Questions tagged [rbac]

Role-Based Access Control (RBAC) is an access control model in which permissions are assigned to roles rather than to individual users; a principal gains access to a resource by being assigned to, and activating, a role that holds the required permission.

54 questions
5 votes, 2 answers

Microservices and RBAC using OIDC

I am currently working on migrating our users from an internal DB to an OIDC service (considering Cognito/Auth0/etc.), and I am trying to implement RBAC. Our backend is basically a bunch of microservices, and I am trying to understand how we can…
Tomer Amir · 171 · 7
4 votes, 5 answers

Can someone please explain RBAC to me?

From http://msdn.microsoft.com/en-us/library/jj709705.aspx In contrast to the DAC model, which is oriented around objects, the AzMan RBAC model attempts to orient the common administrative experience around user roles. Rather than assigning…
DanL4096 · 307 · 1 · 2 · 9
4 votes, 4 answers

How can a Subject only read and write to its owned objects?

It appears that in RBAC, a Subject creates a Session with an Active Role(s), these Roles are then used to determine what permissions and actions can be taken. This appears to be fine for most of our organization until you reach Subjects with the…
xenoterracide · 322 · 1 · 2 · 11
4 votes, 2 answers

How to design an Access Control system that is quick to implement and understand, yet maintainable and flexible enough?

We're currently redesigning our access control system for our SaaS startup (over the past two years it has grown alongside the business and we decided to clean it up at this point). The access control system should serve customers with 500 - 10,000…
Sarah · 41 · 1
4 votes, 1 answer

Handling User Permissions Between Front-end and Back-end

We are trying to come up with a permissions/security implementation on our MongoDB backend/Angular front-end environment that accomplishes what we need it to, without being over-bearing or too difficult to build-out/adjust in the future. And, to…
Muirik · 171 · 1 · 4
4 votes, 2 answers

Rights vs permissions vs privileges

I have to write a node module for handling role-based access control. Users are stored in database, there are user groups, and there are system assets or functionality that users and groups can be given or denied access to. I am considering the most…
Passiday · 155 · 1 · 4
3 votes, 3 answers

RBAC: how to separately scope two resources that have a many-to-many relationship

I'm working on an application that needs access control. Basically, the problem I'm facing is this (heavily simplified): The application has two main sections: Files = File[] Contacts = Contact[] A File resource can have many contacts assigned to…
idix · 133 · 2
3 votes, 0 answers

How can an organization manage permissions in a centralized way?

Almost all applications maintain the permissions within the application and have no way of having at least the roles outside the application. Is the only way to have centralized authentication but maintain the authorization inside the application or…
Forced Port · 251 · 1 · 9
3 votes, 2 answers

Separation of Duties using RBAC

I'm reading an article about Role based Access Control, in section 6 (Separation of Duties) I didn't understand this part: Separation of duty can be either static or dynamic. Compliance with static separation requirements can be determined…
Bilal · 133 · 1 · 6
3 votes, 3 answers

Implement RBAC for my application

I'm beginning to work on a new web app for which I require implementing Role-Based Access Control. I've identified three Roles for my application which will be Role 1, Role 2 and a Role 3. Each user will be in one of these groups or can be in…
3 votes, 1 answer

What are the security implications of having a dummy user account representing unauthenticated users?

In my web application, users are assigned to groups and groups are granted permissions on objects. The application exposes some objects to unauthenticated public users (i.e. people casually visiting the website). I have thought about having an…
jl6 · 625 · 4 · 9
2 votes, 2 answers

RBAC and assertions, which authorization flow is better?

I'd like to ask which authorization flow is considered better or standard. First approach (has role AND assertion is valid): if (!isGranted(roles, permission)) { return false; } if (hasAssertion(permission)) { return…
stil · 121 · 2
2 votes, 2 answers

Is using EXECUTE AS impersonation for user authentication in a web application a good idea?

I wrote a web application that is using AD authentication (Windows) and has its own authorization module (RBAC-like). Back-end is Microsoft SQL Server. A DBA on my team is not happy with us using a service account to talk to the database, he would…
NotADba · 21 · 1
2 votes, 0 answers

Web app access control system design

I am having trouble finding a scalable way to create an access control system which both follows best practices and can scale well. I have looked at various approaches like RBAC and ABAC. For the use cases I am concerned with, RBAC does not seem to…
2 votes, 1 answer

ABAC policy formulation and RBAC question

I am asked to answer a question that says: One online book-store wants to grant access to clients regarding their subscription. There are 3 types of subscriptions A, B and C. Customers get access in the subscription type they chose. Also if a book…