Introduction
In today’s digital landscape, effective access management is critical for securing resources and data. A Role-Based Access Control (RBAC) system provides a structured approach to managing user permissions and roles. This blog outlines two variations of RBAC systems tailored to different application needs: Common Business Applications and Enterprise Business Applications.
To illustrate the concepts, we’ll provide a demo code snippet for a service managing access control, as well as a detailed description of each table used in the RBAC system.
RBAC System Components
Common Business Applications
For most common business applications, the RBAC system can be streamlined to manage roles and permissions effectively without additional complexities. The key components are:
-
User Table
- Purpose: Stores user information such as username, password hash, email, and clearance level.
-
Key Columns:
user_id
,username
,password_hash
,email
,department
,clearance_level
-
Role Table
- Purpose: Defines roles within the application, detailing each role’s name and description.
-
Key Columns:
role_id
,role_name
,description
-
Module Table
- Purpose: Lists application modules or resources, describing their purpose and functionality.
-
Key Columns:
module_id
,module_name
,description
-
Module_Permission Table
- Purpose: Specifies permissions associated with each module, such as read or write access.
-
Key Columns:
module_permission_id
,module_id
,permission_type
-
Role_Permission Table
- Purpose: Maps roles to module permissions, determining what actions roles can perform on modules.
-
Key Columns:
role_permission_id
,role_id
,module_permission_id
-
User_Role Table
- Purpose: Manages the relationship between users and roles, enabling role-based access control.
-
Key Columns:
user_role_id
,user_id
,role_id
Enterprise Business Applications
Enterprise business applications may require additional components to handle more complex access control needs. These include:
-
Policy Table
- Purpose: Defines additional access rules and conditions, providing more granular control.
-
Key Columns:
policy_id
,policy_name
,description
-
Role_Policy Table
- Purpose: Links roles to policies, allowing roles to be governed by specific rules and conditions.
-
Key Columns:
role_policy_id
,role_id
,policy_id
-
User_Policy Table
- Purpose: Assigns policies directly to users, accommodating individual permissions.
-
Key Columns:
user_policy_id
,user_id
,policy_id
-
Policy_Condition Table
- Purpose: Specifies conditions for policies, such as contextual or attribute-based constraints.
-
Key Columns:
policy_condition_id
,policy_id
,condition_type
,condition_value
-
Contextual_Permission Table
- Purpose: Applies policies based on specific contexts, like user department or location.
-
Key Columns:
contextual_permission_id
,policy_id
,context_type
,context_value
-
Temporal_Constraint Table
- Purpose: Manages time-based access, defining start and end times for policy effectiveness.
-
Key Columns:
temporal_constraint_id
,policy_id
,start_time
,end_time
-
Delegation Table
- Purpose: Facilitates temporary role assignments, allowing users to delegate roles with specified expiration dates.
-
Key Columns:
delegation_id
,delegate_user_id
,delegator_user_id
,role_id
,delegated_at
,expiration_date
-
Audit_Log Table
- Purpose: Records user actions, module interactions, and role changes for security and compliance auditing.
-
Key Columns:
audit_log_id
,user_id
,action
,module_id
,role_id
,timestamp
,details
Demo Code: Access Control Service
Here’s a sample implementation of an AccessControlService
in Java, demonstrating how to manage access control in a dynamic RBAC system. This example covers the essential components and illustrates how to handle permissions and policies.
