Best IT Recipes

Role Based Access Control (RBAC) and Requirement Based Access Control (CBAC) in ASP.NET MVC

What are the main benefits of using CBAC versus RBAC ? When is it better to use CBAC and when is it better to use RBAC?

I am trying to understand the general concepts of the CBAC model, but the general idea is still not clear to me.

+118
access-control asp.net-mvc claims-based-identity
Apr 2 '14 at 2:05
source share
10 answers

I will try to show how you can use claim-based access control in the context of ASP.NET MVC.

When you use role-based authentication, if you have an action to create a client, and you want people who are in the "Sales" role to be able to do this, then you write this code:

[Authorize(Roles="Sale")] public ActionResult CreateCustomer() { return View(); }

Later, you realized that sometimes people from the role of "Marketing" should be able to create a Client. Then you update your action method in this way

 [Authorize(Roles = "Sale", "Marketing")] public ActionResult CreateCustomer() { return View(); }

Now you understand that some of the marketing people cannot create a Client, but you cannot assign a different role to those people who are in Marketing. Thus, you are forced to allow all advertisers to create Clients.

You noticed one more problem: at any time, when you decide that advertisers should be allowed to create customers, you need to update all your MVC Action methods. Define an attribute, compile your application, test and deploy. A few days later, you decided not to sell, but some other role should be allowed to complete this task, so you search in your code base and remove all the Marketing attributes from authorization and add your new role name in the Authorize attribute. Not a healthy decision. At this point, you will understand the need for permission-based access control.

Permission-based access control is a way of assigning different permissions to different users and checking if the user has permission to execute an action from the code at runtime. After you assign different permissions for different users, you understand that you need to allow some users to execute some code if the user has some property, for example, “Facebook user”, “Long time”, etc. . Let me give you an example. Suppose you want to allow access to a specific page if the user has logged in using Facebook. Now would you create Facebook permission for this user? No, Facebook does not sound like permission. Does it have? Rather, it sounds like a requirement. At the same time, permissions may sound like a complaint too !! Thus, it is better to check the requirements and allow access.

Now back to the specific requirements-based access control example.

You can define some set of requirements, for example:

"CanCreateCustomer", "CanDeleteCustomer", "CanEditCustomer", etc.

Now you can decorate your Action Method as follows:

  [ClaimAuthorize(Permission="CanCreateCustomer")] public ActionResult CreateCustomer() { return View(); }

(note that [ClaimAuthorize (Permission = "CanCreateCustomer")] cannot be embedded in the MVC class library, I just show as an example, you can use some class library that has such an attribute class definition)

Now you can see that the CreateCustomer action method will always have the CanCreateCustomer permission, and it will never change or is unlikely to change. Thus, in your database, you create a table of permissions (requirements) and the relation of user rights. From the admin panel, you can set the permission (requirement) for each user who can do something. You can assign "CanCreateCustomer" permission (requirement) to anyone, anyone, and only an authorized user can create a client, and an authorized user can only create a client and nothing else (unless you assign other permissions to the same user).

This security model offers you a clean code practice. Moreover, when you write your Action Method, you do not need to think about who can use this method, but you can always be sure that whoever uses this method will receive the correct permission (requirement) provided by the administrator. Then the administrator can decide who can do something. Not you as a developer. This is how your business logic is separated from security logic.

Whenever someone signs up, your application checks what permissions are available for this user and that the set of permissions (claims) will be available as additional properties of the current user in the system (usually the set of requirements is saved as a cookie for the user to log into the system ), so you do not need to constantly check the permission set from the database. The bottom line is that you get more control over your security logic in your application if you apply access based on requirements, rather than role-based access. In fact, the role can also be seen as a claim.

If your application is a very small application, in which there will be only two roles: Client and Administrator, and there is no chance that the Client will be able to do anything else, except that they are intended for your application, then perhaps Access Control on role-based will serve the purpose, but as your application grows, at some point you will begin to feel the need for claims-based access control.

+213
Apr 02 '14 at 18:23
source share

I do not quite agree with Emran's answer

 [Authorize(Roles="Sale")]

Is naive

The question is how

  [Authorize(Roles="CustomerCreator")]

differs from

  [ClaimAuthorize(Permission="CanCreateCustomer")]

If both are equally good, why should we demand?

I think because

The concept of claims is more general than the role

In the example above, we can say that "CustomerCreator" is a "role" type requirement provided by "Asp.NETroleProvider"

Additional sample statements.

