Fine Grained Authorisation with Relationship-Based Access Control - Ben Dechrai - NDC Porto 2023
- Published: 10 Feb 2025
- This talk was recorded at NDC Porto in Porto, Portugal. #ndcporto #ndcconferences #security #cloud #developer #softwaredeveloper
Should this user be able to read that article? Who is allowed to tag me in a social media post? How can I share this document with everyone who has access to the parent folder?
Authorisation is hard, let's face it. Role-based access control is a great starting point, but hard to scale. Attribute-based access control scales better, but neither is much good at answering more complex conditions, like limiting access to friends-of-friends, meaning we have to wrap this up in business logic.
This is where relationship-based access control (ReBAC) comes in, allowing nuanced access to resources without codifying that into the applications.
In this session, we'll look at how to define these relationships, experience live demos, and discover how we can deploy our own fine-grained authorisation service.
How do you deal with a bunch of records from the DB with READ access in RBAC? Do you fetch them all and do RBAC for each of them in the code? Or compile your RBAC rules into SQL filter clauses so the filtering happens in the DB to avoid fetching all records?
I mean ReBAC
Yeah, it's a complex SQL filter in my experience. I have been working at a company that had support for complex permissions based on a matrix organization structure, and it was painful to support.
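The abstract's two motivating cases (sharing a document with everyone who can see its parent folder, and letting friends-of-friends tag you) and the comment thread's question (check one record, or ask for the set of readable records up front) are both answered by the same mechanism in ReBAC: access is reachability in a relationship graph. The following is an added, self-contained Python illustration written for this page; it is not code from the talk, and the tuple shape, schema keys (`implied_by`, `from`) and sample data are all constructed here, loosely following the Zanzibar `object#relation@subject` convention.

```python
"""Tiny relationship-based access control (ReBAC) evaluator (added example).

Relationship tuples are (object, relation, subject). The subject is a user, or
another object, or a userset written "object#relation". A permission check is a
graph question: is there a path from the user to the object through relations
that the schema says grant the requested relation?
"""

# Constructed sample tuples (assumed data, not from the talk).
TUPLES = [
    ("folder:shared", "viewer", "user:alice"),
    ("folder:shared", "viewer", "user:bob"),
    ("doc:plan", "parent", "folder:shared"),   # doc:plan lives in folder:shared
    ("doc:plan", "editor", "user:carol"),
    ("doc:secret", "viewer", "user:dave"),
    ("user:alice", "friend", "user:bob"),      # bob is a friend of alice
    ("user:bob", "friend", "user:erin"),       # erin is a friend of bob
    ("post:photo", "owner", "user:alice"),
]

# Schema (assumed shape): how each relation on each object type is computed.
#   implied_by: other relations on the same object that imply this one
#   from:       (link_relation, relation_on_linked_object) pairs to follow
SCHEMA = {
    "folder": {"viewer": {}},
    "doc": {
        "editor": {},
        # doc viewers = direct viewers + editors + viewers of the parent folder
        "viewer": {"implied_by": ["editor"], "from": [("parent", "viewer")]},
    },
    "user": {
        "friend": {},
        # friend_of_friend on user X = friends of each friend of X
        "friend_of_friend": {"from": [("friend", "friend")]},
    },
    "post": {
        "owner": {},
        # who may tag the owner in this post: owner's friends and friends-of-friends
        "tagger": {"from": [("owner", "friend"), ("owner", "friend_of_friend")]},
    },
}


def members(obj: str, rel: str, seen: frozenset = frozenset()) -> set[str]:
    """Return every user that holds `rel` on `obj`, expanding the schema recursively."""
    key = (obj, rel)
    if key in seen:                 # guard against userset cycles (a#member@b#member, b#member@a#member)
        return set()
    seen = seen | {key}
    obj_type = obj.split(":", 1)[0]
    spec = SCHEMA.get(obj_type, {}).get(rel, {})
    users: set[str] = set()
    # 1. directly written tuples; a userset subject is expanded, a user is taken as-is
    for o, r, s in TUPLES:
        if o == obj and r == rel:
            if "#" in s:
                sub_obj, sub_rel = s.split("#", 1)
                users |= members(sub_obj, sub_rel, seen)
            else:
                users.add(s)
    # 2. relations on the same object that imply this one (editor -> viewer)
    for other in spec.get("implied_by", []):
        users |= members(obj, other, seen)
    # 3. relations on linked objects (parent folder's viewers, owner's friends)
    for link_rel, linked_rel in spec.get("from", []):
        for o, r, s in TUPLES:
            if o == obj and r == link_rel and "#" not in s:
                users |= members(s, linked_rel, seen)
    return users


def check(user: str, rel: str, obj: str) -> bool:
    """Point check: may `user` exercise `rel` on `obj`?"""
    return user in members(obj, rel)


def list_objects(user: str, rel: str, obj_type: str) -> list[str]:
    """Reverse query: which objects of `obj_type` does `user` hold `rel` on?

    This is the alternative to fetching every row and checking each one: ask the
    authorisation layer for the permitted ids, then query the DB with an id filter.
    """
    candidates = {o for o, _, _ in TUPLES if o.startswith(obj_type + ":")}
    return sorted(o for o in candidates if check(user, rel, o))


if __name__ == "__main__":
    print(check("user:alice", "viewer", "doc:plan"))     # True, via the parent folder
    print(check("user:erin", "tagger", "post:photo"))     # True, friend of a friend
    print(list_objects("user:alice", "viewer", "doc"))    # ['doc:plan']
```

`check` answers the per-request question and `list_objects` answers the "which rows may this user read" question without pulling every record through application code; in a real deployment the candidate set would come from the authorisation store's index rather than a scan of all tuples, and the returned ids would become a `WHERE id IN (...)` clause.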