Reputation: 33
The problem: I have a set of information that some users have to access through my Web Application. Let's say that I have resources A, B, C of the same type T and the users are X, Y, Z. The business states that a user can access these resources as in the table below.
User -> Resources
X -> A
Y -> A C
Z -> A B C
A real-world example would be something like this:
Another thing to mention is that at any time, user X could be granted access to see the Hypermarkets from N.Y. too.
The question: How do I implement the authorization system so that it allows me to grant access to a user to a specific set of resources?
My first ideas:
Since I am going to use ASP.NET MVC and Web API, my first thoughts were to use Role-Based Authorization. After that, I found this article on how to extend the concept of Role-Based Authorization to a so-called "Activity"-Based Authorization.
But even this solution is not right for my business, because in my code I must have one function called GetAllHypermarkets, with no parameters, that will return all the Hypermarkets that the user is allowed to see. For example, for user X it will return only Hypermarkets from L.A. How can I achieve this?
Upvotes: 1
Views: 543
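One way to get the parameterless GetAllHypermarkets the question asks for is to treat authorization as a filter on the data rather than as a role check: keep an explicit grant table (user -> set of cities), look up the caller's grants, and return only the matching resources. The C# below is an added, self-contained example, not code from the original post or from the linked article. It assumes an ICurrentUser abstraction in place of ASP.NET's HttpContext.User, an in-memory CityGrantStore standing in for a database table, and a constructed sample data set in which resources A, B and C from the question are the cities L.A., N.Y. and Chicago.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample domain: resources of one type (Hypermarket), each tagged with a city.
public sealed class Hypermarket
{
    public int Id { get; }
    public string Name { get; }
    public string City { get; }
    public Hypermarket(int id, string name, string city) { Id = id; Name = name; City = city; }
}

// Who is calling. In ASP.NET MVC / Web API this would be backed by HttpContext.User;
// it is a plain interface here so the example runs without a web host (assumption).
public interface ICurrentUser
{
    string Name { get; }
}

// Explicit grant table: user -> cities the user may see. Default-deny: no row, no access.
// In production this lives in the database; here it is in memory (assumption).
public sealed class CityGrantStore
{
    private readonly Dictionary<string, HashSet<string>> _grants =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string user, string city)
    {
        if (!_grants.TryGetValue(user, out var cities))
        {
            cities = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            _grants[user] = cities;
        }
        cities.Add(city);
    }

    public IReadOnlyCollection<string> CitiesFor(string user) =>
        _grants.TryGetValue(user, out var cities)
            ? (IReadOnlyCollection<string>)cities
            : Array.Empty<string>();
}

public sealed class HypermarketService
{
    private readonly IReadOnlyList<Hypermarket> _all;
    private readonly CityGrantStore _grants;
    private readonly ICurrentUser _caller;

    public HypermarketService(IReadOnlyList<Hypermarket> all, CityGrantStore grants, ICurrentUser caller)
    {
        _all = all; _grants = grants; _caller = caller;
    }

    // The parameterless method from the question: the caller's identity drives the filter.
    public IReadOnlyList<Hypermarket> GetAllHypermarkets()
    {
        var allowed = _grants.CitiesFor(_caller.Name);
        return _all.Where(h => allowed.Contains(h.City, StringComparer.OrdinalIgnoreCase)).ToList();
    }

    // Single-resource lookups go through the same grant table, so an ID taken from a URL
    // cannot bypass the list filter.
    public Hypermarket GetHypermarket(int id)
    {
        var hm = _all.FirstOrDefault(h => h.Id == id);
        if (hm == null || !_grants.CitiesFor(_caller.Name).Contains(hm.City, StringComparer.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException($"{_caller.Name} may not see hypermarket {id}");
        return hm;
    }
}

public static class Program
{
    private sealed class FixedUser : ICurrentUser
    {
        public string Name { get; }
        public FixedUser(string name) { Name = name; }
    }

    public static void Main()
    {
        // Constructed sample data: A = L.A., B = N.Y., C = Chicago.
        var stores = new List<Hypermarket>
        {
            new Hypermarket(1, "Downtown", "L.A."),
            new Hypermarket(2, "Harbor", "L.A."),
            new Hypermarket(3, "Brooklyn", "N.Y."),
            new Hypermarket(4, "Loop", "Chicago"),
        };
        var grants = new CityGrantStore();
        grants.Grant("X", "L.A.");                                                  // X -> A
        grants.Grant("Y", "L.A."); grants.Grant("Y", "Chicago");                    // Y -> A C
        grants.Grant("Z", "L.A."); grants.Grant("Z", "N.Y."); grants.Grant("Z", "Chicago"); // Z -> A B C

        var asX = new HypermarketService(stores, grants, new FixedUser("X"));
        Console.WriteLine("X sees: " + string.Join(", ", asX.GetAllHypermarkets().Select(h => h.Name)));

        grants.Grant("X", "N.Y.");   // X is later granted the N.Y. hypermarkets too
        Console.WriteLine("X now sees: " + string.Join(", ", asX.GetAllHypermarkets().Select(h => h.Name)));

        var asW = new HypermarketService(stores, grants, new FixedUser("W"));   // no grants at all
        Console.WriteLine("W sees " + asW.GetAllHypermarkets().Count + " hypermarkets");
    }
}
```

In a real controller the ICurrentUser implementation reads the authenticated name or user ID from the request's principal, and the grant table is queried in the same database call that loads the hypermarkets, so the filter is applied on the server side for every request rather than trusting anything the client sends.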
Reputation: 26129
There are many funny terms which can help you:
I guess everybody wants to have an access control solution named by security professionals; that's why there is a huge number of names with hard-to-understand specifications...
AFAIK, of these, ABAC is the most elaborate solution. For example, there is even a markup language which supports ABAC... I suggest you use Google or https://security.stackexchange.com/ for further details, because I am not a security expert, so I probably have wrong information about these terms. I would post a "what's the difference" type question in your name, but they would kick my ass with 1000 downvotes, I guess...
Upvotes: 1