Code Project

D4rkTrick

@D4rkTrick
Posts: 26, Topics: 7, Shares: 0, Groups: 0, Followers: 0, Following: 0

Posts


  • Literature on designing and implementing an access control system
    D D4rkTrick

    Here's the literature I was able to find through libera on IRC. Very helpful to me. Hopefully also helpful for other people reading this.

    ## Online:

    - [Oso - Authorization Academy](https://www.osohq.com/academy) - Very helpful; starts with the basics, then talks about where to impl auth and why, and how.

    ## Books

    In regard to books I found that looking at the references can help. In combination with archive.org's free book library it's possible to skim over books quite quickly.

    - I used *Security Engineering* (second edition on the page is freely available) as a reference guide to find other books
    - [*Basic Principles Of Information Protection (JEROME H. SALTZER)*](http://web.mit.edu/Saltzer/www/publications/protection/Basic.html) was an interesting resource.
    - Access Control, Authentication, and Public Key Infrastructure (Jones & Bartlett Learning Information Systems Security & Assurance Series)
    - *Andrei Sabelfeld* was suggested to me (also as a reference guide). Couldn't check it out yet.

    ## Specific topics

    ### Object Capability System:

    Quote:

    the object graph _is_ the permission graph, and so there are no separate access control checks that you have to make like shown in that slide. An object has authority to call methods on another object if and only if it actually has a reference to that other object.

    Links:

    - [Habitat Chronicles: What Are Capabilities?](http://habitatchronicles.com/2017/05/what-are-capabilities/)
    - [http://erights.org/talks/thesis/markm-thesis.pdf](http://erights.org/talks/thesis/markm-thesis.pdf)
    - [Bringing Object-orientation to Security Programming (Mark S. Miller, Google) - YouTube](https://www.youtube.com/watch?v=oBqeDYETXME)

    OT

    Here's some basic insight I've gained during looking at various sources. The basic question *you* want to get answered is `has_access(user, action, resource)`.
    *Example:* `has_access(uid, read, user_list)`.
    You might want to take it even more abstract and say `has_access(entity, action, resource)`, where `entity` could be a user, a group, an organization or anything else that is able to perform actions in your system. Perhaps even `has_access(resource, action, resource)` might be an appropriate abstraction. With a hierarchical permission struct

    Design and Architecture security question design algorithms architecture

  • Literature on designing and implementing an access control system
    D D4rkTrick

    Thank you. The information seems quite specific. Do you also have literature for a more abstract - close to mathematical - level?

    Design and Architecture security question design algorithms architecture

  • Literature on designing and implementing an access control system
    D D4rkTrick

    App :)

    Design and Architecture security question design algorithms architecture

  • Literature on designing and implementing an access control system
    D D4rkTrick

    Do you have any recommendations of the many? Also: Be aware that Google is very different depending on the country you are searching from and the locale on your computer. You might get better results than LinkedIn and companies trying to sell their products - which is what I get.

    Design and Architecture security question design algorithms architecture

  • Literature on designing and implementing an access control system
    D D4rkTrick

    I didn't mean to try to find the answers here on the board, sorry for the misunderstanding. The questions were merely examples. I'm aware that "clean" or "good" are adjectives that are strongly coupled to the use case. My main goal is to find good literature.

    Design and Architecture security question design algorithms architecture

  • Literature on designing and implementing an access control system
    D D4rkTrick

    I'm searching for good, general literature* on how to design and implement access control management. I'd like to build up the knowledge to design a system myself and/or make informed decisions about the architecture of one. My focus is authorization, not authentication.

    *literature = online, offline, free, paid; anything goes.

    Some concrete questions could be

    - "in which roughness should I store permissions?"
    - "in which format should I store my permissions?"
    - "should I use RBAC, UBAC, ACL,... and how would I concretely implement them, cleanly?"
    - "How do I combine all that with a system that contains several individual organizations with their own set of permissions?"

    Does anyone have recommendations? Even a "look in this corner of the internet" would help. (I really cannot find anything useful about this topic. All search results contain the same hipster stuff)

    Just to make sure ... what I'm _not_ looking for:

    - A cook book.
    - Answers that just say "use this or that, because it's the standard"
    - Some "hip" book after which you nod, say "yes, aha, I see", but didn't really make you smarter.

