
I have a website that has certain menu items that need to be hidden from end users.

The website has PHP in the front-end and Java and Spring in the back-end, deployed on Linux in a VM infrastructure, although the full technology stack isn't fully understood, as it's a legacy system and not fully documented.

I need to secure the site and functions based on access controls - users mapped to groups and groups having access to different menu items (functions). I also have to provide an interface for admins to change the functions-to-group mapping. I also require fine control over the level of different read/write method access.

I understand I need ACL. What is best practice design for such a requirement?

Options and questions:

  • DB - negative issues would be: old style and creating my own identity management function with all its drawbacks and complexities.
  • LDAP - negative issues: again my own identity management system, though probably simpler than DB; but I'm not sure how function-level mapping to groups works. Do LDAP providers provide mapping of groups to particular functions (i.e. given a menu item "accounts", I only want Finance to be able to see the accounts menu)?
  • OpenAM and similar solutions externalizing Identity Management - can that work? I've been reading about this - authentication I understand, but authorization to a fine-grained level I don't. It seems like you need an LDAP product configured as a data source, so what does OpenAM provide over option 2 above, because it would be the same? With OpenAM it looks like I configure an identity service but I get to secure at container level - so web server and app server - but it gives its own login page. I assume it's possible to configure that to access stylesheets so that it integrates with the current login page - but has anyone done that on any of these types of products, to be sure it's possible? Also, does this meet my ACL requirements? Is this the best design, and how much more complicated is it to set up compared to LDAP and app configurations?

Further questions:

  • Is the LDAP solution best advised?
  • Do you have any suggestions on open source products for Apache LDAP? Are any good/easily managed? Are any interfaces possible for manipulation of functions to groups? Does LDAP allow mapping to a fine-grained level of functions/methods to groups, or is that something that is done in the application? This part in particular is confusing. If anyone can offer a good resource on this, that would be good.
schroeder
bliss

2 Answers


You need externalized authorization, e.g. claims-based authorization (Microsoft-specific) or, more broadly, attribute-based access control (ABAC).

ABAC was recently defined by NIST, and you can download their report here.

In your questions you point to LDAP and groups. You then explain you need to associate functions to groups / roles. LDAP, roles, and groups represent your attributes. They could also come from other sources (e.g. a database). What you're missing is the authorization logic: the mapping between groups and functions.

In ABAC, that logic is expressed as authorization policies. OASIS has a standard for that called XACML, the eXtensible Access Control Markup Language. In XACML, you'll use attributes to define which access is to be allowed or denied.

For instance:

A user with the role manager and in the group finance can view the finance menu.

You can read more on XACML here and here.

David Brossard
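The rule the answer quotes ("role manager and group finance can view the finance menu"), as an added Python example that is not part of the answer and is not XACML or any XACML product. It models the structure the answer describes: Permit/Deny rules whose targets are predicates over subject, resource and action attributes, combined with deny-overrides and a default of NotApplicable that the enforcement point treats as Deny. It goes beyond the single rule in the text by adding a Deny rule, the question's accounts-menu case and a read/write split on the same function. Attribute names, roles, groups and menu items are assumptions chosen to fit the question.

```python
"""Minimal attribute-based access control (ABAC) policy decision point.

Added example, not code from the answer above or from any XACML product.
Attribute names, groups and menu items are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    subject: Dict    # e.g. {"uid": "alice", "role": "manager", "groups": {"finance"}}
    resource: Dict   # e.g. {"type": "menu", "id": "finance"}
    action: str      # e.g. "view" or "edit"


@dataclass
class Rule:
    name: str
    effect: str                          # PERMIT or DENY
    target: Callable[[Request], bool]    # predicate over the request's attributes


def menu(req: Request, item: str, action: str) -> bool:
    """Does the request concern `action` on menu item `item`?"""
    return (req.resource.get("type") == "menu"
            and req.resource.get("id") == item
            and req.action == action)


# The policy. Roles and groups are attributes fetched from LDAP or a DB;
# the policy is where the group-to-function mapping lives.
POLICY: List[Rule] = [
    Rule("suspended-users-get-nothing", DENY,
         lambda r: bool(r.subject.get("suspended"))),
    Rule("everyone-sees-home", PERMIT,
         lambda r: menu(r, "home", "view")),
    # The answer's example: role manager AND group finance -> view finance menu
    Rule("finance-menu-for-finance-managers", PERMIT,
         lambda r: menu(r, "finance", "view")
         and r.subject.get("role") == "manager"
         and "finance" in r.subject.get("groups", ())),
    # The question's example: only the Finance group sees the accounts menu
    Rule("accounts-menu-for-finance-group", PERMIT,
         lambda r: menu(r, "accounts", "view")
         and "finance" in r.subject.get("groups", ())),
    # Read/write split on the same function: editing also needs the manager role
    Rule("accounts-edit-for-finance-managers", PERMIT,
         lambda r: menu(r, "accounts", "edit")
         and r.subject.get("role") == "manager"
         and "finance" in r.subject.get("groups", ())),
    Rule("admin-menu-for-admins", PERMIT,
         lambda r: menu(r, "admin", "view") and r.subject.get("role") == "admin"),
]


def decide(policy: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any applicable Deny wins; otherwise Permit
    if any rule permits; otherwise NotApplicable."""
    permitted = False
    for rule in policy:
        if rule.target(req):
            if rule.effect == DENY:
                return DENY
            permitted = True
    return PERMIT if permitted else NOT_APPLICABLE


def is_allowed(policy: List[Rule], req: Request) -> bool:
    """Enforcement-point view: only an explicit Permit grants access."""
    return decide(policy, req) == PERMIT


MENU_ITEMS = ["home", "accounts", "finance", "admin"]


def visible_menu(policy: List[Rule], subject: Dict) -> List[str]:
    """Filter the menu through the PDP. The same check must guard the
    back-end handler too: hiding a link is not access control."""
    return [item for item in MENU_ITEMS
            if is_allowed(policy, Request(subject, {"type": "menu", "id": item}, "view"))]


if __name__ == "__main__":
    alice = {"uid": "alice", "role": "manager", "groups": {"finance"}}
    print(visible_menu(POLICY, alice))
    print(decide(POLICY, Request(alice, {"type": "menu", "id": "accounts"}, "edit")))
```

The admin interface the question asks for then edits `POLICY` (or its persisted equivalent) rather than application code, and the PHP front-end and the Spring back-end both ask the same decision point, so the menu and the method it leads to cannot disagree.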

I wouldn't categorise this under Identity Management; this is an access management question. Externalising your access management solution is definitely advisable, and I'm not aware of any solution which doesn't use LDAP as a store.

Fine-grained access control defines access to elements displayed within the same page or URL. For example, a URL with query-string parameters can be 'access-managed' with a product which supports fine-grained access control, unlike coarse-grained access control solutions, which only support this at the page level (i.e. an HTML, JSP or PHP page), ignoring the query-string parameters or other buttons and links within the page.

One solution (assuming the access management solution doesn't provide fine-grained access control - many don't) is to combine the access management product and your custom code to implement fine-grained access control. Define custom groups/attributes in the access management product. These custom definitions must have traverse, read and write access defined, e.g. as TRW. So, for example, some buttons/links are displayed only for admins on the same HTTP URL. Also define the same values in your custom database (if necessary) to map them to the user's permissions/type AND their custom groups.

When users log in to your website, pass the user's access rights as HTTP headers to the website. Read these headers, parse these values, and then, based on the user type and permissions, display the buttons/links for a user. For example, if a header contains R as an attribute and the user type is not an admin, then do not display the buttons that meet the R criteria but not the manager criteria - this can be looked up in your database.

The solution above is irrelevant if you manage to obtain an access management solution which supports fine-grained access control, but if costs are an issue, the above solution ought to be simple to implement.

dozer
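The header-passing scheme described in the answer, as an added Python example that is not the answer's own code and not any particular access-management product's API. The header names X-Remote-User, X-User-Type, X-Access-Rights and X-Gateway-Sig, the TRW encoding "accounts=TRW;reports=R", the shared key and the button table are all assumptions. One check the answer does not spell out: the application must accept these headers only when it can tell they were set by the gateway, since a client that reaches the application directly can otherwise supply them itself; here that is done with an HMAC the gateway computes over the forwarded values with a key shared with the application.

```python
"""Reading access rights forwarded as HTTP headers by an access-management
gateway. Added example, not from the answer above. All header names, the
TRW encoding, the key and the button table are assumptions.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

GATEWAY_KEY = b"shared-secret-known-to-gateway-and-app"   # assumed; would come from config
VALID_ACCESS = {"T", "R", "W"}                            # traverse, read, write


def sign(user: str, user_type: str, rights: str, key: bytes = GATEWAY_KEY) -> str:
    """What the gateway computes over the headers it forwards."""
    msg = "\n".join((user, user_type, rights)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def parse_rights(raw: str) -> Dict[str, Set[str]]:
    """'accounts=TRW;reports=R' -> {'accounts': {'T','R','W'}, 'reports': {'R'}}.
    Rejects anything outside the TRW alphabet rather than guessing."""
    rights: Dict[str, Set[str]] = {}
    for entry in filter(None, (e.strip() for e in raw.split(";"))):
        func, _, access = entry.partition("=")
        letters = set(access.upper())
        if not func or not letters or not letters <= VALID_ACCESS:
            raise ValueError(f"malformed access right: {entry!r}")
        rights[func.strip().lower()] = letters
    return rights


def authenticated_rights(headers: Dict[str, str],
                         key: bytes = GATEWAY_KEY
                         ) -> Optional[Tuple[str, str, Dict[str, Set[str]]]]:
    """Return (user, user_type, rights) only if the gateway signature
    verifies; otherwise None, so forged or missing headers grant nothing."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        user, utype, raw, sig = (h["x-remote-user"], h["x-user-type"],
                                 h["x-access-rights"], h["x-gateway-sig"])
    except KeyError:
        return None
    if not hmac.compare_digest(sign(user, utype, raw, key).encode(), sig.encode()):
        return None
    return user, utype, parse_rights(raw)


def can(rights: Dict[str, Set[str]], function: str, access: str) -> bool:
    """Does the user hold `access` (T, R or W) on `function`?"""
    return access in rights.get(function, set())


# Constructed UI table: (label, function, required access, admin only)
BUTTONS = [
    ("View accounts", "accounts", "R", False),
    ("Edit account", "accounts", "W", False),
    ("Delete account", "accounts", "W", True),
    ("Run report", "reports", "R", False),
]


def buttons_for(user_type: str, rights: Dict[str, Set[str]]) -> List[str]:
    """Labels to render for this user: the button's function/access must be
    held, and admin-only buttons also need the admin user type."""
    return [label for label, func, access, admin_only in BUTTONS
            if can(rights, func, access) and (not admin_only or user_type == "admin")]


if __name__ == "__main__":
    raw = "accounts=TRW;reports=R"
    hdrs = {"X-Remote-User": "alice", "X-User-Type": "manager",
            "X-Access-Rights": raw, "X-Gateway-Sig": sign("alice", "manager", raw)}
    result = authenticated_rights(hdrs)
    print(result)
    if result:
        print(buttons_for(result[1], result[2]))
```

The same `can()` check belongs in front of the back-end handler that each button calls, not only in the code that decides whether to draw the button; otherwise a user who knows the URL can skip the menu entirely.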