-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
83 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| # Role Based Access Control (RBAC) | ||
|
|
||
| _Understand_ the fundamentals of Role Based Access Control (RBAC) | ||
|
|
||
| ## Why? | ||
|
|
||
| RBAC lets you easily manage roles and permissions in any application | ||
| and see at a glance exactly permissions a person has in the system. | ||
| It reduces complexity over traditional | ||
| Access Control List (ACL) based permissions systems. | ||
|
|
||
|
|
||
| ## What? | ||
|
|
||
| The purpose of RBAC is to provide a framework | ||
| for application administrators and developers | ||
| to manage the permissions assigned to the people using the App(s). | ||
|
|
||
| Each role granted just enough flexibility and permissions | ||
| to perform the tasks required for their job, | ||
| this helps enforce the | ||
| [principal of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | ||
|
|
||
| The RBAC methodology is based on a set of three principal rules | ||
| that govern access to systems: | ||
|
|
||
| 1. **Role Assignment**: | ||
| Each transaction or operation can only be carried out | ||
| if the person has assumed the appropriate role. | ||
| An operation is defined as any action taken | ||
| with respect to a system or network object that is protected by RBAC. | ||
| Roles may be assigned by a separate party | ||
| or selected by the person attempting to perform the action. | ||
|
|
||
| 2. **Role Authorization**: | ||
| The purpose of role authorization | ||
| is to ensure that people can only assume a role | ||
| for which they have been given the appropriate authorization. | ||
| When a person assumes a role, | ||
| they must do so with authorization from an administrator. | ||
|
|
||
| 3. **Transaction Authorization**: | ||
| An operation can only be completed | ||
| if the person attempting to complete the transaction | ||
| possesses the appropriate role. | ||
|
|
||
|
|
||
| ## Who? | ||
|
|
||
| Anyone who is interested in developing secure multi-user applications | ||
| should learn about RBAC. | ||
|
|
||
|
|
||
| ## _How_? | ||
|
|
||
| Let's create the Database Schemas (Tables) to store our RBAC data, | ||
| starting with **`Roles`**: | ||
|
|
||
| ``` | ||
| mix phx.gen.html Ctx Role roles name:string desc:string person_id:references:people | ||
| ``` | ||
|
|
||
|
|
||
| ``` | ||
| mix phx.gen.html Ctx Permission permissions name:string desc:string person_id:references:people | ||
| ``` | ||
|
|
||
| Next create the **`many-to-many`** relationship between roles and permissions. | ||
|
|
||
| ``` | ||
| mix ecto.gen.migration create_role_permissions | ||
| ``` | ||
|
|
||
| Now create the **`many-to-many`** relationship between people and roles. | ||
|
|
||
|
|
||
|
|
||
|
|
||
| ## Recommended Reading | ||
|
|
||
| + https://en.wikipedia.org/wiki/Role-based_access_control | ||
| + https://www.sumologic.com/glossary/role-based-access-control | ||
| + https://medium.com/@adriennedomingus/role-based-access-control-rbac-permissions-vs-roles-55f1f0051468 |