Permissions 哪个门禁系统适合进行动态多层安全检查?
我有RESTful API和微服务架构。例如—Permissions 哪个门禁系统适合进行动态多层安全检查?,permissions,access-control,user-permissions,rbac,abac,xacml,alfa,Permissions,Access Control,User Permissions,Rbac,Abac,Xacml,Alfa,我有RESTful API和微服务架构。例如— 身份验证服务 用户服务 产品服务 更多 目前,我正在通过JWT令牌验证请求,JWT令牌可以从Auth服务获得。现在,是实施访问控制系统的时候了 这是一个内部工具应用程序(相当复杂),我的主要想法是使用RBAC(基于角色的访问控制),但该应用程序不是传统的。在应用程序中,用户A可以与另一个用户B配对,一旦配对完成,用户A可以根据用户B的设置执行各种操作 因此权限不是静态的,它们基于其他变量。那么我应该选择ABAC/PBAC系统吗?有什么建议吗 关
- 身份验证服务
- 用户服务
- 产品服务
- 更多
- 主题-发送请求的人,例如用户A
- 对象访问什么?e、 g模块A
- 操作-读还是写?e、 g读取获取请求
- 环境-条件,例如针对哪个用户?(用户B)
namespace com.acme{
/**
* Tutorial 101 - a flat approach using 4 rules
*/
policyset recordsAccess{
apply firstApplicable
/**
* Records access control
*/
policy records{
target clause object.objectType == "record"
apply firstApplicable
/**
* R1 - A manager can view any records
*/
rule managersView{
target clause user.role == "manager" and action.actionId == "view"
permit
}
/**
* R2 - An employee can view a record in their own department
*/
rule employeesView{
target clause user.role == "employee" and action.actionId == "view"
condition user.department == record.department
permit
}
/**
* R3 - An employee can edit a record they own, if it is in draft mode
*/
rule employeeEdit{
target clause user.role == "employee" and action.actionId == "edit" and record.status == "draft"
condition com.acme.record.owner == com.acme.user.employeeId
permit
}
/**
* R4 - A manager can publish a record if the record is in final
* mode and it belongs to a employee below that manager.
*/
rule managerPublish{
target clause user.role == "manager" and action.actionId == "publish"
condition stringIsIn(stringOneAndOnly(com.acme.record.owner),com.acme.user.subordinate)
permit
}
}
}
}