Announcement Announcement Module
No announcement yet.
Rule based domain object access control Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Rule based domain object access control

    Hi, we are using most parts of acegi for securing our application (authentication, web request authorisation and method level authorisation)

    We are now looking at implementing domain object access control. We want to implement ACL security, but we seem to have extra requirements that are not covered by ACLs. ACLS basically seem to determine access to an object based on that objects id, however our requirements seem to imply we need a level of domain object security before we get to the object id. This is a type of 'rule based' security based on information in the object. For example a particular recipient (group or user) would have create / view / delete / update privileges on a an object based on a rule associated with the object type (eg i can create blue and green cars but only update blue ones and i can only delete cars of a particular 3 makes which have been inactive for 3 weeks or more, or i can only see tasks that are allocated to a particular department and have clearance level less than 4).

    Should I try to merge this 'rule based' security into the acl stuff as there are some common concepts (eg a permission mask, recipients etc) or should i define a new voter / collection filtering system for this type of security? The existing collection filtering system is tightly coupled to the acl implementation (so tightly that it has had to be rewritten with the new acl package). In fact the new system only passes the object id and not the domain object to the acl service so this implies i cant do the rule evaluation in the acl service. (the old acl manager took the entire domain object, so in this system a new acl provider could have been written to evaluate rules and return acls)

    Should the collection filtering be more abstracted from the acls so that it can filter based on more than the object id?

    Note - this rule based access control is in addition to acls which we will want to use as well for the most fine grained access control.

    Thanks for any help


  • #2
    good idea

    i am working on such a system integrated with spring. Do you have any additional use cases?