    Design and Architecture security question design algorithms architecture

  • Compiler/syntax checker with add-on functionality
    D D4rkTrick

    So funny that a couple of years later (now) people are using babel, webpack, typescript, which is essentially exactly what I was thinking at that time :)

    Design and Architecture question c++ java discussion workspace

  • GTK3 tutorial on GitHub worth importing?
    D D4rkTrick

    Thank you for your opinion Nelek.

    Article Writing tutorial javascript html database com

  • GTK3 tutorial on GitHub worth importing?
    D D4rkTrick

    Hello, I'm currently working with GTK3 and write down everything I stumble over. I try to do so in a half-way tutorial style. I couldn't find the answers to most of my problems here on codeproject and GTK3 seems to be poorly documented in general, so I thought it might be worth adding some here. Before I spend more time on arranging content, I'd like to have an opinion if it's actually worth it to spend another x hours on getting it ready for codeproject.

    - Link to html-view of root page
    - Link to html-view of 'how to create lists' (JavaScript is not working here, so there's no table of contents)
    - Link to github repo

    Regards

    Article Writing tutorial javascript html database com

  • Message Closed
    D D4rkTrick

    Sorry! Thank you!

    Free Tools

  • Message Closed
    D D4rkTrick

    edit

    Free Tools

  • Is there a plan for a CP mobile app?
    D D4rkTrick

    Thank you. The thread creator was thinking of it in the subway, so I thought it *must be* related to the subway :D

    The Lounge mobile question

  • Is there a plan for a CP mobile app?
    D D4rkTrick

    To enhance my knowledge about systems and their abbreviations: could anyone tell me what CP is?

    The Lounge mobile question

  • Plurality - Modular Code Editor
    D D4rkTrick

    I'm not quite convinced about the multilanguage-export-support. I think this would be wasted energy as it might perhaps not be so bad, but also not good enough. BUT I'd really like to see and try such* an environment for any language. So feeding a java-project into such an editor and start writing Java in that style. Or any other language.

    *Of course, as others mentioned the graphics are a little ... improvable. So "such" refers to the graphical part

    Regards

    Design and Architecture html javascript css database com

  • Images in sourcecode
    D D4rkTrick

    Instead of writing to every single person, I get the idea of a general opinion regarding that. Therefore I might not put too much more effort in that project. @Gerry That was unexpected...and I was kind of laughing hard ... I'm probably easy minded :D Regards Darktrick

    Design and Architecture question

  • Plurality - Modular Code Editor
    D D4rkTrick

    I like the idea of having boxes rather than flowing text. Although, this strongly reminds me of Smalltalk and Self - especially the "one-file-thing" and the "simply drag the already existing function". Or perhaps I read too roughly? ^_^; regards

    Design and Architecture html javascript css database com

  • Images in sourcecode
    D D4rkTrick

    Hello, there is the saying "one picture describes more than a thousand words". I also find myself in a situation where an image inside the source code would describe the situation so much faster and easier than text. Especially for non-technical domain code. Therefore, I think enabling images inside source code would be a really awesome, helpful extension. But as a matter of fact, this feature does not exist. Am I maybe missing something here? What's your opinion on that topic? regards

    Design and Architecture question

  • flyweight design pattern - need some explanation
    D D4rkTrick

    thank you :):thumbsup:

    Design and Architecture design regex architecture performance help

  • flyweight design pattern - need some explanation
    D D4rkTrick

    Thank you for the answer! Yes, I was assuming a web page. But apparently the example was not appropriate and therefore misleading. Maybe we should just skip the example. So the "flyweight" in the "flyweight" pattern refers to small objects that all share some heavy resource?

    Design and Architecture design regex architecture performance help

  • flyweight design pattern - need some explanation
    D D4rkTrick

    Hi, I'm reading about the flyweight design pattern. In my understanding it's basically something like 'use shared pointers/references to big objects in order to save memory'. Example: I'm writing a website that contains 1MB pictures all over it. All the pictures are the same. Now, instead of transferring the picture x times, I transfer it only once and let the website content always refer to that already transferred picture. Am I right about that? The often used example with the letters and glyphs does really confuse me here, so I'd like to recheck. I can't understand why it would be better to have a referred letter instead of a simple char inside a class... I really appreciate any help here!! regards

    Design and Architecture design regex architecture performance help