  • "AAA" is a requirement of the type "MYExamSite.Score" provided by "MYExamSite.com"

  • Gold is a requirement of type MYGYM.Membershiptype provided by MYGYMApp

+42
Apr 10 '15 at 9:37
source share

The accepted answer, apparently, positions the roles as a dumb object, and claims as a flexible tool, but otherwise makes them almost identical. Unfortunately, such positioning provides a poor service to the concept of requirements and can mainly reflect a slight misunderstanding of their purpose.

Roles exist and make sense only in an implicit volume. This is usually applied or organizational (i.e. Role = Administrator). Applications, on the other hand, can be made by anyone. For example, Google authentication can make claims, including the user's "email", thus attaching this email to the person. Google makes complaints, the application chooses whether to understand and accept this requirement. The application itself can subsequently attach a statement called the “authentication method” (as ASP.NET MVC Core Identity does) with the value “Google”. Each claim includes a scope so that it can be determined whether the claim is significant externally, locally, or both (or in more detail as necessary).

The key point is that all statements are explicitly tied to identity and include explicit scope. Of course, these statements can be used for authorization, and ASP.NET MVC provides their support using the Authorize attribute, but this is not the only or not necessarily the main purpose of the statements. This, of course, does not distinguish it from roles that can be used in the same way for local authorization.

Thus, you can use Roles, or Applications, or both for authorization purposes, and probably cannot find their inherent advantages or disadvantages, provided that these Roles and Applications are locally limited. But if, for example, authorization depends on external identification requirements, then the roles will be inadequate. You will have to accept an external application and transfer it to a role with a local scope. There is nothing wrong with that, but it introduces a layer of indirection and discards the context.

+34
Aug 23 '16 at 18:40
source share

I have implemented security models many times, and I also had to consider these concepts. Having done this many times, here is my understanding of these concepts.

What are the roles

Role = Union of users and rights.

On the one hand, a role is a set of permissions. I like to call it permission. When defining a role, you basically add a set of permissions to this group, so in this sense, a role is a permission profile.

The Role, on the other hand, is also a collection of users. If I add Bob and Alice to the Managers role, the Managers now contain a collection of two users, like a group.

The truth is that a role is both a collection of users and a collection of permissions combined. Visually, this can be seen as a Venn diagram.

What is a group?

Group = User Collection

A "group" is strictly a group of users. The difference between a group and a role is that the role also has a collection of permissions, and the group only has a collection of users.

What is permission?

Resolution = What subject can do

What is a permission set?

Permission set = permission set

In a robust RBAC system, permissions can also be grouped as users. While groups are a set of users only, a permission set is a set of permissions only. This allows the administrator to simultaneously add entire permission collections to roles.

How users, groups, roles, and permissions come together

In a robust RBAC system, users can be added to a role individually to create a collection of users in a role, and groups can be added to a role to simultaneously add a collection of users to a role. In any case, the Role gets its user collection from individually adding or adding groups to the role or by adding a combination of users and groups to the role. Permissions can be considered in the same way.

Permissions can be added to roles individually to create a collection of permissions within a role or permission sets can be added to a role. Finally, a combination of roles and permission sets can be added to the role. In any case, the Role gets its collection of permissions from adding individually or by adding sets of permissions to the role.

The whole purpose of the roles is to marry users with permissions. Therefore, the role is the UNION of users and permissions.

What claims

Claim = What is a "subject"

Claims are not permissions. As stated in previous answers, Claim is that the subject “is” and not what the subject “can” do.

Claims do not replace roles or permissions; they represent additional information that can be used to make an authorization decision.

When to use a claim

I believe that statements are useful when you need to make an authorization decision, when a user cannot be added to a role, or the decision is not based on the user's association with the permission. An example of a Facebook user calls this. A Facebook user cannot be someone added to the Role ... he is just some kind of visitor authenticated via Facebook. Although this does not fit into the RBAC, it is part of the information by which an authorization decision must be made.

@CodingSoft used the nightclub metaphor in the previous answer, which I would like to expand. In this answer, the driver’s license was used as an example, which contained a set of claims in which the date of birth is one of the claims and the value of the DateOfBirth requirement is used to check for compliance with the authorization rule. The government that issued the driver’s license is the authority that authenticates the claim. Thus, in a nightclub scenario, the bouncer at the door looks at a person who has a driver’s license, ensures that it was issued by a trusted authority, checking if it is a fake ID (i.e. Must be a valid ID issued by the government), then looks on the date of birth (one of many claims for a driver’s license), and then uses this value to determine if an adult is enough to enter the club. If so, the person passes the authorization rule by virtue of a valid claim, and not in any role.

