In the Yii framework, is accessControl and accessRules independent of RBAC? - frameworks

In Yii, there is an accessControl filter and a accessRules method that handle simple authorization to certain tasks. In my application, I have RBAC to authorize users into roles.
My question is should I use the accessControl filter and accessRules method in addition to RBAC or can I remove them and use RBAC exclusively?

You can make use of RBAC along with the accessRules() method by passing an array with the roles you want to check (of course, those roles need to be defined in your RBAC schema for it to work).
Further information on that: http://www.yiiframework.com/doc/api/1.1/CAccessControlFilter
Also you can use RBAC by its own, by calling Yii::app()->user->checkAccess() everytime you want to check if a user's got the permissions to access a resource, task or anything else.
I would recommend you to make use of accessRules + RBAC when you need to restrict access to controllers/actions according to user's roles, and use RBAC alone when it comes to a more granular access control.

Related

Include groups (along with roles) in Keycloak token?

Is there a way to include the list of groups a user is a member of inside a Keycloak access token, along with the roles they are in? I've created several groups and mapped them to roles. However, I may have more than 1 group that maps to a particular role. I'd like to be able to make fine-grained authorization decisions so I know that User A is in Role A but also Group B. Is that possible?
Found the answer to this right here. All I had to do was add an additional mapper to my Client. Worked like a charm.

How to manage Azure DevOps group permissions with REST API

I need to set group permissions by inheriting from another already existing group but it has to be coded. I've managed to create a group but I haven't found a way to edit their permissions, is there any way to do it using either Client libraries or the API resources?
I believe it should be possible to do it using SecurityHttpClient's function SetAccessControlListsAsync() or something similar to it but I'm not sure how to implement it.
It seems you are looking for Access Control Entries - Set Access Control Entries API, which is used to add or update ACEs in the ACL for the provided token.
More details, you can refer to the documentation below:
https://learn.microsoft.com/en-us/rest/api/azure/devops/security/?view=azure-devops-rest-5.0
I don't think it is possible for the APIs at the moment. I also can not find APIs which are used to set the permission for the group.
#Cece Dong - MSFT, in your response, the API is for security namespace of the organization, but it is not for a group. In another word, I can not find any relationship with the security namespace and group. I created a group in my project, but when i use this API to query all the security namespaces, i can not get the relative group info.

Role Activity & Access Level

I have developed a web application with following architecture:
Frontend : Angular 6
Backend : Java REST APIs with Springboot
I want to add authentication and authorization to it. For that I'm looking for some open source application (e.g. KeyCloak, Gluu etc.). I would like to know in which tool the below scenarios are supported.
There will be predefined set of Activities on UI (e.g. Add, Edit,
Delete etc)
There will be predefined Access Levels (e.g. Read, Write, No Access)
I should be able to create Roles, then assign activities and access levels to those roles and assign those roles to user.
Can you please help me to find out a tool which supports my above scenario?
I tried something for KeyCloak, but i couldn't find a way to add activities, access levels and map roles to it. I think everything there is governed by Role only.
I just realized that I need Activity based authorization and not Role based authorization. Please help me find some tool for that.
I'm not sure what is meant by activity based authorization but i suspect you actually mean permission based authorization, in example: Grant permissions to users to perform certain actions.
Shiro offers you permissions and role based authorization out of the box.
You can create roles, add permissions to these roles and assign them to a user. Supported are implicit and explicit roles, whereas one role can hold any number of permissions. You can even work with wildcards and group the permissions.
For more information you should take a look at the official Shiro entry and especially the web documentation for your project in particular. Shiro offers full support for Spring-Boot applications, you can find a HowTo here.
Shiro fully supports your described scenario.

Anyone knows how to give individual limited cluster access to users without using RBAC in kube 1.5.7?

I want to be able to give certain users limited access to the cluster. The admin user is in the kube config but i want to give access to individual users like "bob" but only to just a certain namespace etc. Is the possible without using RBAC?
you will need to use ABAC authorization mode: https://kubernetes.io/docs/admin/authorization/abac/

Permission control using apache shiro

I am new in apache shiro, and I read almost 60% of tutorials in apache shiro page.
It is a wonderful framework, however I wonder if it can meet my requirements.
I am interested in the permission-based authentication.
For example, to make sure if the user have the permission of delete resources, we can use this:
currentUser.isPermitted( "resource:delete" );
However in our application, even a user have the permission of delete resources, he can only delete some specified resources, not all of them.
For example(just an exmaple), the resource have an filed named createdby to record the one who create this resource.
Now user can only delete the resources created by himself if he have the resouce:delete permission.
In fact, the resources which can be deleted by the user(who have authenticated and have delete permission) will be calculated by more constraints.
Now how to make shiro work in this suitation?
You can do this in Shiro but you will have to write some code. Either create a subclass of Authorizer and inject it into the security manager or create a subclass of one of the realm classes such as JdbcRealm. Then override the isPermitted method. This will need to have access to your permissions model, for example the database table or a document in a NoSQL database.
Your call to isPermitted will need to specify the resource you are deleting so you can look it up in your overridden method.
If you override the isPermitted method in the AuthorizingRealm subclass you will have access to the logged in user's principals and the user's Roles: this gives you quite a bit of flexibility because you can have says: user (principal) Fred with roles: Manager, Administrator. Your permissions model can then decide if Fred, a Manager or and Administrator can perform the task on the specified resource.
Hope that gives you some ideas.
From the extent, I have explored Shiro, I don't think it gives that level of flexibility to have a customized check. It basically functions based on roles and permission defined in the config file.
For this functionality I would suggest that you display only those records the user is allowed to delete, by have this check at query fetch level. (or) add a condition at the UI level not display the delete button if logged in user is same as created by. This is just a suggestion.