fine-grain authorization controls
The purpose of logical access control is to protect objects—be they data, services, executable applications, network devices, or some other type of information technology—from unauthorized operations. These operations may include discovering, reading, creating, editing, deleting, and executing objects. These objects are owned by an individual or organization and have some inherent value that motivates those owners to protect them. As owners of the objects, they have the authority to establish a policy that describes what operations may be performed upon those objects, by whom, and in what context those subjects may perform those operations.
- share permissions between UI, API and microservices
- support claim-based and A-BAC
- preferrably typed
- Tree shakable (good to organize mess generated by JS) < 10KB
- R-BAC role
- A-BAC attribute P-BAC policy | C-BAC claim (microsoft specific terminology)
- U-BAC user
- C-BAC context
- R-BAC rule
- T-BAC time
Attribute based access control, Subject/Action based
Attributes
-
Subject - actor
-
Object - resource unit you want to protect
-
Action - access, allow/deny Policy
-
Environment conditions - time, compression, cache, network, geo-location
-
policy model on attributes
-
google implements IAM using A-BAC model
-
relatively newer than R-BAC (1992), A-BAC (2003) with emergence of SOA
In this model, access permissions are assigned to roles and, in turn, roles are allocated to subjects. RBAC is an access control mechanism based on the rationale that access rights are assigned to roles, rather than to the subjects that perform these roles [1-5]. This approach is attractive for concisely describing authorization, particularly within organizations, because responsibilities are often assigned to employees (subjects) based on their duties (roles)
- operated on ability-level
- can implement feature-toggle
- conduct A/B testing
- implement rule-based business logic, disallow user to watch video if subscription has expired
- restrict database queries
@casl/ability/extra