources and permissions table?
I have resources like contracts, contract_drafts, SLA (service level agreement)...
31 votes, 2 answers, 48k views
How to design role based access control?
I am trying to follow the role-based access control model to restrict what users can or cannot do in my system.
So far I have the following entities:
users - People who will use the system. Here I ...
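The entity model this question and the housing-application question above are both reaching for, as an added example that is not code from either question: users are assigned roles, roles hold (resource type, action) permissions, roles may inherit from other roles, and nothing is ever granted to a user directly. The role names are taken from the housing question; the grants, the inheritance chain and the user names are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (resource type, action), e.g. ("house", "rate")


class Rbac:
    """Users -> roles -> permissions, with optional role inheritance.
    Permissions never attach to users directly; that is the point of the model."""

    def __init__(self) -> None:
        self.role_permissions: Dict[str, Set[Permission]] = defaultdict(set)
        self.role_parents: Dict[str, Set[str]] = defaultdict(set)
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)

    def grant(self, role: str, resource_type: str, action: str) -> None:
        self.role_permissions[role].add((resource_type, action))

    def inherit(self, child: str, parent: str) -> None:
        """child gets everything parent has. Refuses cycles, which would
        otherwise make every role in the loop equivalent."""
        if child == parent or child in self.ancestors(parent):
            raise ValueError(f"role cycle: {child} -> {parent}")
        self.role_parents[child].add(parent)

    def ancestors(self, role: str) -> Set[str]:
        seen: Set[str] = set()
        stack = [role]
        while stack:
            for parent in self.role_parents.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def effective_roles(self, user: str) -> Set[str]:
        roles = set(self.user_roles.get(user, ()))
        for role in list(roles):
            roles |= self.ancestors(role)
        return roles

    def effective_permissions(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for role in self.effective_roles(user):
            perms |= self.role_permissions.get(role, set())
        return perms

    def can(self, user: str, action: str, resource_type: str) -> bool:
        """Default deny: an unknown user or an unknown role has nothing."""
        return (resource_type, action) in self.effective_permissions(user)


def build_housing_rbac() -> Rbac:
    """Roles from the housing question; the grants below are constructed."""
    rbac = Rbac()
    rbac.grant("guest", "house", "view")
    rbac.grant("visitor", "house", "rate")
    rbac.grant("visitor", "house", "favourite")
    rbac.grant("tenant", "lease", "view")
    rbac.grant("owner", "house", "create")
    rbac.grant("owner", "house", "edit")
    rbac.grant("agent", "house", "edit")
    rbac.grant("agent", "listing", "publish")
    # a logged-in visitor can do everything an anonymous guest can, and so on up
    for child, parent in [("visitor", "guest"), ("tenant", "visitor"),
                          ("owner", "visitor"), ("agent", "visitor")]:
        rbac.inherit(child, parent)
    # the unauthenticated principal is modelled explicitly rather than special-cased
    rbac.assign("anonymous", "guest")
    rbac.assign("vikram", "visitor")
    rbac.assign("tina", "tenant")
    rbac.assign("olga", "owner")
    rbac.assign("aria", "agent")
    return rbac
```

Mapped onto tables, `role_permissions`, `role_parents` and `user_roles` are the three join tables; the permission row is the (resource type, action) pair, so adding a new action to the system never touches the user table.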
1 vote, 2 answers, 352 views
Should an internal Software Documentation Wiki have private pages?
I'm working on the creation of software and product documentation in a wiki format. It will include the documentation for all the company products.
After some research, we decided to use the ...
0 votes, 2 answers, 111 views
Implementing a publicly-editable tree where each node must hold private implementation data
I am trying to implement a tree data structure that callers of my code edit for me to operate on. The idea is that the caller can hold a reference to nodes from the tree and modify their data (both ...
3 votes, 1 answer, 190 views
How to structure path-colliding REST webservices with role-access
I have a bunch of REST webservices that my client uses. For instance, to create a user, I have
POST /users
and to modify it
POST /users/{id}
The problem is, some fields, such as marketArea, are allowed ...
2 votes, 1 answer, 842 views
Centralize permission evaluation
I am looking for a viable design/architecture pattern for securing several web applications. Here is the situation:
Multiple web applications must enforce roles and permissions at Java service method ...
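The "controller or repository layer" question above and this one have the same answer in practice: put the decision in one component (a policy decision point) and enforce it at the service boundary, so that an HTTP controller, a batch job and anything else reaching the data all pass the same checkpoint while the repository stays policy-free. Added example, not code from either question: the `Order` model, the `order:*` permission names and the `enforce` decorator convention are constructed for it.

```python
import functools
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


class AuthorizationError(PermissionError):
    pass


@dataclass(frozen=True)
class Principal:
    name: str
    permissions: FrozenSet[str]  # e.g. {"order:read", "order:cancel", "order:any"}


@dataclass
class Order:
    id: int
    customer: str
    status: str = "open"


class PolicyDecisionPoint:
    """The one component that answers "may this principal do this to that?".
    Every service asks it, so a rule change lands in one place, and every
    decision is recorded for audit."""

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, int, bool]] = []

    def decide(self, principal: Principal, action: str, order: Order) -> bool:
        has_action = action in principal.permissions
        # object-level rule: only your own orders, unless you hold the cross-customer grant
        in_scope = principal.name == order.customer or "order:any" in principal.permissions
        allowed = has_action and in_scope
        self.audit.append((principal.name, action, order.id, allowed))
        return allowed


PDP = PolicyDecisionPoint()


def enforce(action: str):
    """Policy enforcement point for service methods (hypothetical convention).
    The decorated method is declared as (self, principal, order, ...) but called
    as (principal, order_id, ...): the wrapper loads the object through the
    service's repository, asks the PDP, and only then calls the method."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(self, principal: Principal, order_id: int, *args, **kwargs):
            order = self.repo.get(order_id)
            if order is None or not PDP.decide(principal, action, order):
                # one error for "missing" and "forbidden": no existence oracle
                raise AuthorizationError(f"{principal.name} may not {action} order {order_id}")
            return fn(self, principal, order, *args, **kwargs)
        return wrapper
    return decorator


class OrderRepository:
    """Plain data access with no policy in it; only the service reaches it."""

    def __init__(self, orders: List[Order]) -> None:
        self._orders: Dict[int, Order] = {o.id: o for o in orders}

    def get(self, order_id: int) -> Optional[Order]:
        return self._orders.get(order_id)

    def save(self, order: Order) -> None:
        self._orders[order.id] = order


class OrderService:
    def __init__(self, repo: OrderRepository) -> None:
        self.repo = repo

    @enforce("order:read")
    def get_order(self, principal: Principal, order: Order) -> Order:
        return order

    @enforce("order:cancel")
    def cancel_order(self, principal: Principal, order: Order) -> Order:
        order.status = "cancelled"
        self.repo.save(order)
        return order


def http_get_order(service: OrderService, principal: Principal,
                   order_id: int) -> Tuple[int, Optional[str]]:
    """A controller: maps the outcome to a status code and decides nothing itself."""
    try:
        return 200, service.get_order(principal, order_id).status
    except AuthorizationError:
        return 404, None


def nightly_cancel_job(service: OrderService, principal: Principal,
                       order_ids: List[int]) -> List[int]:
    """A second caller with no HTTP layer at all still passes the same checkpoint."""
    cancelled = []
    for order_id in order_ids:
        try:
            service.cancel_order(principal, order_id)
            cancelled.append(order_id)
        except AuthorizationError:
            continue
    return cancelled
```

Enforcing at the service rather than the controller is what makes the second caller safe; enforcing in the repository instead would make object-level rules awkward, because the repository is also what the check itself needs in order to load the object.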
1 vote, 1 answer, 219 views
REST API and user rights
I am developing an application using Angular and REST API and I'm facing a problem concerning user access rights.
The application runs this way:
A user signs up
The same user creates his organization
He ...
1 vote, 2 answers, 1k views
PHP MVC how to access current user?
What is the best way to tell if a user is already logged in when accessing the page? I have seen many people talk about a Recognition service that will validate a user trying to login, but what about ...