Literature on designing and implementing an access control system
-
I'm searching for good, general literature* on how to design and implement access control management. I'd like to build up the knowledge to design a system myself and/or make informed decisions about the architecture of one. My focus is authorization, not authentication.

*literature = online, offline, free, paid; anything goes.

Some concrete questions could be:
- "in which roughness should I store permissions?"
- "in which format should I store my permissions?"
- "should I use RBAC, UBAC, ACL,... and how would I concretely implement them, cleanly?"
- "How do I combine all that with a system that contains several individual organizations with their own set of permissions?"

Does anyone have recommendations? Even a "look in this corner of the internet" would help. (I really cannot find anything useful about this topic. All search results contain the same hipster stuff.)

Just to make sure ... what I'm _not_ looking for:
- A cook book.
- Answers that just say "use this or that, because it's the standard".
- Some "hip" book after which you nod, say "yes, aha, I see", but didn't really make you smarter.
-
D4rkTrick wrote:
"in which roughness should I store permissions?"
Having considered that many times, what I came up with is that you cannot answer that question without business requirements. And probably some business domain knowledge yourself. Consider these cases...

Who should have permission to edit a social security number at a company? Who should be able to view it? Contrast that with who should have permission to change the delivery address? Who should be able to view it? (Even more prickly: can someone change a delivery address on an order that has already been delivered?) Should there be an admin (root admin) that can change everything? Are there assets that will be shared between companies? If so, then who sets the permissions? (That was a very real business case that I had to deal with.)

Answering questions like that is FAR more important than how you implement it in general. But it will certainly drive implementation details.

I would be very wary of suggestions that you should 'plan for the future'. For instance, in one of many parallel futures you might be asked to add a field on one form, so obviously the solution is that every single field on every form must have a permission from the beginning. And then the users (not developers) who will actually be setting that up will need to understand hundreds of permissions and implications (like what if the social security number is on two different forms?). I worked for a company with hundreds of permissions. No one knew what they all did. There was also disagreement about what they should do. So those tasked with changing them just had to experiment.
D4rkTrick wrote:
"should I use RBAC, UBAC, ACL,... and how would I concretely implement them, cleanly?"
I doubt 'cleanly' exists in any medium size application. And really unlikely when it gets bigger. So just pick one and look at it in detail. And then really study how to log changes that users make. All users. Log in this case means to a persistent data store. Adds and updates are easy. Deletes are much harder.
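The point above about logging every permission change to a persistent store, and deletes being the hard case, can be made concrete with an append-only ledger: a revoke is recorded as an event rather than by deleting the grant row, so the question "who had what at time T, and who changed it" can always be answered by replaying the log. This is an added example written for this thread, not code from the poster; the event shape, the `PermissionLedger` class and the sample grants are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed example: an append-only ledger of permission changes.
# Rows are never deleted; a revoke is itself an appended event, so the
# history (who held what, when, and who changed it) survives.


@dataclass(frozen=True)
class PermissionEvent:
    seq: int        # monotonically increasing position in the log
    actor: str      # user who made the change (the audit trail)
    kind: str       # "grant" or "revoke"
    subject: str    # user or group receiving / losing the permission
    action: str     # e.g. "read", "edit"
    resource: str   # e.g. "employee/ssn" (constructed resource names)
    ts: int         # unix timestamp of the change (constructed values)


class PermissionLedger:
    def __init__(self) -> None:
        self._events: list[PermissionEvent] = []

    def _append(self, actor: str, kind: str, subject: str,
                action: str, resource: str, ts: int) -> PermissionEvent:
        ev = PermissionEvent(len(self._events) + 1, actor, kind,
                             subject, action, resource, ts)
        self._events.append(ev)
        return ev

    def grant(self, actor: str, subject: str, action: str,
              resource: str, ts: int) -> PermissionEvent:
        return self._append(actor, "grant", subject, action, resource, ts)

    def revoke(self, actor: str, subject: str, action: str,
               resource: str, ts: int) -> PermissionEvent:
        # A "delete" of a grant is modelled as a revoke event, never as a
        # row deletion, so the prior grant and this revocation stay auditable.
        return self._append(actor, "revoke", subject, action, resource, ts)

    def effective(self, subject: str, at: Optional[int] = None) -> set[tuple[str, str]]:
        """Replay the log to compute the (action, resource) pairs held by
        `subject` at time `at` (default: now, i.e. the whole log)."""
        held: set[tuple[str, str]] = set()
        for ev in self._events:
            if at is not None and ev.ts > at:
                continue  # event lies in the future relative to `at`
            if ev.subject != subject:
                continue
            key = (ev.action, ev.resource)
            if ev.kind == "grant":
                held.add(key)
            elif ev.kind == "revoke":
                held.discard(key)
        return held

    def history(self, action: str, resource: str) -> list[PermissionEvent]:
        """Every change ever made to one permission, in order: the question
        an auditor asks after the fact."""
        return [e for e in self._events
                if (e.action, e.resource) == (action, resource)]

    def events(self) -> tuple[PermissionEvent, ...]:
        return tuple(self._events)


if __name__ == "__main__":
    ledger = PermissionLedger()
    ledger.grant("admin", "alice", "edit", "employee/ssn", ts=100)
    ledger.grant("admin", "alice", "read", "order/address", ts=110)
    ledger.revoke("auditor", "alice", "edit", "employee/ssn", ts=200)
    print("now:   ", sorted(ledger.effective("alice")))
    print("at 150:", sorted(ledger.effective("alice", at=150)))
    for ev in ledger.history("edit", "employee/ssn"):
        print(ev.seq, ev.ts, ev.actor, ev.kind)
```

The design choice is that the current permission set is derived state, and the log is the source of truth; a relational table of "current grants" can still be kept as a cache, but it is rebuilt from the ledger rather than edited directly, which is what makes deletes recoverable.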
-
Can't tell if you want to secure a door or an app.
"Before entering on an understanding, I have meditated for a long time, and have foreseen what might happen. It is not genius which reveals to me suddenly, secretly, what I have to say or to do in a circumstance unexpected by other people; it is reflection, it is meditation." - Napoleon I
-
Lots of literature is available: access control management - Google Search
Do you have any recommendations of the many? Also: be aware that Google is very different depending on the country you are searching from and the locale on your computer. You might get better results than LinkedIn and companies trying to sell their products, which is what I get.
-
I didn't mean to try to find the answers here on the board, sorry for the misunderstanding. The questions were merely examples. I'm aware that "clean" or "good" are adjectives that are strongly coupled to the use case. My main goal is to find good literature.
-
[Cloud design patterns that support security - Microsoft Azure Well-Architected Framework | Microsoft Learn](https://learn.microsoft.com/en-us/azure/well-architected/security/design-patterns) (Gatekeeper)
"Before entering on an understanding, I have meditated for a long time, and have foreseen what might happen. It is not genius which reveals to me suddenly, secretly, what I have to say or to do in a circumstance unexpected by other people; it is reflection, it is meditation." - Napoleon I
-
Thank you. The information seems quite specific. Do you also have literature for a more abstract - close to mathematical - level?
It's a "Pattern"; like doors and windows. An abstraction of a "door" or a "window"? That would be a rectangle; with a hole. Math? Width and height.
"Before entering on an understanding, I have meditated for a long time, and have foreseen what might happen. It is not genius which reveals to me suddenly, secretly, what I have to say or to do in a circumstance unexpected by other people; it is reflection, it is meditation." - Napoleon I
-
I understood that. I was merely pointing out that there is no general answer. Rather, you need to start with the domain space rather than trying to find one solution. If you don't have an actual domain space, or perhaps even if you do, then just pick one of the solutions and study it.
-
Here's the literature I was able to find through libera on IRC. Very helpful to me. Hopefully also helpful for other people reading this.

## Online:
- [Oso - Authorization Academy](https://www.osohq.com/academy) - Very helpful; starts with the basics, then talks about where to implement auth and why, and how.

## Books
In regard to books I found that looking at the references can help. In combination with archive.org's free book library it's possible to skim over books quite quickly.
- I used *Security Engineering* (the second edition on the page is freely available) as a reference guide to find other books.
- [*Basic Principles Of Information Protection (JEROME H. SALTZER)*](http://web.mit.edu/Saltzer/www/publications/protection/Basic.html) was an interesting resource.
- Access Control, Authentication, and Public Key Infrastructure, Jones & Bartlett Learning Information Systems Security & Assurance Series
- *Andrei Sabelfeld* was suggested to me (also as a reference guide). Couldn't check it out, yet.

## Specific topics
### Object Capability System:
Quote:
the object graph _is_ the permission graph, and so there are no separate access control checks that you have to make like shown in that slide. An object has authority to call methods on another object if and only if it actually has a reference to that other object.

Links:
- [Habitat Chronicles: What Are Capabilities?](http://habitatchronicles.com/2017/05/what-are-capabilities/)
- [http://erights.org/talks/thesis/markm-thesis.pdf](http://erights.org/talks/thesis/markm-thesis.pdf)
- [Bringing Object-orientation to Security Programming (Mark S. Miller, Google) - YouTube](https://www.youtube.com/watch?v=oBqeDYETXME)

OT: Here's some basic insight I've gained while looking at various sources. The basic question *you* want to get answered is `has_access(user, action, resource)`.

*Example:* `has_access(uid, read, user_list)`.

You might want to take it even more abstract and say `has_access(entity, action, resource)`, where `entity` could be a user, a group, an organization or anything else that is able to perform actions in your system. Perhaps even `has_access(resource, action, resource)` might be an appropriate abstraction. With a hierarchical permission struct
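To make the `has_access(entity, action, resource)` question concrete, and to show one answer to the earlier question of combining several organizations with their own permission sets, here is a deny-by-default RBAC evaluator in which every role assignment is scoped to the organization that owns the resource. This is an added example, not code from the post or from any of the linked resources; the organization names, role tables, users and resource kinds are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed example: deny-by-default RBAC where each role assignment is
# scoped to one organization, so a role held in org "globex" never grants
# anything on a resource owned by org "acme", even if the role names match.


@dataclass(frozen=True)
class Resource:
    org: str    # owning organization (tenant)
    kind: str   # e.g. "user_list", "invoice"
    id: str


# Role definitions per organization: (org, role) -> set of (action, kind).
# Each org defines its own roles; "viewer" in acme and in globex are unrelated.
ROLE_PERMS: dict[tuple[str, str], set[tuple[str, str]]] = {
    ("acme", "viewer"): {("read", "user_list"), ("read", "invoice")},
    ("acme", "editor"): {("edit", "invoice")},
    ("globex", "viewer"): {("read", "invoice")},
}

# Role hierarchy per organization: (org, role) -> roles it inherits from.
# In acme, editor includes everything viewer can do.
ROLE_PARENTS: dict[tuple[str, str], set[str]] = {
    ("acme", "editor"): {"viewer"},
}

# Assignments: entity -> set of (org, role). A user may hold roles in
# several organizations at once (the multi-organization case).
ASSIGNMENTS: dict[str, set[tuple[str, str]]] = {
    "alice": {("acme", "editor")},
    "bob": {("globex", "viewer"), ("acme", "viewer")},
}


def expand_roles(org: str, roles: set[str]) -> set[str]:
    """Transitively include inherited roles, staying inside one org."""
    seen: set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_PARENTS.get((org, role), set()))
    return seen


def has_access(entity: str, action: str, resource: Resource) -> bool:
    """True only if some role the entity holds *in the resource's org*
    grants (action, resource.kind). Anything else is denied."""
    roles_in_org = {role for (org, role) in ASSIGNMENTS.get(entity, set())
                    if org == resource.org}
    for role in expand_roles(resource.org, roles_in_org):
        if (action, resource.kind) in ROLE_PERMS.get((resource.org, role), set()):
            return True
    return False  # deny by default: unknown entity, org, role or action


if __name__ == "__main__":
    inv_acme = Resource("acme", "invoice", "inv-1")
    inv_globex = Resource("globex", "invoice", "inv-9")
    for who, act, res in [("alice", "edit", inv_acme), ("alice", "read", inv_acme),
                          ("alice", "read", inv_globex), ("bob", "edit", inv_acme)]:
        print(who, act, res.org, res.kind, "->", has_access(who, act, res))
```

Two properties are worth checking in any real implementation of this shape: the organization filter is applied before role expansion, so inheritance cannot leak across tenants, and the function has exactly one `True` path, which keeps the default a denial when a lookup misses.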