Role Based Access Control is a method of access controls where principals get access to resources through membership of permitted roles.
Questions tagged [rbac]
54 questions
5 votes, 2 answers
Microservices and RBAC using OIDC
I am currently working on migrating our users from an internal DB to an OIDC service (considering Cognito/Auth0/etc.), and I am trying to implement RBAC.
Our backend is basically a bunch of microservices, and I am trying to understand how we can…
Asked by Tomer Amir
4 votes, 5 answers
Can someone please explain RBAC to me?
From http://msdn.microsoft.com/en-us/library/jj709705.aspx
In contrast to the DAC model, which is oriented around objects, the AzMan RBAC model attempts to orient the common administrative experience around user roles. Rather than assigning…
Asked by DanL4096
4 votes, 4 answers
How can a Subject only read and write to its owned objects?
It appears that in RBAC, a Subject creates a Session with an Active Role(s); these Roles are then used to determine what permissions and actions can be taken. This appears to be fine for most of our organization until you reach Subjects with the…
Asked by xenoterracide
4 votes, 2 answers
How to design an Access Control system that is quick to implement and understand, yet maintainable and flexible enough?
We're currently redesigning our access control system for our SaaS startup (over the past two years it has grown alongside the business, and we decided to clean it up at this point). The access control system should serve customers with 500 - 10,000…
Asked by Sarah
4 votes, 1 answer
Handling User Permissions Between Front-end and Back-end
We are trying to come up with a permissions/security implementation on our MongoDB backend/Angular front-end environment that accomplishes what we need it to, without being overbearing or too difficult to build-out/adjust in the future. And, to…
Asked by Muirik
4 votes, 2 answers
Rights vs permissions vs privileges
I have to write a node module for handling role-based access control. Users are stored in a database, there are user groups, and there are system assets or functionality that users and groups can be given or denied access to.
I am considering the most…
Asked by Passiday
3 votes, 3 answers
RBAC: how to separately scope two resources that have a many-to-many relationship
I'm working on an application that needs access control. Basically, the problem I'm facing is this (heavily simplified):
The application has two main sections:
Files = File[]
Contacts = Contact[]
A File resource can have many contacts assigned to…
Asked by idix
3 votes, 0 answers
How can an organization manage permissions in a centralized way?
Almost all applications maintain the permissions with the application and have no way of having at least the roles outside the application.
Is the only way to have centralized authentication but maintain the authorization inside the application or…
Asked by Forced Port
3 votes, 2 answers
Separation of Duties using RBAC
I'm reading an article about Role based Access Control; in section 6 (Separation of Duties) I didn't understand this part:
Separation of duty can be either static or dynamic. Compliance with static separation requirements can be determined…
Asked by Bilal
3 votes, 3 answers
Implement RBAC for my application
I'm beginning to work on a new web app for which I require implementing Role-Based Access Control.
I've identified three Roles for my application, which will be Role 1, Role 2 and Role 3. Each user will be in one of these groups or can be in…
Asked by Yash Kapila
3 votes, 1 answer
What are the security implications of having a dummy user account representing unauthenticated users?
In my web application, users are assigned to groups and groups are granted permissions on objects. The application exposes some objects to unauthenticated public users (i.e. people casually visiting the website).
I have thought about having an…
Asked by jl6
2 votes, 2 answers
RBAC and assertions, which authorization flow is better?
I'd like to ask which authorization flow is considered better or standard.
First approach (has role AND assertion is valid):
if (!isGranted(roles, permission)) {
return false;
}
if (hasAssertion(permission)) {
return…
Asked by stil
2 votes, 2 answers
Is using EXECUTE AS impersonation for user authentication in a web application a good idea?
I wrote a web application that is using AD authentication (Windows) and has its own authorization module (RBAC-like). Back-end is Microsoft SQL Server.
A DBA on my team is not happy with us using a service account to talk to the database, he would…
Asked by NotADba
2 votes, 0 answers
Web app access control system design
I am having trouble finding a scalable way to create an access control system which both follows best practices and can scale well. I have looked at various approaches like RBAC and ABAC.
For the use cases I am concerned with, RBAC does not seem to…
Asked by Goblinlord
2 votes, 1 answer
ABAC policy formulation and RBAC question
I am asked to answer a question that says:
One online book-store wants to grant access to clients regarding their subscription. There are 3 types of subscriptions: A, B and C. Customers get access in the subscription type they chose. Also if a book…
Asked by Jamesgr