I'd like to make a system with granular permissions so
Is there a way to make groups of claims and assign them to a role so when a user gets a role it gets all the claims?
Is it possible to create groups of claims or am I misunderstanding something?
I'm failling to find the purpose of claims.
This could be done using groups with various roles and the roles are gonna be the permissions, right? This is the way I should do it? Since roles per se are claims.
Following steps can solve your problem
Create granular level of roles...typically for each action
Group them up into GroupRoles...so that admin can easily manage it
Add individual level claims to user for specific permission
Some good examples of the same are below
http://www.3pillarglobal.com/insights/granular-level-user-and-role-management-using-asp-net-identity
http://bitoftech.net/2015/03/11/asp-net-identity-2-1-roles-based-authorization-authentication-asp-net-web-api/
Hope this solves your problem
Related
I am using FOSUserBundle in my Symfony2 project.
My goal is to make the teams consist with multiple users. Users are invites by administrator (owner) by e-mail confirmation.
If a user belongs to one team, can't set up new accounts using the same address. Of course, each user should have the opportunity to unsubscribe from the team.
Are there any ready-made solutions? I looked for Groups With FOSUserBundle.
Or do you have any good advice?
You were right, groups can be a good ready-to-use solution to make your logic.
The association is already setup and it's also easy to extend.
The documentation (now part of Symfony's doc) contains a great guide to use groups.
Of course, you can make your own entity, take example from the FOSUB User->Group logic (association) .
You should see the Security and Roles part of the documentation to manage authorisations of your different kind of users.
You can assign roles to your different groups, and make your users directly inherit the roles of their group for manage access permissions.
For the confirmation email, see the corresponding documentation too .
And for the unsubscribing, just remove the association between the user you want remove from a Group and the Group (or Team).
This is also part of the association, see the doctrine documentation.
Good use.
I am building system and trying to decide between Voters and ACL. What I need to achieve is there should be users with different roles to access object properties, for example: A regular authenticated user could see Post and it contents but not it's "Position" attribute, and User with editor role could also see the Post and it's contents, and have permision to see "Position" attribute and edit it.
Can I achieve this functionality by using voters alone, or I need to use ACL?
EDIT:
I'm sorry for confusing question, I'm new to symfony and don't quite yet understand those concepts. What I wan't to achieve is permissions in object field level.
Regular user can access "TITLE" and "CONTENT" properties, and modify "CONTENT" property", moderator can view and edit, both of previous properties, and admin should have access to all object properties, and do whatever with them.
The docs only explain how to check access on objects rather than properties.
I'll explain the decisions I make when choosing between voters or ACL. Next I'll explain how you can use (Hierachy) voters to achieve your goal.
When users simply have or don't have access to a object based on a role, access can be performed using the firewall and is the simplest solution.
However when access depends on a per object basis under certain rules a Voter should be used. An example, Users can only edit a post when they created it. But moderators should always be ably to edit a post.
The most difficult of access control is when a user can be granted access by an other user. For example, an admin can assign users to a post and grant them edit permissions. This is a solution where access can't be decided based purely on the role of the user. The access/permissions need to be stored per user for an object. This is what ACL does. It stores permissions on objects in the database per user.
As for your problem.
Mostly these kind of uses are handled in the code itself. I've seen a lot of different forms for an entity. UserPostFormType, ModeratorPostFormType and AdminPostFormType. This isn't very dry as you can see. And checking the type of user in the code
Consider defining roles and manage them using hierarchy.
Define separate roles per property per action.
Thus define the following roles.
ROLE_ID_VIEW
ROLE_ID_EDIT
ROLE_TITLE_VIEW
ROLE_TITLE_EDIT
...
You can then assign these roles to the correct user role.
security:
role_hierarchy:
ROLE_USER: [ROLE_TITLE_VIEW, ROLE_CONTENT_VIEW, ROLE_CONTENT_EDIT]
ROLE_MODERATOR: [ROLE_USER, ROLE_TITLE_EDIT]
ROLE_ADMIN: [ROLE_MODERATOR, ROLE_ID_EDIT, ROLE_ID_VIEW]
You can now use the Hierarchy Voter to check if a user can modify or view a certain property.
The cleanest solution would be to create a Listener on you form which adds fields on your forms based the permissions the current user has.
Voters have nothing to do with ACL. Voters concern is route access whereas ACL concern is object read/write access.So it's not one or the other because they dont have anything to do with each other.
