Yazid Erman

Reputation: 1186

Can data access control over a page wipe the need for RBAC restriction on it?

Developing access control for a web application, we have adopted RBAC, based on which each page and action is supposed to have an assigned permission that checks its accessibility by the current user as a physical component. This approach may lead to permission conflicts when there is data-level access, or, for example, when there are dynamically assigned privileges like workflows.

For example, a tasks list page that anybody can access to see their own tasks will show nothing as long as the user does not have access to any task. In this case, is it still recommended to restrict access to the page itself based on roles? The same concern applies to the task details pages themselves. If we added the RBAC restriction, then we would need to add specific logic, either by prioritizing data access regulations or by making frequent changes to RBAC at runtime, which is an effort that isn't worth it!

The question then is: can we exempt specific pages from the physical access restriction as long as they are fully controlled by data access? Or do we have to keep both and deal with it?

Upvotes: 1

Views: 33

Answers (0)