import java.time.LocalDateTime;
import java.util.List;
@Service
@Transactional
public class AccessControlService {
@Autowired
private UserRepository userRepository;
@Autowired
private RoleRepository roleRepository;
@Autowired
private ModulePermissionRepository modulePermissionRepository;
@Autowired
private RolePermissionRepository rolePermissionRepository;
@Autowired
private UserRoleRepository userRoleRepository;
@Autowired
private PolicyRepository policyRepository;
@Autowired
private UserPolicyRepository userPolicyRepository;
@Autowired
private RolePolicyRepository rolePolicyRepository;
@Autowired
private PolicyConditionRepository policyConditionRepository;
@Autowired
private ContextualPermissionRepository contextualPermissionRepository;
@Autowired
private TemporalConstraintRepository temporalConstraintRepository;
@Autowired
private DelegationRepository delegationRepository;
public boolean hasAccess(String username, Long moduleId, String permissionType) {
// Fetch user
User user = userRepository.findByUsername(username);
if (user == null) {
return false;
}
// Check if user has any delegations
boolean hasDelegatedAccess = checkDelegatedAccess(user.getUserId(), moduleId, permissionType);
if (hasDelegatedAccess) {
return true;
}
// Check if user has direct access via roles
List<UserRole> userRoles = userRoleRepository.findByUserId(user.getUserId());
for (UserRole userRole : userRoles) {
List<RolePermission> rolePermissions = rolePermissionRepository.findByRoleId(userRole.getRoleId());
for (RolePermission rolePermission : rolePermissions) {
ModulePermission modulePermission = modulePermissionRepository.findById(rolePermission.getModulePermissionId()).orElse(null);
if (modulePermission != null && modulePermission.getModuleId().equals(moduleId) && modulePermission.getPermissionType().equals(permissionType)) {
// Check if role has any associated policies
if (hasPolicyAccess(user.getUserId(), moduleId, permissionType, modulePermission.getModuleId())) {
return true;
}
}
}
}
return false;
}
private boolean checkDelegatedAccess(Long userId, Long moduleId, String permissionType) {
List<Delegation> delegations = delegationRepository.findByDelegateUserId(userId);
LocalDateTime now = LocalDateTime.now();
for (Delegation delegation : delegations) {
// Check if delegation is expired
if (delegation.getExpirationDate() != null && delegation.getExpirationDate().isBefore(now)) {
continue;
}
List<RolePermission> rolePermissions = rolePermissionRepository.findByRoleId(delegation.getRoleId());
for (RolePermission rolePermission : rolePermissions) {
ModulePermission modulePermission = modulePermissionRepository.findById(rolePermission.getModulePermissionId()).orElse(null);
if (modulePermission != null && modulePermission.getModuleId().equals(moduleId) && modulePermission.getPermissionType().equals(permissionType)) {
return true;
}
}
}
return false;
}
private boolean hasPolicyAccess(Long userId, Long moduleId, String permissionType, Long modulePermissionId) {
// Check policies assigned directly to the user
List<UserPolicy> userPolicies = userPolicyRepository.findByUserId(userId);
for (UserPolicy userPolicy : userPolicies) {
if (isPolicyValid(userPolicy.getPolicyId(), moduleId, permissionType)) {
return true;
}
}
// Check policies assigned to roles
List<UserRole> userRoles = userRoleRepository.findByUserId(userId);
for (UserRole userRole : userRoles) {
List<RolePolicy> rolePolicies = rolePolicyRepository.findByRoleId(userRole.getRoleId());
for (RolePolicy rolePolicy : rolePolicies) {
if (isPolicyValid(rolePolicy.getPolicyId(), moduleId, permissionType)) {
return true;
}
}
}
return false;
}
private boolean isPolicyValid(Long policyId, Long moduleId, String permissionType) {
// Check policy conditions
List<PolicyCondition> conditions = policyConditionRepository.findByPolicyId(policyId);
for (PolicyCondition condition : conditions) {
// Add logic to evaluate conditions based on conditionType and conditionValue
// e.g., Check if context or attribute matches the condition
}
// Check contextual permissions
List<ContextualPermission> contextualPermissions = contextualPermissionRepository.findByPolicyId(policyId);
for (ContextualPermission contextualPermission : contextualPermissions) {
// Add logic to evaluate contextual permissions
// e.g., Check if current context matches the contextualPermission
}
// Check temporal constraints
List<TemporalConstraint> temporalConstraints = temporalConstraintRepository.findByPolicyId(policyId);
for (TemporalConstraint temporalConstraint : temporalConstraints) {
LocalDateTime now = LocalDateTime.now();
if (now.isBefore(temporalConstraint.getStartTime()) || now.isAfter(temporalConstraint.getEndTime())) {
return false;
}
}
return true;
}
}
Conclusion
By differentiating between common business applications and enterprise business applications, you can tailor your RBAC system
Source link
lol