This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

ACL RULES

Nyambati Thomas edited this page Nov 14, 2016 · 1 revision

How to write ACL rules

Designing a good ACL is important to ensure that your application's traffic is authorized correctly and efficiently. On this page I am going to show you how to design a good ACL based on your application's needs.


Assume you have a blog application, you want to make blogs read-only, and you want to deny users the ability to delete their own account. You want the admin to have full access to all resources.

Solution:

admin:
  resource: all
  methods: all
  action: allow

user:
  resource: users
  methods:
    - DELETE
  action: deny

  resource: blogs
  methods:
    - GET
  action: allow

Explanation

The admin group has access to all resources and can perform all operations on any resource. Therefore, we need to allow all resources and methods. However, the user group is only allowed to read the blogs, and to create, read and update their own user profiles. You may ask, why did we apply the deny action on the DELETE method instead of allowing the other HTTP methods? In express-acl, when you allow one method you automatically deny access to the other methods, and when you deny one method you allow the remaining methods. Thus denying one method is more concise than allowing three or four methods. When it comes to blogs we only need users to read them, therefore we allow the GET method, which means the other methods are denied.

For you to formulate good ACL rules, you need to understand the principle of negation. To allow is to deny and to deny is to allow. Confusing, right? How can you deny and allow at the same time? Let's look at this example: if I have four methods, POST, GET, PUT and DELETE, and I deny POST, this is the same as saying allow GET, PUT and DELETE. If I allow POST, it is the same as saying deny GET, PUT and DELETE.
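To make the negation principle concrete, here is a small evaluator that follows the semantics described above. It is an added illustration written for this page, not express-acl's own implementation. Two details are assumptions that the page does not state: a request for a resource with no matching permission is denied, and the first permission whose resource matches decides.

```javascript
// Added illustration of express-acl's "allow one, deny the rest" negation rule.
// This is NOT express-acl's own code; it is a minimal evaluator that follows
// the semantics explained on this page. Assumptions (not stated on the page):
//   - a resource with no matching permission is denied,
//   - the first permission matching the resource decides.

// The ACL from this page (same content as the nacl.json example below).
const ACL = [
  {
    group: 'admin',
    permissions: [{ resource: '*', methods: '*', action: 'allow' }],
  },
  {
    group: 'user',
    permissions: [
      { resource: 'users', methods: ['DELETE'], action: 'deny' },
      { resource: 'blogs', methods: ['GET'], action: 'allow' },
    ],
  },
];

// '*' matches any resource; otherwise the names must be equal.
function matches(pattern, value) {
  return pattern === '*' || pattern === value;
}

// Returns true when `method` on `resource` is permitted for `group`.
function isAllowed(acl, group, resource, method) {
  const entry = acl.find((g) => g.group === group);
  if (!entry) return false; // unknown group: deny (assumption)
  const perm = entry.permissions.find((p) => matches(p.resource, resource));
  if (!perm) return false; // no rule for this resource: deny (assumption)
  const listed =
    perm.methods === '*' || perm.methods.includes(method.toUpperCase());
  // Negation: listed methods get `action`; every other method gets the opposite.
  return perm.action === 'allow' ? listed : !listed;
}

// Expands one permission into the explicit allow-list it implies for a given
// set of methods: the "deny POST equals allow GET,PUT,DELETE" reading above.
function effectiveAllowList(perm, allMethods = ['GET', 'POST', 'PUT', 'DELETE']) {
  const acl = [{ group: 'tmp', permissions: [perm] }];
  return allMethods.filter((m) => isAllowed(acl, 'tmp', perm.resource, m));
}

// Demonstration on constructed requests.
console.log('user DELETE users ->', isAllowed(ACL, 'user', 'users', 'DELETE')); // false
console.log('user GET blogs    ->', isAllowed(ACL, 'user', 'blogs', 'GET')); // true
console.log('user POST blogs   ->', isAllowed(ACL, 'user', 'blogs', 'POST')); // false
// A deny rule lists what is forbidden, so any method not on the list is allowed,
// including ones the application did not have in mind when the rule was written.
console.log('user PATCH users  ->', isAllowed(ACL, 'user', 'users', 'PATCH')); // true
console.log('deny DELETE expands to', effectiveAllowList(ACL[1].permissions[0])); // [ 'GET', 'POST', 'PUT' ]
```

The last demonstration line is the practical caveat of the negation principle: a deny rule is a deny-list, so when a new method such as PATCH is routed later it is allowed by default under that rule, whereas an allow rule (blogs: GET) keeps denying anything not listed. Prefer allow rules for resources where the set of permitted operations should stay closed.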

Now that we have established that, let's write our config file. Our nacl.json will look like this:

[
  {
    "group": "admin",
    "permissions": [{
      "resource": "*",
      "methods": "*",
      "action": "allow"
    }]
  },
  {
    "group": "user",
    "permissions": [
      {
        "resource": "users",
        "methods": [
          "DELETE"
        ],
        "action": "deny"
      },
      {
        "resource": "blogs",
        "methods": [
          "GET"
        ],
        "action": "allow"
      }
    ]
  }
]

YAML syntax

# Admin user group
- group: admin
  permissions:
    - resource: '*'
      methods: '*'
      action: allow
# User group
- group: user
  permissions:
    - resource: users
      methods:
        - DELETE
      action: deny

    - resource: 'blogs'
      methods:
        - GET
      action: allow