Now, bearing in mind this base, I would like to expand it. Suppose that in the building where the nightclub is located, there are offices, rooms, a kitchen, other floors, elevators, a basement, etc., Where only club staff can enter. In addition, some employees may have access to certain places, while others may not. For example, a manager may have access to the office floor above, which other employees cannot access. In this case, there are two roles. Manager and employee.

While visitors' access to the public nightclub area is allowed with one complaint, as explained above, employees need to use roles to access other non-public rooms with limited access. Driving license is not enough for them. They need an employee badge, which they scan to enter the door. Somewhere there is an RBAC system that provides badges in the role of manager with access to the upper floor, and badges in the role of employee - access to other rooms.

If for any reason a specific room needs to be added / deleted using a role, this can be done using RBAC, but this is not suitable for the application.

Software Permissions

Encoding roles in an application is a bad idea. This hardcodes the purpose of the role in the application. An application should only have permissions that act as functional flags. When function flags become accessible through configuration, permissions become available due to the user's security context, which is defined by the collection of DISTINCT permissions collected for all roles the user was placed into. This is what I call effective permissions. The application should only present a menu of possible permissions for functions / actions. The RBAC system must do the work of combining these permissions with users through roles. Thus, there is no hard coding of roles, and the only time a permission is changed, when it is deleted or a new one is added. Once a resolution has been added to the software, it should never be changed. It should be deleted only if necessary (i.e. when the function is terminated in the new version), and only new ones can be added.

Last comment

Grant vs Denis

A reliable RBAC system and even a CBAC system must distinguish between grants and failures.

Adding permission to a role must be accompanied by either GRANT or DENY. When permissions are checked, all permissions granted must be added to the list of users of valid permissions. Then, after all this is done, the list of CONCLUDED permissions should force the system to remove these permissions from the list of valid permissions.

This allows administrators to "tune" the subject's final permissions. It is best if permissions can also be added directly to users. Thus, you can add the user to the role of manager, and he will have access to everything, but you might want to DAY to get access to the women's restroom, because the user is a man. Thus, you add the male user to the manager role and add permission for the user object using DENY, so that he would deny access only to this lady room.

In fact, it would be a good candidate for a claim. If the user has a claim "gender = man", then the presence in the role of manager gives access to all rooms, but in the Lady’s toilet the claim is also gender = woman, and in the men's room claims are gender = man. Thus, it would not be necessary to configure the DENY permission for male users, since the enforcement of claims takes care of this for all with one authorization rule. However, this can be done anyway.

The fact is that using DENIAL of Permissions simplifies role management, since exceptions can be implemented.

Below is a diagram I made a long time ago that shows an RBAC model. I don’t have a schedule for claims, but you can imagine that these are just attributes attached to users, wherever they are. In addition, the chart does not show groups (I need to update it at some point).

Hope this helps.

This is a schematic of the RBAC described above.

+12
Oct 24 '18 at 23:06
source share

In a broader sense, attribute-based access control (ABAC) should be considered. RBAC and ABAC are concepts defined by NIST, the National Institute of Standards and Technology. CBAC, on the other hand, is a model promoted by Microsoft that is very similar to ABAC.

Find out more here:

+7
Apr 14 '14 at 14:22
source share

The basis between RBAC and CBAC is that:

RBAC : The user needs to be assigned a role that will be allowed to complete the action.

CBAC : , , , . .

, (STK ), (-)

+5
26 . '16 8:15
source share

- . , , ,

+4
13 . '16 12:45
source share

, , , . Microsoft : " - , . , , . . DateOfBirth, , , 8 1970 ., , . , , , . , , : 6 " ( ). ) .

, , , , , , , .

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles 14.10.2016 , . , , . , . IsInRole ClaimsPrincipal.

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims 10/14/2016 , , - -, , , . , , . . DateOfBirth, , , 8 1970 ., , . , , . , , :

(, ), .

.

+4
31 . '17 13:03
source share

.

, -, , , . CreateCustomer, EditCustomer, DeleteCustomer. .

, . - (, Sales, Marketing) - . Ie, - () .

- .

, , .

+2
06 . '17 22:16
source share

, . , , ,

  1. AspNetUsers: , , , , .....
  2. AspNetRoles; , GM, CTO, HRM, ADMIN, EMP. .
  3. AspNetUserRoles: AspNetUsers AspNetRoles .
  4. AspNetUserClaims: AspNetUsers . , / .

/ .

" " (PM),

  1. AspNetUserRoles , "PM" . , "".

  2. AspNetUserRoles , "PM" , AspNetUserClaims TYPE " " "<1000" . , "PM", " ".

  3. AspNetUserClaims TYPE " " "<1000". , , " " .

, , . -. , , . , .

+1
03 . '18 12:04
source share


More articles:


All Articles