8 Identity-based access control


This chapter covers

  • Organizing users into groups
  • Simplifying permissions with role-based access control
  • Implementing more complex policies with attribute-based access control
  • Centralizing policy management with a policy engine

As Natter has grown, the number of access control list (ACL, chapter 3) entries has grown too. ACLs are simple, but as the number of users and objects that can be accessed through an API grows, the number of ACL entries grows along with them. If you have a million users and a million objects, then in the worst case you could end up with a billion ACL entries listing the individual permissions of each user for each object. Though that approach can work with fewer users, it becomes more of a problem as the user base grows. This problem is particularly bad if permissions are centrally managed by a system administrator (mandatory access control, or MAC, as discussed in chapter 7), rather than determined by individual users (discretionary access control, DAC). If permissions are not removed when no longer required, users can end up accumulating privileges, violating the principle of least privilege. In this chapter you’ll learn about alternative ways of organizing permissions in the identity-based access control model. In chapter 9 we’ll look at alternative non-identity-based access control models.

8.1 Users and groups

8.1.1 LDAP groups

8.2 Role-based access control

8.2.1 Mapping roles to permissions

8.2.2 Static roles

8.2.3 Determining user roles

8.2.4 Dynamic roles

8.3 Attribute-based access control

8.3.1 Combining decisions

8.3.2 Implementing ABAC decisions

8.3.3 Policy agents and API gateways

8.3.4 Distributed policy enforcement and XACML

8.3.5 Best practices for ABAC

8.4 Summary