3
votes

We need to implement authorization rules like below.

If the user is a Super Admin, then give him all customers' information, like order information. If the user is a Customer Admin, only provide him his own customer's information. Etc.

We are planning to implement the filtration at DAO layer.

What could be a suggestion for creating a generic design to handle this scenario? Assume that our application already has a DB model for RBAC (role-based authorization control). We are open to any DAO technology, like JPA or iBATIS or native queries etc.

High-level acceptance criteria: authorization policies should be configurable and changeable at runtime. Example: if a Customer Admin can see their own data, in future the rule can be changed to allow them to see their own and friends' data.

We evaluated authorization policy languages like XACML, but did not like to implement it because of its complexity. We are planning to write a home-grown solution. Any suggestions are welcome.

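As an added illustration of the design the question describes (not code from the poster), here is a minimal DAO-layer filter where the role-to-rule mapping is data that can be swapped at runtime, each rule emits only a parameterised SQL predicate, and unknown roles fall through to deny. The table names, the `customer_friends` relation and the `set_policy` helper are assumptions for the example.

```python
import sqlite3

# Runtime-editable policy: role -> rule name (constructed sample; could be loaded from the RBAC DB).
POLICIES = {"SUPER_ADMIN": "all", "CUSTOMER_ADMIN": "own_customer"}

# Each rule returns (sql_predicate, params). The predicate text is fixed code, never user input;
# only the bound parameters vary, so the filter cannot be turned into SQL injection.
def _all(user):
    return "1=1", ()

def _own_customer(user):
    return "customer_id = ?", (user["customer_id"],)

def _own_and_friends(user):  # hypothetical "self and friends" rule from the question
    return ("customer_id = ? OR customer_id IN "
            "(SELECT friend_id FROM customer_friends WHERE customer_id = ?)",
            (user["customer_id"], user["customer_id"]))

RULES = {"all": _all, "own_customer": _own_customer, "own_and_friends": _own_and_friends}

def set_policy(role, rule_name):
    """Change a role's rule at runtime; reject names that have no implementation."""
    if rule_name not in RULES:
        raise ValueError(f"unknown rule: {rule_name}")
    POLICIES[role] = rule_name

def order_filter(user):
    rule = POLICIES.get(user["role"])
    if rule is None:          # default deny: a role without a policy sees nothing
        return "1=0", ()
    return RULES[rule](user)

def find_orders(conn, user):
    where, params = order_filter(user)
    sql = f"SELECT id FROM orders WHERE {where} ORDER BY id"  # 'where' comes from RULES, not the caller
    return [row[0] for row in conn.execute(sql, params)]

def demo_db():
    """Constructed in-memory sample data: customer 10 has orders 1,2 and is friends with 20."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER, customer_id INTEGER);
        CREATE TABLE customer_friends(customer_id INTEGER, friend_id INTEGER);
        INSERT INTO orders VALUES (1,10),(2,10),(3,20),(4,30);
        INSERT INTO customer_friends VALUES (10,20);
    """)
    return conn
```

Changing what a Customer Admin may see is then a `set_policy` call (or a row update in the policy table) rather than a code change, which is the runtime-configurability the question asks for.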

1 Answer

2
votes

You write in your answer that you looked at XACML and did not implement it. What you should do is take XACML off the shelf, either from a vendor or an open-source alternative. You will find plenty in either category, such as WSO2 (open source) or Axiomatics (vendor).

XACML is the de facto standard for fine-grained attribute-based access control (see NIST's page on the topic). It's 10 years old and it's got the likes of IBM, Microsoft, Oracle, Axiomatics, and Bank of America behind it. With all due respect, I very much doubt a home-grown solution will do.

You are looking for filtering at the DAO layer. It looks like you could use the Data Access Filter. It is XACML-based and you do not need to implement anything specific (read: developer effort is very low).

I cannot force you to go one way or another but I would seriously consider going standards-based. Any other way may sound like a good idea in the short term but it will bite back seriously in the medium to long term.