Open dominikstohl opened 6 years ago
Also interested in this.
@dominikstohl If I understood correctly, you need a policy/attribute based access control framework. accesscontrol works purely with roles (RBAC).
@iNDicat0r accesscontrol is not purely RBAC, as it states in the docs.
@sarneeh I agree, but in accesscontrol permissions are assigned relative to the role, something which isn't a requirement in ABAC systems.
@iNDicat0r ABAC is not too familiar to me so I didn't know the difference. Btw - are you aware of some ABAC example implementations? I was looking for something like that but can't find anything in the Node.js world.
@sarneeh https://github.com/ory/ladon is written in Go and is inspired by AWS IAM. You can write a standalone authorization server on top of it and use your nodejs app to communicate and ask for authorization.
This library doesn't implement ABAC. It gives a simplified version of managing roles. Can you define an attribute check in the library? You can't. See #8 and #12.
ABAC means that you need to properly validate attributes that have or do not have certain values. Here's, for example, a library that supports a proper ABAC approach - https://github.com/YLuchaninov/PolicyLine#differences-from-other-libraries. Wiki page for reference.
In my app, I have defined that users are like roles that are prefixed by "u-" in their name. So you can have a user u-admin that inherits from the role admin. It's not perfect but it works fine. Updating the library to handle roles and users would be great. For access on a specific resource, you need to give an own grant on a resource and store in your database which resources of this type the user has access to. In my case I use a table with the fields resource_type and resource_pkey, so I can search for all resources of type foo that the user has access to.
By doing this, you are clearly out of the scope of this library in its actual version, and it involves some development on your part, but I haven't found a better solution, except to use a big authorization solution like Keycloak.
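The pattern described in the comment above (users modelled as "u-" prefixed roles that extend ordinary roles, plus a per-resource grant table keyed by resource_type and resource_pkey for entities the user does not own), as an added, self-contained illustration that is not the commenter's code and does not use the accesscontrol library's API; the role names, actions and table rows are constructed sample data.

```javascript
// Role definitions: a user is a role prefixed "u-" that extends real roles.
// Constructed sample data, not the accesscontrol library's grant model.
const roles = {
  viewer: { extends: [], grants: { document: ['read'] } },
  editor: { extends: ['viewer'], grants: { document: ['update'] } },
  'u-alice': { extends: ['editor'], grants: {} },
  'u-bob': { extends: ['viewer'], grants: {} },
};

// Constructed rows of the per-resource grant table (resource_type, resource_pkey).
// This is how a specific non-owner gets access to one specific entity.
const resourceGrants = [
  { user: 'u-bob', resource_type: 'document', resource_pkey: 42, actions: ['update'] },
];

// Resolve the full inheritance chain of a role; cycle-safe via `seen`.
function roleChain(role, seen = new Set()) {
  if (!roles[role] || seen.has(role)) return seen;
  seen.add(role);
  for (const parent of roles[role].extends) roleChain(parent, seen);
  return seen;
}

// Type-level check: does any role in the chain grant `action` on all `type`?
function canAny(user, action, type) {
  for (const r of roleChain(user)) {
    if ((roles[r].grants[type] || []).includes(action)) return true;
  }
  return false;
}

// Instance-level check: a type-level grant, or an explicit grant-table row
// for exactly this (user, resource_type, resource_pkey, action).
function canOn(user, action, type, pkey) {
  if (canAny(user, action, type)) return true;
  return resourceGrants.some(g => g.user === user && g.resource_type === type
    && g.resource_pkey === pkey && g.actions.includes(action));
}

// The "all resources of type foo the user has access to" lookup, restricted
// to explicit grants (type-level grants cover every instance anyway).
function grantedKeys(user, action, type) {
  return resourceGrants
    .filter(g => g.user === user && g.resource_type === type && g.actions.includes(action))
    .map(g => g.resource_pkey);
}
```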
Hey everyone, your project looks very nice. But I have a special question: we have something like container-entities for collecting sub-entities. A has different B's and B's have different C's, everything 1:n. We want to grant access to a special user for a special entity, but it's not the owner. Is this possible? Thank you! Dominik