<p>You need to look beyond ACL and RBAC and consider attribute-based access control (ABAC - see NIST's guide <a href="http://csrc.nist.gov/projects/abac/" rel="nofollow">here</a>). Gartner calls this space "externalized authorization management".</p> <p>With ABAC, you can easily express any rules that take into account not just who the user is but also what the user wants to do, where, when, why, and how. Using attributes to define authorization, you can use XACML to implement policies. <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml" rel="nofollow">XACML</a> is an OASIS standard (just like SAML).</p> <p>With XACML, you get an API where you can ask questions, e.g.: <em>can Alice view this record?</em> But in your case, it's not enough because you want to filter out records from the database. And, as you describe, you want the query to be right from the start rather than going back and forth to the database until you have the right number of authorized records. This is where XACML becomes particularly interesting because it's technology-neutral. You can apply XACML to Java, C#, and other languages e.g. Python, but also apply XACML to different layers (presentation, APIs, and... databases). XACML can be queried in a reverse query way to produce a SQL statement which you could then use to query your backend database for the relevant records:</p> <ul> <li>Which records can Alice view?</li> <li>Alice can view records in California which yields "SELECT * FROM records WHERE location='CA'"</li> </ul> <p>HTH</p>
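The reverse-query step the answer describes, as an added example that is not part of the original answer or of any XACML implementation: a small attribute-based policy (constructed) is evaluated against the caller's attributes, the rules whose subject part matches are translated into a parameterised SQL filter, and a caller who matches no rule gets an empty result set rather than an unfiltered table. `Rule`, `POLICY`, `resolve` and `reverse_query` are hypothetical names, and the `${subject.attr}` reference syntax is an assumption made for this example.

```python
import re
from dataclasses import dataclass

# Column/table names come from the trusted policy, never from the caller,
# but are still restricted to plain identifiers before they reach SQL text.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def ident(name: str) -> str:
    if not IDENT.match(name):
        raise ValueError(f"unsafe SQL identifier: {name!r}")
    return name

@dataclass
class Rule:
    action: str
    subject: dict[str, str]    # attributes the caller must have, e.g. role
    resource: dict[str, str]   # column constraints; values may be ${subject.attr}

# Constructed sample policy modelled on the answer's example: an agent sees
# records in their own state, a high-clearance agent also sees flagged ones,
# and an auditor sees everything.
POLICY = [
    Rule("view", {"role": "agent"}, {"location": "${subject.region}"}),
    Rule("view", {"role": "agent", "clearance": "high"}, {"status": "flagged"}),
    Rule("view", {"role": "auditor"}, {}),
]

def resolve(value: str, subject: dict[str, str]) -> str:
    """Replace a ${subject.x} reference with the caller's attribute x."""
    if value.startswith("${subject.") and value.endswith("}"):
        return subject[value[len("${subject."):-1]]
    return value

def reverse_query(policy: list[Rule], subject: dict[str, str],
                  action: str, table: str) -> tuple[str, list[str]]:
    """Answer 'which rows may this subject <action>?' as a parameterised SELECT.
    Matching rules' resource conditions are OR-ed; no match means deny by default."""
    base = f"SELECT * FROM {ident(table)}"
    disjuncts, params = [], []
    for rule in policy:
        if rule.action != action:
            continue
        if any(subject.get(k) != v for k, v in rule.subject.items()):
            continue
        if not rule.resource:             # unconditional permit: no filter at all
            return base, []
        disjuncts.append("(" + " AND ".join(f"{ident(c)} = ?" for c in rule.resource) + ")")
        params.extend(resolve(v, subject) for v in rule.resource.values())
    if not disjuncts:
        return base + " WHERE 1 = 0", []  # deny-by-default: an empty result set
    return base + " WHERE " + " OR ".join(disjuncts), params
```

Pass the returned `(sql, params)` pair to the DB-API `execute` call so that attribute values travel as bind parameters, not as interpolated string literals.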