I am trying to understand access control based on RBAC model. I referred to the following link.
NIST RBAC Data Model
I haven't understood this part clearly as mentioned in the excerpt -
*"Each session is a mapping of one user to possibly many roles, i.e., a user establishes a session during which the user activates some subset of roles that he or she is assigned. Each session is associated with a single user and each user is associated with one or more sessions. The function session_roles gives us the roles activated by the session and the function user_sessions gives us the set of sessions that are associated with a user. The permissions available to the user are the permissions assigned to the roles that are activated across all the user.s sessions."*
Question - How can session be used to activate roles ? The relationship between the user / group and roles are inserted as admin data. So, how does session activate subset of roles for a user ?
P.S -> I asked this question earlier here but without an answer. May be this question is too basic to ask but I am keen to understand it. Any use case or a link will definitely be helpful.
Thanks for your time.
In RBAC, administrators give permissions by assigning them to roles, and in addition by assigning roles to users. As you know, for a user to be able to use a particular permission, he will have to have been assigned at least one role that provides said solution.
So each user has a set of roles assigned to him. During a session, he can choose to activate (or deactivate) any of these roles, but no other. The activated roles determine which permissions are available to the user at a given time during the session. This is useful, for example, for dynamic separation of duty constraints, where two roles A and B can be assigned to the same user U, but can't be used together. Therefore, if U wants to use A, he will have to deactivate B before activating A.
From my experience in implementing RBAC, I pretty much avoided using dynamic management of multi-sessions.
At first it sounded like a pretty neat and flexible idea, but as you questioned on who activates/deactivates roles (and when), I realized the complexity and security risks wasn't worth the effort (my personal opinion).
The important thing to understand here and for which #Imontriux (above) mentioned:
"This is useful, for example, for dynamic separation of duty
constraints, where two roles A and B can be assigned to the same user
U, but can't be used together. Therefore, if U wants to use A, he will
have to deactivate B before activating A."
Most of the time, there are separation of duty constraints that must apply and in order to honour this, I simply chose to only have/manage one valid session per user at a time. If a user wants to authenticate under different set of roles, he/she is responsible in logging out and logging back in.
It pretty much simplified a lot of my code. It was a compromise I chose and could easily live with.
Hi Stack Community Members,
I am developing an application under MVC3 where users have department-specific CRUD privileges. In other words, all users can view data for all departments, but only certain users can make changes to the data for any one given department. User-department privilege data is held in a join table in a database.
What I typically do in this kind of situation (in PHP) is to create a Session variable (an array) on login which is populated with the id's of the departments which the user is allowed to edit. When a user then goes to access the editing feature a drop-down list is populated with only these specific departments. I also populate a few other session variables which are used frequently like the user's name and the id of the current time period (business quarter).
Is this type of approach a good way to go in MVC3, or is some alternative approach better? While I figure that I'm going to use Forms Authentication and some specific roles (employee, admin, etc.) these types of roles are just too broad to be able to target department-by-department access, and I'm not sure that MVC3 has an out-of-the-box method which is better than what I'm planning to do.
Your guidance is appreciated!
I'm using Forms Authentication, add specific roles, and combine them if needed. I don't mind being specific for the roles, as they can be combined anyway I want. I can still have broad roles for more general actions.
I store similar data (UserId, DepartmentId, etc) in session since it does not change for the user and it is a small amount of data. It is my opinion that session state would be a good approach for you also.
If I am using asp.net's built-in membership provider, then how can I store arbitrary user-info while using CreateUserWizard control?
Suppose I have three types of users in my application: Student, Teacher and Staff. I want to store a flag for every user to distinguish their types while creating a user through CreateUserWizard - control.
How to do that?
Short answer: use Profile.
Use a user profile to store user information. It looks as though you are creating a role based on the person logging in in this case. If this is true perhaps using / setting a role is the better approach on this.
You should probably have a look at this long series on the Asp.Net Membership, Roles, and Profiles. It should have more then enough information to get you what you are trying to do.
Part 6 specifically covers the Profile portion.
https://web.archive.org/web/20210513220018/http://aspnet.4guysfromrolla.com/articles/120705-1.aspx
I agree with #klabranche, using roles is the perfect solution for "types of users" (Student, Teacher and Staff).
I haven't done it with CreateUserWizard, but it should be pretty straightforward: How to Add Users to Roles Using the CreateUserWizard.