I am studying various types of access control models and came across the fact that ABAC and RBAC are the popular ones.
I have a basic scenario for one of my projects and I couldn't understand whether I should go with RBAC or ABAC. Obviously RBAC is a subset of ABAC, so definitely I should go for ABAC, but ABAC requires some experience to write policies in XACML. We are using WSO2 IS and APIM.
I have admin, owner and member roles in my identity server (IS).
- Admin can view, delete and update users.
- Owners can view and update.
- Members can view only.
At the moment I am using HTTP verbs to achieve the desired results, i.e. owners cannot access DELETE requests and members can't access PUT & DELETE.
I have a dashboard where I am displaying different sections like top-users, billing, services, top-consumers etc.
I need to populate the nav-bar based on user role and attributes from the server, e.g. members should not have access to see other users (Add, List) in the nav-bar. nav-bar items depend on user role, so can we manage them via RBAC?
We have a plan to add roles like ops, marketing, support etc. Does this mean we need to create a separate db-schema to maintain access rights for each role?
In the dashboard I need to hide/show view, update and delete buttons in users, services etc. Now members can see users but have no permission to update or delete them. They cannot view stats, billing and other private information.
Owners can see all users related to their departments/organization but Admin can see all the users for all departments/organizations. Here we need to consume the same API for all consumers but the API should respond differently for different roles. Roles can be 10s and 100s so we cannot create different APIs for each role.
Question
We can implement all these scenarios via RBAC but for managing the nav-bar and view related implementation we need to add business logic in our server instead of using WSO2-IS and WSO2-APIM. Is there any way to manage view permissions like hide/show buttons and sections and even consume the same API but have it return different results for different api-consumers?
Best answer
First of all, apologies for the late response. Here are my inline comments.
ACL, RBAC, ABAC
I am studying various types of access control models and came across the fact that ABAC and RBAC are the popular ones.
I have a basic scenario for one of my projects and I couldn't understand whether I should go with RBAC or ABAC. Obviously RBAC is a subset of ABAC, so definitely I should go for ABAC, but ABAC requires some experience to write policies in XACML. We are using WSO2 IS and APIM.
I have admin, owner and member roles in my identity server (IS).
- Admin can view, delete and update users.
- Owners can view and update.
- Members can view only.
At the moment I am using HTTP verbs to achieve the desired results, i.e. owners cannot access DELETE requests and members can't access PUT & DELETE.
I have a dashboard where I am displaying different sections like top-users, billing, services, top-consumers etc.
I need to populate the nav-bar based on user role and attributes from the server, e.g. members should not have access to see other users (Add, List) in the nav-bar. nav-bar items depend on user role, so can we manage them via RBAC?
We have a plan to add roles like ops, marketing, support etc. Does this mean we need to create a separate db-schema to maintain access rights for each role?
In the dashboard I need to hide/show view, update and delete buttons in users, services etc. Now members can see users but have no permission to update or delete them. They cannot view stats, billing and other private information.
Owners can see all users related to their departments/organization but Admin can see all the users for all departments/organizations. Here we need to consume the same API for all consumers but the API should respond differently for different roles. Roles can be 10s and 100s so we cannot create different APIs for each role.
Question
We can implement all these scenarios via RBAC but for managing the nav-bar and view related implementation we need to add business logic in our server instead of using WSO2-IS and WSO2-APIM. Is there any way to manage view permissions like hide/show buttons and sections and even consume the same API but have it return different results for different api-consumers?
namespace haris {
    /**
     * User Records
     */
    policyset users {
        target clause axiomatics.objectType == "user record"
        apply firstApplicable
        /**
         * View user record
         */
        policy viewUser {
            target clause axiomatics.actionId == "view" // This can be the HTTP verb
            apply firstApplicable
            /**
             * Administrators can view all users
             */
            rule administrator {
                target clause axiomatics.user.role == "administrator"
                permit
            }
            /**
             * Owners can view users in their department
             */
            rule owners {
                target clause axiomatics.user.role == "owner"
                permit
                condition axiomatics.user.department == axiomatics.record.department
            }
            /**
             * Members can view their own user record only
             */
            rule member {
                permit
                condition axiomatics.user.username == axiomatics.record.owner
            }
        }
        /**
         * Update user
         */
        policy updateUser {
            target clause axiomatics.actionId == "update" // This can be the HTTP verb
            apply firstApplicable
            /**
             * Administrator can update any user
             */
            rule administrator {
                target clause axiomatics.user.role == "administrator"
                permit
            }
            /**
             * Owner can update any user
             */
            rule owner {
                target clause axiomatics.user.role == "owner"
                permit
                // TODO: determine what an owner can update
            }
        }
        /**
         * Delete user
         */
        policy deleteUser {
            target clause axiomatics.actionId == "delete" // This can be the HTTP verb
            apply firstApplicable
            /**
             * Administrator can delete any user
             */
            rule administrator {
                target clause axiomatics.user.role == "administrator"
                permit
            }
        }
    }
}
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<!-- Any modification to this file will be lost upon recompilation of the source ALFA file -->
<xacml3:PolicySet
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    PolicySetId="http://axiomatics.com/alfa/identifier/haris.users"
    Version="1.0"
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>User Records</xacml3:Description>
  <xacml3:PolicySetDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicySetDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user record</xacml3:AttributeValue>
          <xacml3:AttributeDesignator
              AttributeId="axiomatics.objectType"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="false" />
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Policy
      PolicyId="http://axiomatics.com/alfa/identifier/haris.users.viewUser"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
      Version="1.0">
    <xacml3:Description>View user record</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="axiomatics.actionId"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false" />
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule Effect="Permit" RuleId="haris.users.viewUser.administrator">
      <xacml3:Description>Administrators can view all users</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</xacml3:AttributeValue>
              <xacml3:AttributeDesignator
                  AttributeId="axiomatics.user.role"
                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  MustBePresent="false" />
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
    </xacml3:Rule>
    <xacml3:Rule Effect="Permit" RuleId="haris.users.viewUser.owners">
      <xacml3:Description>Owners can view users in their department</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">owner</xacml3:AttributeValue>
              <xacml3:AttributeDesignator
                  AttributeId="axiomatics.user.role"
                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  MustBePresent="false" />
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
      <xacml3:Condition>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
          <xacml3:AttributeDesignator
              AttributeId="axiomatics.user.department"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="false" />
          <xacml3:AttributeDesignator
              AttributeId="axiomatics.record.department"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="false" />
        </xacml3:Apply>
      </xacml3:Condition>
    </xacml3:Rule>
    <xacml3:Rule Effect="Permit" RuleId="haris.users.viewUser.member">
      <xacml3:Description>Members can view their own user record only</xacml3:Description>
      <xacml3:Target />
      <xacml3:Condition>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
          <xacml3:AttributeDesignator
              AttributeId="axiomatics.user.username"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="false" />
          <xacml3:AttributeDesignator
              AttributeId="axiomatics.record.owner"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="false" />
        </xacml3:Apply>
      </xacml3:Condition>
    </xacml3:Rule>
  </xacml3:Policy>
  <xacml3:Policy
      PolicyId="http://axiomatics.com/alfa/identifier/haris.users.updateUser"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
      Version="1.0">
    <xacml3:Description>Update user</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="axiomatics.actionId"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false" />
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule Effect="Permit" RuleId="haris.users.updateUser.administrator">
      <xacml3:Description>Administrator can update any user</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</xacml3:AttributeValue>
              <xacml3:AttributeDesignator
                  AttributeId="axiomatics.user.role"
                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  MustBePresent="false" />
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
    </xacml3:Rule>
    <xacml3:Rule Effect="Permit" RuleId="haris.users.updateUser.owner">
      <xacml3:Description>Owner can update any user</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">owner</xacml3:AttributeValue>
              <xacml3:AttributeDesignator
                  AttributeId="axiomatics.user.role"
                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  MustBePresent="false" />
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
    </xacml3:Rule>
  </xacml3:Policy>
  <xacml3:Policy
      PolicyId="http://axiomatics.com/alfa/identifier/haris.users.deleteUser"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
      Version="1.0">
    <xacml3:Description>Delete user</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="axiomatics.actionId"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false" />
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule Effect="Permit" RuleId="haris.users.deleteUser.administrator">
      <xacml3:Description>Administrator can delete any user</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</xacml3:AttributeValue>
              <xacml3:AttributeDesignator
                  AttributeId="axiomatics.user.role"
                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  MustBePresent="false" />
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
    </xacml3:Rule>
  </xacml3:Policy>
</xacml3:PolicySet>
How will I return different data for a single API but for different roles/users?
/api/profiles/{profileID}
You can consume the API in 2 ways:
Do I need to involve business logic in my server like getting nav-bar items, getting api-usage stats, full data access for admins and organization/department for owners and restricted data for members? How do I perform these basic operations?
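To make the ALFA policy set and the "same API, different data per caller" question concrete, here is an added Python example (not the answer's code, not an Axiomatics product, and not a WSO2 component). It is a toy PDP that encodes the three policies above rule for rule with first-applicable combining, and a PEP-side helper that serves one /api/profiles style listing by asking the PDP once per record and keeping only the Permit results. The attribute ids are the ones from the ALFA source; the users, records and helper names (decide, visible_records) are constructed for this demonstration.

```python
"""Toy XACML-style PDP for the haris.users policy set above (added example; not the
answer's code and not an Axiomatics product). It encodes the three ALFA policies with
first-applicable combining, then shows one /api/profiles endpoint returning different
record sets per caller by asking the PDP once per record. Attribute ids are the ALFA
ones; the users, records and helper names are constructed for this demo."""

from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, str]
Predicate = Callable[[Attrs], bool]
Rule = Tuple[Optional[Predicate], Optional[Predicate], str]  # (target, condition, effect)
Policy = Tuple[Predicate, List[Rule]]                          # (target, rules)

PERMIT, NOT_APPLICABLE = "Permit", "NotApplicable"

def role_is(role: str) -> Predicate:
    return lambda a: a.get("axiomatics.user.role") == role

def action_is(action: str) -> Predicate:
    return lambda a: a.get("axiomatics.actionId") == action

def same(attr_a: str, attr_b: str) -> Predicate:
    # any-of-any(string-equal, bagA, bagB): an absent attribute (MustBePresent="false")
    # is an empty bag, so the comparison is simply false, never an error.
    return lambda a: attr_a in a and attr_b in a and a[attr_a] == a[attr_b]

def first_applicable(decisions) -> str:
    # first-applicable combining: the first decision that is not NotApplicable wins
    for decision in decisions:
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

def evaluate_rule(rule: Rule, attrs: Attrs) -> str:
    target, condition, effect = rule
    if target is not None and not target(attrs):      # None models an empty <Target/>
        return NOT_APPLICABLE
    if condition is not None and not condition(attrs):
        return NOT_APPLICABLE                          # false Condition -> NotApplicable
    return effect

def evaluate_policy(policy: Policy, attrs: Attrs) -> str:
    target, rules = policy
    if not target(attrs):
        return NOT_APPLICABLE
    return first_applicable(evaluate_rule(r, attrs) for r in rules)

def evaluate_policyset(policies: List[Policy], attrs: Attrs) -> str:
    if attrs.get("axiomatics.objectType") != "user record":  # the policyset target
        return NOT_APPLICABLE
    return first_applicable(evaluate_policy(p, attrs) for p in policies)

# The haris.users policy set, rule for rule.
USERS_POLICYSET: List[Policy] = [
    (action_is("view"), [
        (role_is("administrator"), None, PERMIT),
        (role_is("owner"), same("axiomatics.user.department", "axiomatics.record.department"), PERMIT),
        (None, same("axiomatics.user.username", "axiomatics.record.owner"), PERMIT),  # any role
    ]),
    (action_is("update"), [
        (role_is("administrator"), None, PERMIT),
        (role_is("owner"), None, PERMIT),   # the ALFA TODO: no department scope yet
    ]),
    (action_is("delete"), [
        (role_is("administrator"), None, PERMIT),
    ]),
]

def decide(user: dict, action: str, record: dict) -> str:
    """PEP side: build the attributes for one (user, action, record) and ask the PDP."""
    attrs = {
        "axiomatics.objectType": "user record",
        "axiomatics.actionId": action,
        "axiomatics.user.role": user["role"],
        "axiomatics.user.username": user["username"],
        "axiomatics.record.owner": record["owner"],
    }
    if "department" in user:
        attrs["axiomatics.user.department"] = user["department"]
    if "department" in record:
        attrs["axiomatics.record.department"] = record["department"]
    return evaluate_policyset(USERS_POLICYSET, attrs)

def visible_records(user: dict, records: List[dict], action: str = "view") -> List[dict]:
    """One endpoint, different results per caller: keep only records the PDP permits.
    Anything other than Permit (including NotApplicable) is treated as deny."""
    return [r for r in records if decide(user, action, r) == PERMIT]

# Constructed sample data.
RECORDS = [{"owner": "alice", "department": "sales"},
           {"owner": "bob", "department": "sales"},
           {"owner": "carol", "department": "ops"}]
ADMIN = {"username": "root", "role": "administrator"}
OWNER = {"username": "alice", "role": "owner", "department": "sales"}
MEMBER = {"username": "bob", "role": "member", "department": "sales"}

if __name__ == "__main__":
    for who in (ADMIN, OWNER, MEMBER):
        print(who["role"], [r["owner"] for r in visible_records(who, RECORDS)])
    print("owner updating an ops record:", decide(OWNER, "update", RECORDS[2]))
```

Running it shows the filtering the question asks for: the administrator lists all three records, the owner only the sales ones, the member only their own. It also surfaces two properties of the policy as written that are worth deciding on deliberately: the member rule has no role target, so a user with any role (an "ops" user, say) can view their own record, and the owner update rule carries the TODO from the ALFA source, so an owner is currently permitted to update records outside their own department. Per-record PDP calls like this are fine for small result sets; for large ones the usual pattern is to ask the PDP for the constraint once and push it into the query as a filter.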