RBAC in phpBricks

In phpBricks on June 17th, 2009

Role Based Permission Control (RBAC) is a widely used security model in the industry, including Oracle and Microsoft Exchange Server (in some form). When MAC and DAC are unable to address a business rule, the concept of RBAC is brought into practice. In this model, users are not assigned permissions directly but acquire them from their role(s). A role is created for a job function in the organization, and each role is designated to perform a set of operations. An employee can perform the operations assigned to his/her role(s). So, it is pretty straightforward.

I have implemented a lightweight form of RBAC (lightweight is my personal terminology). It's lightweight because it addresses exactly the needs of a web application. Full RBAC is very large when you implement all of its features; it's like a giant elephant. In phpBricks, RBAC is included in the user component. As shown in the figure below, it consists of Users, Roles, Permissions and a Resource Registry (Operations).

  • Users: Subjects which access the application. A user can have multiple roles, e.g. Forum editor and CMS editor.
  • Roles: A job title which consists of a list of operations (jobs). Roles can be of two types, black list or white list (deny list or allow list).
  • Permission: Indicates approval to access a resource.
  • Resource Registry: A list of operations (actions, also called methods) grouped into components and modules. A method represents an actual operation or function, while components and modules are packages. phpBricks is smart enough to collect all components, modules and methods and build the registry automatically, so the programmer doesn't need to worry about accounting for all of these.

[Figure: RBAC in phpBricks]

How to define?

From the back-end, when you access RBAC, it shows a matrix of roles and resources (operations). You simply tick a check-box to allow or deny access. One important thing to remember is the role type. By default all operations are allowed in a black-list role and all operations are denied in a white-list role. So by selecting an operation under a black-list role you are banning access, but under a white-list role you are allowing it.

How it works?

A resource is always identified by three parameters, i.e. component, module and action, known as CMA (a fourth, the primary key, is optional for advanced business rules). So, whenever a user tries to perform a certain operation, phpBricks authenticates the request based on the CMA.
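To make the role types and the CMA check concrete, here is a small added example (my own illustration, not phpBricks code). It assumes roles are additive, which the post does not specify: a user may perform an operation if any of his/her roles allows it.

```php
<?php
// Added illustrative model of the permission check described above, not
// phpBricks' own code. A resource is keyed by its CMA triple. Assumption (not
// stated in the post): roles are additive, a user may act when any role allows.
final class Role
{
    public const BLACKLIST = 'blacklist'; // everything allowed unless ticked
    public const WHITELIST = 'whitelist'; // everything denied unless ticked
    private string $type;
    /** @var array<string, true> CMA keys ticked in the back-end matrix */
    private array $ticked = [];
    public function __construct(string $type)
    {
        if (!in_array($type, [self::BLACKLIST, self::WHITELIST], true)) {
            throw new InvalidArgumentException("Unknown role type: $type");
        }
        $this->type = $type;
    }

    public function tick(string $component, string $module, string $action): void
    {
        $this->ticked["$component/$module/$action"] = true;
    }

    // A tick allows the operation in a whitelist role and bans it in a blacklist role.
    public function allows(string $component, string $module, string $action): bool
    {
        $ticked = isset($this->ticked["$component/$module/$action"]);
        return $this->type === self::WHITELIST ? $ticked : !$ticked;
    }
}

/** @param Role[] $roles the user's roles; a user with no roles may do nothing */
function userCan(array $roles, string $component, string $module, string $action): bool
{
    foreach ($roles as $role) {
        if ($role->allows($component, $module, $action)) { return true; }
    }
    return false;
}

// Constructed sample: a whitelist "Forum editor" role that may only edit posts,
// and a blacklist "Moderator" role that may do anything except delete users.
$forumEditor = new Role(Role::WHITELIST);
$forumEditor->tick('forum', 'post', 'edit');
$moderator = new Role(Role::BLACKLIST);
$moderator->tick('admin', 'user', 'delete');
var_dump(userCan([$forumEditor], 'forum', 'post', 'edit'));   // ticked in a whitelist role
var_dump(userCan([$forumEditor], 'forum', 'post', 'delete')); // not ticked in a whitelist role
var_dump(userCan([$moderator], 'admin', 'user', 'delete'));   // ticked in a blacklist role
```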

What next?

Checking permissions in real time whenever an access request is made can make performance slow. So, I am thinking of a permission caching technique.

Recommended reading:

Role-Based Access Control by David F. Ferraiolo (it can be found on Amazon)

Note:

In the above text, the following terms may be confusing because they are used interchangeably.

Operation=Function=Resource=Action=Method

One Response to “RBAC in phpBricks”

  1. Dibyesh says:

    Great!!! Keep it up bro;
