Authz
Access Control Models
Access Controls provide a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
- Role-Based Access Control (RBAC)
- Relationship-Based Access Control (ReBAC)
- Attribute-Based Access Control (ABAC)
Authentication (Authn) is used to determine that users or systems are who they claim to be, and provides proof in the form of identity principals and attributes.
Authorization (Authz) is used to decide what privileges an actor has within a system.
Policy
- What is a policy?
- Policy Language Evaluation
- Casbin
- Cedar
- Rego
Criteria for evaluating policy languages:
- Must be able to model different types of access control models (RBAC, ReBAC, ABAC)
- Must be able to perform static analysis
- Must be actively supported
- Must have concise documentation
- Must provide the ability to extend the language using Ruby/Golang for describing complex policies.
- Must have a license that is compatible with the way we intend to use it.
Ideally, we should be able to model the following relationships:
| type | required |
|---|---|
| user-to-resource | required |
| resource-to-resource | required |
| user-to-user | not required |
Note: user-to-user relationships are not in the current access control model.
Architecture
```text
------------------    -------    -------------
| Users/Services |--->| PEP |--->| Resources |
------------------    -------    -------------
                        | A
                        V |
                      -------   ------------    -------
                      | PDP |-->| Policies |<---| PAP |
                      -------   ------------    -------
                        | A                        A
                        V |                        |
                      -------              -----------------
                      | PIP |              | Administrator |
                      -------              -----------------
```
PAP: Policy Administration Point
PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
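As an added example (not code from this page or from any of the evaluated policy languages), a minimal PDP in Go that evaluates the two required relationship types from the table above, user-to-resource and resource-to-resource, and answers PEP requests with default deny; the user and resource names, the "parent" relation, the relation-to-action grants and the depth bound are assumptions.

```go
package main
import "fmt"
// Tuple is one PIP-supplied fact: Subject has Relation to Object; "parent" is a resource-to-resource edge.
type Tuple struct{ Subject, Relation, Object string }
// PDP holds the tuples plus a map of relation -> actions that relation permits.
type PDP struct {
	tuples []Tuple
	grants map[string][]string
}
// hasRelation follows user-to-resource tuples directly and "parent" edges transitively.
func (p *PDP) hasRelation(subject, relation, object string, depth int) bool {
	if depth > 8 { // bound the walk so a cyclic parent graph ends in a deny
		return false
	}
	for _, t := range p.tuples {
		if t.Object != object {
			continue
		}
		direct := t.Relation == relation && t.Subject == subject
		if direct || (t.Relation == "parent" && p.hasRelation(subject, relation, t.Subject, depth+1)) {
			return true
		}
	}
	return false
}
// Decide is the PEP-facing entry point: deny unless a granted relation permits the action.
func (p *PDP) Decide(subject, action, resource string) bool {
	for rel, actions := range p.grants {
		for _, a := range actions {
			if a == action && p.hasRelation(subject, rel, resource, 0) {
				return true
			}
		}
	}
	return false
}
// NewSamplePDP loads constructed sample data (hypothetical users and resources).
func NewSamplePDP() *PDP {
	return &PDP{
		tuples: []Tuple{{"user:alice", "owner", "folder:eng"}, // user-to-resource
			{"user:bob", "viewer", "doc:design"},    // user-to-resource
			{"folder:eng", "parent", "doc:design"}}, // resource-to-resource
		grants: map[string][]string{"owner": {"read", "write"}, "viewer": {"read"}},
	}
}
func main() {
	fmt.Println(NewSamplePDP().Decide("user:alice", "write", "doc:design")) // true via folder:eng
}
```

A real deployment would have the PIP load the tuples from a store and the PAP manage the grants map; the depth bound is what keeps a mis-configured cyclic resource graph from turning into a hang in the PDP.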