
  • Instance based security

    Hi,
    I am new to Acegi Security Framework, and I have got basic
    authentication and role based security working. However, I have a
    few questions about instance based security. I have a system that
    stores information about employees. I need to establish instance
    based security so that
    - an employee can edit/view his own information
    - group manager can also edit/view all employees in his dept.,
    but not if the employees don't belong to his group.
    - employees in the same group can view information of other
    employees but they cannot edit.

    - delegation: the manager may go on vacation for two weeks and
    transfer his access to another person in the group. Now that
    person will have all privileges temporarily (Note we are not
    talking about logging in as manager, the person will continually
    login as himself, but will have privileges of manager.) Is there
    any cleaner way to do it other than just creating special privileges
    for that person and removing them when manager comes back?

    Can someone suggest a good way to do in the existing Acegi framework?
    Thanks in advance.

  • #2
    I think I should write a book on the ACL stuff. We need a collection of "ACL Design Patterns" for people to use. :-)

    Recall the two ACL related tables:

    Code:
    CREATE TABLE acl_object_identity (
         id IDENTITY NOT NULL,
         object_identity VARCHAR_IGNORECASE(250) NOT NULL,
         parent_object INTEGER,
         acl_class VARCHAR_IGNORECASE(250) NOT NULL,
         CONSTRAINT unique_object_identity UNIQUE(object_identity),
         FOREIGN KEY (parent_object) REFERENCES acl_object_identity(id)
    );
    
    CREATE TABLE acl_permission (
         id IDENTITY NOT NULL,
         acl_object_identity INTEGER NOT NULL,
         recipient VARCHAR_IGNORECASE(100) NOT NULL,
         mask INTEGER NOT NULL,
         CONSTRAINT unique_recipient UNIQUE(acl_object_identity, recipient),
         FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity(id)
    );

    Basically, you'd have a hierarchy of objects (ie acl_object_identity entries) which follows the organisational department hierarchy. Employees and managers (ie Person entities) would appear within their unit (ie OrgUnit). Take this org structure:

    Corporation --> Information Systems --> Tech Operations --> Helpdesk

    Jane is the CEO (at Corporation level)
    James is the CIO (at Information Systems level)
    Jenny is the Helpdesk manager (Helpdesk level)
    Bob is a Helpdesk officer (Helpdesk level)

    Thus, your acl_object_identity would be:

    OrgUnit Corporation's parent = null
    OrgUnit Information Systems' parent = Corporation
    OrgUnit Tech Operations' parent = Information Systems
    OrgUnit Helpdesk's parent = Tech Operations
    Person Jane's parent = Corporation
    Person James' parent = Information Systems
    Person Jenny's parent = Helpdesk
    Person Bob's parent = Helpdesk

    NB: The parent is from a PERMISSIONING level - NOT from an object relational level. The two concepts are totally different and not to be confused. acl_object_identity only cares about where effective ACLs should flow from one entity down to the next.

    Now you know how to represent your people and organisational units, it's nice and simple to apply permissions....

    When Persons are created, your services layer should generate (in addition to the correct acl_object_identity), an acl_permission giving that person access to the acl_object_identity.

    You'll also need a "manager administration" use case, which assigns a given person extra permissions over a given department and all sub-departments. Or deletes such extra permissions. All this would do is create an acl_permission for the relevant OrgUnit's corresponding acl_object_identity. Because your permission hierarchy is properly implemented, the rights will automatically flow down.

    There are variations as well. eg your "manager administration" use case could assign it to a ROLE_MANAGER_HELPDESK recipient, which obviously has permission to the helpdesk. As such when Jenny goes on holidays, Bob can be made a member of that role and immediately get the permissions.

    HTH
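
The permission hierarchy from post #2, as an added example that is not part of the thread and is not Acegi code: the two tables adapted to SQLite types, loaded with the post's org chart, plus a simplified resolver that ORs the masks found on an object and its permissioning ancestors. The `OrgUnit:`/`Person:` identity strings and the `READ`/`WRITE` bit values are assumptions, and Acegi's own ACL resolution may differ.

```python
import sqlite3
READ, WRITE = 2, 4  # illustrative mask bits (assumption)
ID_OF = "(SELECT id FROM acl_object_identity WHERE object_identity = ?)"
ORG = [  # (object_identity, permissioning parent): the post's org chart, naming constructed
    ("OrgUnit:Corporation", None),
    ("OrgUnit:Information Systems", "OrgUnit:Corporation"),
    ("OrgUnit:Tech Operations", "OrgUnit:Information Systems"),
    ("OrgUnit:Helpdesk", "OrgUnit:Tech Operations"),
    ("Person:Jane", "OrgUnit:Corporation"),
    ("Person:James", "OrgUnit:Information Systems"),
    ("Person:Jenny", "OrgUnit:Helpdesk"),
    ("Person:Bob", "OrgUnit:Helpdesk"),
]

def build_db():
    """In-memory SQLite adaptation of the two ACL tables, loaded with ORG."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE acl_object_identity (id INTEGER PRIMARY KEY,
            object_identity TEXT NOT NULL UNIQUE,
            parent_object INTEGER REFERENCES acl_object_identity(id));
        CREATE TABLE acl_permission (acl_object_identity INTEGER NOT NULL,
            recipient TEXT NOT NULL, mask INTEGER NOT NULL,
            UNIQUE (acl_object_identity, recipient));""")
    for ident, parent in ORG:
        db.execute("INSERT INTO acl_object_identity (object_identity, parent_object) "
                   f"VALUES (?, {ID_OF})", (ident, parent))
    return db

def grant(db, ident, recipient, mask):
    """Create or overwrite one acl_permission row; an unknown object raises IntegrityError."""
    db.execute(f"INSERT OR REPLACE INTO acl_permission VALUES ({ID_OF}, ?, ?)",
               (ident, recipient, mask))

def effective_mask(db, ident, recipients):
    """OR every mask granted to any recipient on the object or one of its ancestors."""
    marks = ",".join("?" * len(recipients))
    rows = db.execute(f"""
        WITH RECURSIVE chain(id, parent_object) AS (
            SELECT id, parent_object FROM acl_object_identity WHERE object_identity = ?
            UNION  -- UNION (not UNION ALL) so an accidental parent cycle terminates
            SELECT o.id, o.parent_object FROM acl_object_identity o
            JOIN chain c ON o.id = c.parent_object)
        SELECT p.mask FROM chain JOIN acl_permission p ON p.acl_object_identity = chain.id
        WHERE p.recipient IN ({marks})""", (ident, *recipients)).fetchall()
    mask = 0
    for (m,) in rows:
        mask |= m
    return mask  # 0 means no access: unknown objects and strangers fail closed
```

After granting `READ | WRITE` to `ROLE_MANAGER_HELPDESK` on `OrgUnit:Helpdesk`, `effective_mask(db, "Person:Jenny", ["Bob", "ROLE_MANAGER_HELPDESK"])` returns 6. That is the delegation case: Bob's rights follow his role membership, with no permission rows written for him personally.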



    • #3
      RE: Instance based security

      Thanks Alex, indeed it will be great if you can come up with a cook book or patterns for various security scenarios. I have another question about setting up groups. We have a large application where individuals are separated into groups and we would like to set up permissions and access controls based on groups (for ease of management). Can you suggest the best way to add this to your framework?

      Also, if we separate our application into physical tiers such as Web tier and application tier, is there a way to propagate security context from web to application? For example, J2EE has Communication Secure Interoperability (CSIV2) standard to support propagation of security context. Is there an equivalent mechanism in your framework?
      Thanks in advance.



      • #4
        Re: RE: Instance based security

        Originally posted by sbhatti
        Thanks Alex, indeed it will be great if you can come up with a cook book or patterns for various security scenarios. I have another question about setting up groups. We have a large application where individuals are separated into groups and we would like to set up permissions and access controls based on groups (for ease of management). Can you suggest the best way to add this to your framework?
        http://forum.springframework.org/viewtopic.php?t=3668
        http://forum.springframework.org/viewtopic.php?t=674

        Originally posted by sbhatti
        Also, if we separate our application into physical tiers such as Web tier and application tier, is there a way to propagate security context from web to application? For example, J2EE has Communication Secure Interoperability (CSIV2) standard to support propagation of security context. Is there an equivalent mechanism in your framework?
        Thanks in advance.
        http://acegisecurity.sourceforge.net...e-summary.html
        http://acegisecurity.sourceforge.net...e-summary.html

        HTH
        Ben
