I need to support Role Based Access Control (RBAC) in a system we're porting to Rails, and was wondering if any such module already exists for Rails; or if anyone out there has similar needs and would like to work with me on building such a module.

RBAC is an ANSI standard (ANSI INCITS 359-2004) that defines a small set of concepts (Users, Sessions, Roles, Privileges, Operations, and Objects) and the relationships between them to define the access rights users have to various actions and pieces of data in a system. NIST has a web site describing the standard (http://csrc.nist.gov/rbac) and a reasonable summary here: http://csrc.nist.gov/rbac/alvarez.ppt

The NIST site mentions that PHP has this implementation: http://www.tonymarston.net/php-mysql/role-based-access-control.html

Googling I see perhaps about half a dozen blogs talking about projects working on RBAC-for-rails; but most don't have any recent activity since April so I'm not sure how far along they are or which projects are really live.

Anyone know if such a thing already exists or if anyone out there has similar needs and would like to work with me on building such a module?

Ron
Ron M <rm_rails@...> writes:

> I need to support Role Based Access Control (RBAC) in
> a system we're porting to Rails, and was wondering if
> any such module already exists for Rails; or if anyone
> out there has similar needs and would like to work with
> me on building such a module.
>
> RBAC is an ANSI standard (ANSI INCITS 359-2004) that defines
> a small set of concepts (Users, Sessions, Roles, Privileges,
> Operations, and Objects) and the relationships between them
> to define the access rights users have to various actions
> and pieces of data in a system.
> NIST has a web site describing the standard
> (http://csrc.nist.gov/rbac) and a reasonable summary
> here http://csrc.nist.gov/rbac/alvarez.ppt
>
> The NIST site mentions that PHP has this implementation:
> http://www.tonymarston.net/php-mysql/role-based-access-control.html
>
> Googling I see perhaps about half a dozen blogs talking
> about projects working on RBAC-for-rails; but most don't
> have any recent activity since April so I'm not sure how
> far along they are or which projects are really live.
>
> Anyone know if such a thing already exists or if anyone
> out there has similar needs and would like to work with
> me on building such a module?
>
> Ron

Hello Ron,

I think I have similar needs. For a Rails app I am trying to build at the moment I have been implementing an ACL-based system with users, roles and permissions. Roles can get assigned to users. For controllers I check with a before filter (before_filter :authorize) if a certain user is allowed to access a certain controller action. At the view level I have code which decides what view components to show according to the roles of the logged_in_user. What I now need is an approach for the data level - restricting/allowing access to records/fields according to roles/users. I am a Rails and Ruby newby (this rhymes :-) and thus don't know if my approach is a good one.
And I don't know if I would be a help for creating an RBAC component, but I am willing to help... :-) I think a generic Authentication and Authorization framework for Rails, which could be used on all levels of MVC, would be a great thing.

Govinda
I believe I'm in the same boat. I need to restrict users to certain actions/menu subsets. I also have the following requirements (don't know if this fits the RBAC model):

1. Department supervisor role can manage user accounts for his department and company.
2. Restrict a role to a subset of the data. Users in one department don't need to see data from another department. Department supervisor shouldn't have access to user accounts from another department.

These are just examples of the granularity I am looking for. If this is similar to your requirements I'd be willing to collaborate. But, I am pretty new to this.

On 8/2/05, Ron M <rm_rails-UcKGQH7FHzBMN/HSMNDb9vDyrmpsABaS@public.gmane.org> wrote:

> I need to support Role Based Access Control (RBAC) in
> a system we're porting to Rails, and was wondering if
> any such module already exists for Rails; or if anyone
> out there has similar needs and would like to work with
> me on building such a module.
>
> RBAC is an ANSI standard (ANSI INCITS 359-2004) that defines
> a small set of concepts (Users, Sessions, Roles, Privileges,
> Operations, and Objects) and the relationships between them
> to define the access rights users have to various actions
> and pieces of data in a system.
> NIST has a web site describing the standard
> (http://csrc.nist.gov/rbac) and a reasonable summary
> here http://csrc.nist.gov/rbac/alvarez.ppt
>
> The NIST site mentions that PHP has this implementation:
> http://www.tonymarston.net/php-mysql/role-based-access-control.html
>
> Googling I see perhaps about half a dozen blogs talking
> about projects working on RBAC-for-rails; but most don't
> have any recent activity since April so I'm not sure how
> far along they are or which projects are really live.
>
> Anyone know if such a thing already exists or if anyone
> out there has similar needs and would like to work with
> me on building such a module?
>
> Ron

--
Best Regards,
-Larry
"Work, work, work...there is no satisfactory alternative." --- E.Taft Benson

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
Toby Boudreaux
2005-Aug-03 12:50 UTC
Re: Role Based Access Control (RBAC) for ActiveRecord
Ron -

Count me in if you start something up. I've already been sketching non-ANSI-compliant implementations for a couple of small Rails projects in the works currently, and have marked all my notes with things like "RBAC!" to remind myself later to work on a full implementation.

On Aug 3, 2005, at 1:30 AM, Ron M wrote:

> Anyone know if such a thing already exists or if anyone
> out there has similar needs and would like to work with
> me on building such a module?
Hi Ron,

At the moment I implemented a very basic ACL/RBAC implementation. It consists of permissions, roles and users. One going onto the other. And then just a quick check like authorized?('new_pages') which would allow them to add a new page. All of the permissions are named actionname_controllername so automatically each controller inherits this. But easily enough it can be overridden in each controller. It works well for me at the moment, but I still want to be able to have people in one group, but be able to remove them from certain permissions from that group, etc. I wouldn't mind working on a good generator/gem for this.

Dylan.

> I need to support Role Based Access Control (RBAC) in
> a system we're porting to Rails, and was wondering if
> any such module already exists for Rails; or if anyone
> out there has similar needs and would like to work with
> me on building such a module.
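The scheme Govinda and Dylan describe above (a before filter that asks the user for a permission named after the action and controller, a view layer that hides what the user may not call, and a per-controller override of the naming) can be shown without Rails. The following is an added example, not code from either poster; the Controller class stands in for ActionController with before_filter :authorize, and the role, permission and user names are assumptions. It also goes one step past Dylan's description by giving each user a revocation set, which is his "in the group, but minus certain permissions" case.

```ruby
# Added example: convention-named action permissions with a per-controller
# override and per-user revocation. Plain Ruby, no Rails dependency.
require 'set'

class Role
  attr_reader :name, :permissions
  def initialize(name, permissions = [])
    @name, @permissions = name, Set.new(permissions)
  end
end

class User
  attr_reader :login, :roles, :revoked
  # revoked: permission names withheld from this user even if a role grants them
  def initialize(login, roles = [], revoked = [])
    @login, @roles, @revoked = login, roles, Set.new(revoked)
  end

  # Dylan's authorized?('new_pages'): revocation wins, then any role may grant.
  def authorized?(permission)
    return false if revoked.include?(permission)
    roles.any? { |r| r.permissions.include?(permission) }
  end
end

# Stand-in for an ActionController subclass with before_filter :authorize.
class Controller
  attr_reader :controller_name
  def initialize(controller_name, user)
    @controller_name, @user = controller_name, user
  end

  # Default convention: action "new" on the pages controller -> "new_pages".
  def permission_for(action)
    "#{action}_#{controller_name}"
  end

  # The before filter: deny by default, true lets the action run.
  def authorize(action)
    @user.authorized?(permission_for(action))
  end

  def dispatch(action)
    return :denied unless authorize(action)
    :"#{action}_ok"
  end

  # View-level helper: only actions the user may call appear in a menu.
  def menu(actions)
    actions.select { |a| authorize(a) }
  end
end

class PagesController < Controller
  def initialize(user)
    super('pages', user)
  end
end

class ArticlesController < Controller
  def initialize(user)
    super('articles', user)
  end

  # Override the convention: every write action maps onto one permission.
  def permission_for(action)
    %w[new create edit update destroy].include?(action.to_s) ? 'write_articles' : super
  end
end

# Assumed roles for the demo.
EDITOR = Role.new('editor', %w[new_pages edit_pages write_articles])
READER = Role.new('reader', %w[show_pages show_articles])

def demo
  alice = User.new('alice', [EDITOR])
  bob   = User.new('bob',   [READER])
  carol = User.new('carol', [EDITOR], ['edit_pages'])  # editor minus one permission
  {
    alice_new_page:       PagesController.new(alice).dispatch('new'),
    bob_new_page:         PagesController.new(bob).dispatch('new'),
    bob_show_page:        PagesController.new(bob).dispatch('show'),
    bob_menu:             PagesController.new(bob).menu(%w[show new edit]),
    alice_update_article: ArticlesController.new(alice).dispatch('update'),
    carol_edit_page:      PagesController.new(carol).dispatch('edit'),
    carol_new_page:       PagesController.new(carol).dispatch('new'),
  }
end
```

The override in ArticlesController is the point Dylan makes about the convention being "easily enough overridden": the filter never changes, only the name it asks for.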
George Hotelling
2005-Aug-03 23:29 UTC
Re: Re: Role Based Access Control (RBAC) for ActiveRecord
On Aug 3, 2005, at 7:13 AM, Govinda wrote:

> What I now need is an approach for the data level - restricting/
> allowing access
> to records/fields according to roles/users.

You might want to look at Bruce Perens' ModelSecurity - http://article.gmane.org/gmane.comp.lang.ruby.rails/16843

George
Jean-Christophe Michel
2005-Aug-04 07:33 UTC
Re: Role Based Access Control (RBAC) for ActiveRecord
Ron M wrote:

> I need to support Role Based Access Control (RBAC) in
> a system we're porting to Rails, and was wondering if
> any such module already exists for Rails; or if anyone
> out there has similar needs and would like to work with
> me on building such a module.
> ...
> Anyone know if such a thing already exists or if anyone
> out there has similar needs and would like to work with
> me on building such a module?

ActiveRbac was started already by alex, manuel and some of us. Probably first release soon.

--
Jean-Christophe Michel
Govinda Pfister
2005-Aug-04 12:43 UTC
Re: Role Based Access Control (RBAC) for ActiveRecord
Hello Jean-Christophe,

great that someone is already doing something... Can you tell us what the functionality of this first ActiveRbac release is? And what are the future plans, roadmaps... ?

Govinda

rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org wrote on 04.08.05 09:34:12:

Ron M wrote:
> I need to support Role Based Access Control (RBAC) in
> a system we're porting to Rails, and was wondering if
> any such module already exists for Rails; or if anyone
> out there has similar needs and would like to work with
> me on building such a module.
> ...
> Anyone know if such a thing already exists or if anyone
> out there has similar needs and would like to work with
> me on building such a module?

ActiveRbac was started already by alex, manuel and some of us.
Probably first release soon.

--
Jean-Christophe Michel
Toby Boudreaux
2005-Aug-04 14:31 UTC
Re: Role Based Access Control (RBAC) for ActiveRecord
Access control to content items, db records, etc, is something that many folks need, I'm sure.

Roles alone aren't good enough in many cases. We should definitely build something to suit these needs as well as simple access to actions.

On Aug 3, 2005, at 7:06 PM, Dylan Egan wrote:

> Hi Ron,
>
> At the moment I implemented a very basic ACL/RBAC implementation.
> It consists of permissions, roles and users. One going onto the
> other. And then just a quick check like authorized?('new_pages')
> which would allow them to add a new page. All of the permissions
> are named actionname_controllername so automatically each
> controller inherits this. But easily enough it can be overridden in
> each controller. It works well for me at the moment, but I still
> want to be able to have people in one group, but be able to remove
> them from certain permissions from that group, etc. I wouldn't mind
> working on a good generator/gem for this.
>
> Dylan.
>
>> I need to support Role Based Access Control (RBAC) in
>> a system we're porting to Rails, and was wondering if
>> any such module already exists for Rails; or if anyone
>> out there has similar needs and would like to work with
>> me on building such a module.
> Can you tell us what the functionality of this first ActiveRbac
> release is. And what are the future plans, roadmaps... ?

The 2 second version is: complete but functional hierarchical RBAC system with groups and a unified user model, sufficient to support small and large scale ecommerce and publishing systems. All of the features people mentioned earlier in this thread are things we intend to implement.

I'm completely slammed today, or else I would use this as a kick in the butt to do a more serious roadmap; I fear it will be next week until I complete that... but so far it looks good :)

I have invited a few people to look at the install; if you would like access to the trac project and the wiki please email me a request off-list.

-----------

Our spec is below, here's a hack roadmap:

1.0
- basic functional RBAC layer with no resource (i.e. ActiveRecord) protection - only action protection
- basic UI
- full roles, groups & users
- 1:3 - 1:6 code:test ratio

2.0
- really cool UI for doing all kinds of stuff with groups etc
- AR integration (perhaps / hopefully with ModelSecurity so it's a unified system)
... more

-----------------------------------------------

LOCKED unless there are further comments

This wiki page gives an informal but complete specification of the RBAC system. It basically is the system we had in binarycloud and has been extended in some parts. This page assumes that you have a basic understanding of RBAC. See [csrc-nist] and [bc-auth] for an introduction.

Naming Conventions

All this basically follows Ruby On Rails database naming schemas. We chose title instead of name in some places for properties because name is a non-overridable SQL keyword in some databases.

Overview

The RBAC implementation in ActiveRBAC consists of the following parts:

• users
• groups
• roles
• permissions

Users represent all entities that use the system. This can be humans as well as other programs accessing a system.

Groups contain an arbitrary number of users and are mainly there for structuring users. Groups may also contain groups, so as to manage a large number of groups.

Permissions represent the rights to access a certain resource with a certain action, for example "user may edit article created by him". Permissions are assigned to roles.

Roles are arranged in a tree where the parent-child relation is similar to the one found in the object model: roles inherit the permissions of their ancestors. Permissions are granted to roles and roles can be assigned to users or groups. When a role is assigned to a user, he is granted all permissions the role is granted. When a role is assigned to a group, the role is assigned to all users in this group or children of this group and thus all permissions of this role are granted to the users in these groups.

Users

ActiveRBAC is developed for small to medium sized web CMS and web shops. Thus, the user table is designed for web applications: the authentication data is stored in the database, and authentication against other credential sources like ActiveDirectory (speak: Windows Domains) or LDAP servers is intended in the first revisions.

Users have the following properties:

• id: The user's unique id
• created_at: Timestamp of the user's creation
• updated_at: Timestamp of the user record's last change
• last_logged_in_at: Timestamp of the last login
• login_failure_count: The number of failed logins since the last successful one
• login: The name of the user
• email: The email address of the user
• password_hash_type: The hash method to use to encrypt the given password; currently only 'sha1' and 'md5' are supported
• password: The password of the user, hashed with the given hash method
• state: The user's current state; currently allowed values are:
  ◦ 1: unconfirmed, the user has registered but not confirmed his registration via email; he cannot log in
  ◦ 2: confirmed, the user has confirmed his registration and he can log in
  ◦ 3: locked, the user's account has been locked; the record still exists but the user can't log in any more
  ◦ 4: deleted, the user's account has been deleted: the user unregistered himself
  ◦ 5: confirmed, lost password, the user has lost his password and it has been sent to him via email. After logging in, he has to change it immediately or he cannot proceed.

Groups

Groups structure the set of users. A group is fairly simple:

• id: The group's unique ID
• title: The group's name
• parent_id: The id of the group's parent; NULL if it is a root group

Roles

Roles are the same as groups. The reason for them being in another table is to emphasize the semantic difference between roles and groups, and because roles should not be assigned to roles. A role has the following properties:

• id: The role's unique ID
• title: The role's name
• parent_id: The id of the role's parent; NULL if it is a root role

Permissions

Permissions grant access to a given resource. Most of the time, this will be a record in the database. However, this is pretty complex since you can hardly foresee all record types (and with ActiveRBAC being a general framework, it's impossible).

The (Future) Complex Solutions

There are two different ways to grant permissions flexibly. First, we could create a permission table for each record type. While this might seem the cleanest at first, it creates a lot of n:m relations for each role granted the permission. An example could be an article type stored in the table article, and the permission table looks like the following:

  CREATE TABLE article_permissions (
    id BIGSERIAL NOT NULL,
    article_id BIGINT NOT NULL,
    role_id BIGINT NOT NULL
  );

Having the same table in the database over and over again is not really satisfying. Having a central table and storing the "target type's" name in the table is simpler (and does not hurt any normalization or is bad style to our knowledge):

  CREATE TABLE permissions (
    id BIGSERIAL NOT NULL,
    target_table CHARACTER VARYING (200) NOT NULL,
    target_id BIGINT NOT NULL,
    role_id BIGINT NOT NULL
  );

However, since this becomes fairly complex and requires adding much more to the framework, like Ruby functions to declaratively mark an ActiveRecord as authorizeable and so on, we simply do not do it at first (later, speak >= 2.0).

The Pragmatic Solution

For now, the following simple solution is enough. We simply have a StaticPermission class that has the following properties:

• id: A unique id for AR which needs it
• title: The name of the permission
• role_id: The id of the role to assign this permission to

Permissions can then be checked by their name in Ruby code. Implementing the sufficient Ruby magic, you could do something like the following:

  user = User.find(@id)
  article = Article.find(@article_id)
  # deny unless the user holds the named permission AND owns the record
  unless user.has_permission?('Article.EditOwnArticles') and article.author == user
    # Balk about error
  end

Relations

There is a roles_users, a groups_users and a groups_roles table to hold the n:m relations between users, groups and roles.

Schema

The following is the current SQL schema for the data structures described in this document (PostgreSQL dialect):

  CREATE TABLE users (
    id BIGSERIAL NOT NULL,
    -- Some statistics about the user data
    created_at TIMESTAMP NOT NULL,
    updated_at TIMESTAMP NOT NULL,
    last_logged_in_at TIMESTAMP NOT NULL,
    login_failure_count INT NOT NULL,
    -- Important information: login name, email and encrypted password
    login CHARACTER VARYING (100) NOT NULL,
    email CHARACTER VARYING (200) NOT NULL,
    password CHARACTER VARYING (100) NOT NULL,
    -- What hashing method did we use to hash the password? SHA-1, MD5, etc.?
    password_hash_type CHARACTER VARYING (20) NOT NULL,
    -- The account's state. The stock types are "1: unconfirmed", "2: confirmed",
    -- "3: locked", "4: deleted", "5: confirmed, lost password"
    state INTEGER NOT NULL DEFAULT 1,
    PRIMARY KEY (id),
    UNIQUE (login)
  );
  CREATE INDEX users_login_index ON users (login);
  CREATE INDEX users_password_index ON users (password);

  -- This table holds the "user registration" data, i.e. the token the
  -- user needs to know to confirm his registration.
  CREATE TABLE user_registrations (
    id BIGSERIAL NOT NULL, -- superfluous, but AR needs it
    user_id BIGINT NOT NULL,
    token TEXT NOT NULL,
    created_at TIMESTAMP NOT NULL,
    expires_at TIMESTAMP NOT NULL,
    PRIMARY KEY (id),
    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
    UNIQUE (user_id)
  );
  CREATE INDEX user_registrations_user_id_index ON user_registrations (user_id);
  CREATE INDEX user_registration_expires_at_index ON user_registrations (expires_at);

  CREATE TABLE roles (
    id BIGSERIAL NOT NULL,
    created_at TIMESTAMP NOT NULL,
    updated_at TIMESTAMP NOT NULL,
    title CHARACTER VARYING (100) NOT NULL,
    parent_id BIGINT NULL,
    PRIMARY KEY (id),
    FOREIGN KEY (parent_id) REFERENCES roles (id) ON DELETE RESTRICT
  );
  CREATE INDEX roles_parent_index ON roles (parent_id);

  CREATE TABLE roles_users (
    user_id BIGINT NOT NULL,
    role_id BIGINT NOT NULL,
    created_at TIMESTAMP NOT NULL,
    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
    FOREIGN KEY (role_id) REFERENCES roles (id) ON DELETE CASCADE,
    UNIQUE (user_id, role_id)
  );
  CREATE INDEX roles_users_all_index ON roles_users (user_id, role_id);

  CREATE TABLE groups (
    id BIGSERIAL NOT NULL,
    created_at TIMESTAMP NOT NULL,
    updated_at TIMESTAMP NOT NULL,
    title CHARACTER VARYING NOT NULL,
    parent_id BIGINT NULL,
    PRIMARY KEY (id),
    FOREIGN KEY (parent_id) REFERENCES groups (id) ON DELETE RESTRICT
  );
  CREATE INDEX groups_parent_index ON groups (parent_id);

  CREATE TABLE groups_users (
    group_id BIGINT NOT NULL,
    user_id BIGINT NOT NULL,
    created_at TIMESTAMP NOT NULL,
    FOREIGN KEY (group_id) REFERENCES groups (id) ON DELETE CASCADE,
    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
    UNIQUE (group_id, user_id)
  );
  CREATE INDEX groups_users_all_index ON groups_users (group_id, user_id);

  CREATE TABLE groups_roles (
    group_id BIGINT NOT NULL,
    role_id BIGINT NOT NULL,
    created_at TIMESTAMP NOT NULL,
    FOREIGN KEY (group_id) REFERENCES groups (id) ON DELETE CASCADE,
    FOREIGN KEY (role_id) REFERENCES roles (id) ON DELETE CASCADE,
    UNIQUE (group_id, role_id)
  );
  CREATE INDEX groups_roles_all_index ON groups_roles (group_id, role_id);

Possible Extensions

The Standard [fk92] also proposes static and dynamic separation of duty. While it is extremely unlikely that ActiveRBAC will ever implement dynamic separation of duty, static separation of duty could be implemented when the need arises for it.

Links

• [csrc-nist] http://csrc.nist.gov/rbac/ - RBAC at the NIST
• [bc-auth] http://docs.binarycloud.com/en/auth/ - Binarycloud's RBAC implementation
• [fk92] http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf
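The resolution rules in the spec above (a role inherits the permissions of its ancestors; a role assigned to a group reaches every user in that group or its child groups; a user's permissions are the union over all roles reached either way; StaticPermission is just a title bound to a role) can be exercised in memory without the database. The following is an added example written for this thread, not ActiveRBAC's code: the role and group titles, the permission titles and the sample users are assumptions. It also includes the static separation of duty constraint the spec lists as a possible extension, as a check at role-assignment time on assumed mutually exclusive role pairs.

```ruby
# Added example: in-memory model of the ActiveRBAC spec's resolution rules
# plus a static separation-of-duty check. Not the project's code.
require 'set'

# Shared tree node: roles and groups both have a title and an optional parent.
class Node
  attr_reader :title, :parent, :children
  def initialize(title, parent = nil)
    @title, @parent, @children = title, parent, []
    parent.children << self if parent
  end

  # self, parent, grandparent, ... up to the root
  def ancestors_and_self
    out, node = [], self
    while node
      out << node
      node = node.parent
    end
    out
  end
end

class Role < Node
  attr_reader :static_permissions
  def initialize(title, parent = nil)
    super
    @static_permissions = Set.new
  end

  # StaticPermission: a title bound to this role (spec's "Pragmatic Solution").
  def grant(permission_title)
    static_permissions << permission_title
    self
  end

  # A role holds its own permissions plus everything granted to its ancestors.
  def permissions
    ancestors_and_self.map(&:static_permissions).reduce(Set.new, :|)
  end
end

class Group < Node
  attr_reader :roles
  def initialize(title, parent = nil)
    super
    @roles = []
  end
end

class SodViolation < StandardError; end

class User
  attr_reader :login, :roles, :groups
  # Static separation of duty (assumed pairs): never held together by one user.
  EXCLUSIVE = [Set['purchaser', 'approver']].freeze

  def initialize(login)
    @login, @roles, @groups = login, [], []
  end

  def join(group)
    groups << group
    self
  end

  # Refuse the assignment if it would pair the role with an exclusive partner
  # the user already holds, directly or through a group.
  def assign_role(role)
    held = effective_roles.map(&:title).to_set
    EXCLUSIVE.each do |pair|
      next unless pair.include?(role.title)
      conflict = held & (pair - [role.title])
      raise SodViolation, "#{login}: #{role.title} conflicts with #{conflict.to_a.join(', ')}" unless conflict.empty?
    end
    roles << role
    self
  end

  # Direct roles plus roles on any group the user is in, or on any ancestor of
  # that group (a role assigned to a group reaches its child groups).
  def effective_roles
    (roles + groups.flat_map { |g| g.ancestors_and_self.flat_map(&:roles) }).uniq
  end

  def permissions
    effective_roles.map(&:permissions).reduce(Set.new, :|)
  end

  def has_permission?(title)
    permissions.include?(title)
  end
end

def build_demo
  # Assumed role tree: staff -> editor -> chief_editor; two SoD-constrained roles.
  staff     = Role.new('staff').grant('Article.Read')
  editor    = Role.new('editor', staff).grant('Article.EditOwnArticles')
  chief     = Role.new('chief_editor', editor).grant('Article.EditAnyArticle')
  purchaser = Role.new('purchaser').grant('Order.Create')
  approver  = Role.new('approver').grant('Order.Approve')

  # Assumed group tree: company -> newsroom -> sports_desk.
  company  = Group.new('company')
  newsroom = Group.new('newsroom', company)
  sports   = Group.new('sports_desk', newsroom)
  company.roles  << staff    # everyone in the company is staff
  newsroom.roles << editor   # the newsroom and its desks are editors

  ron   = User.new('ron').join(sports)                       # editor via newsroom, staff via company
  toby  = User.new('toby').join(company).assign_role(chief)  # staff via company, chief directly
  alice = User.new('alice').assign_role(purchaser)
  sod_blocked = begin
    alice.assign_role(approver)
    false
  rescue SodViolation
    true
  end
  { ron: ron, toby: toby, alice: alice, sod_blocked: sod_blocked }
end
```

Ron, who sits only in the sports desk, ends up with Article.Read and Article.EditOwnArticles through the two group levels above him but not Article.EditAnyArticle; Toby gets all three because chief_editor inherits down the role tree. The SoD check is deliberately applied at assignment time rather than at check time, so an inconsistent state is never written.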
> Access control to content items, db records, etc, is something that
> many folks need, I'm sure.
>
> Roles alone aren't good enough in many cases. We should definitely
> build something to suit these needs as well as simple access to
> actions.

In rails, I think action (controller method) and resource (database record) protection is good enough - that alone can be VERY sophisticated, and I'm sure we'll enter into serious discussion on the subject of workflow -> role integration with action and resource protection as we complete the unit tests for our first demo (which is in subversion and functional).

We could definitely use contributors - however initially we will accept patches only and grant access to svn on the basis of "good patches". :)

_alex
Toby Boudreaux
2005-Aug-04 21:06 UTC
Re: Role Based Access Control (RBAC) for ActiveRecord
This may be the case for your work, but many projects require strict per-record access control. For instance, in many systems all writers should not have the ability to modify other writers' information.

Rails provides nothing special in this regard. Given that we can't currently switch database users and have to basically open the entire database up to the application, we need a way for folks to enforce per-record (per content item, for instance) ownership and accountability. Roles simply aren't enough for the needs of everyone.

I may be misinterpreting what you mean by "database record protection" though. If you're suggesting adding something to the RBAC system to enforce this, we're on the same page ;)

On Aug 4, 2005, at 4:18 PM, alex black wrote:

> In rails, I think action (controller method) and resource (database
> record) protection is good enough
very interested in ActiveRBAC. and as I need this for a project at work my contributions could be subsidized by that project (don''t be concerned about IP) I''d estimate about 15 hours a week could be applied to ActiveRBAC, until development for the application reaches a point where ActiveRBAC is required -- and at that point time applied would increase. Annnyways... Let me know about the Trac site etc. -Caleb
> very interested in ActiveRBAC. > > and as I need this for a project at work my contributions could be > subsidized by that project (don''t be concerned about IP) > > I''d estimate about 15 hours a week could be applied to ActiveRBAC, > until development for the application reaches a point where ActiveRBAC > is required -- and at that point time applied would increase. > > > Annnyways... Let me know about the Trac site etc. > > -Caleb >doh -- that was not for the list.
If you wouldn't mind, I'd like to have access to the TRAC site for the RBAC project. It looks like a very useful project. May be able to contribute at some point.

--
Best Regards,
-Larry
"Work, work, work...there is no satisfactory alternative." --- E.Taft Benson
In article <42F1C4B3.3010507-/aRvmaKoZxNWk0Htik3J/w@public.gmane.org>, jc.michel-/aRvmaKoZxNWk0Htik3J/w@public.gmane.org says...

> ActiveRbac was started already by alex, manuel and some of us.
> Probably first release soon.

Will/could this be integrated with Bruce Perens's work?

--
Jay Levitt | Wellesley, MA | I feel calm. I feel ready. I can only
Faster: jay at jay dot fm | conclude that's because I don't have a
http://www.jay.fm | full grasp of the situation. - Mark Adler
> This may be the case for your work, but many projects require strict
> per-record access control. For instance, in many systems all writers
> should not have the ability to modify other writers' information.

Many of my projects require precisely that. Which is why I would like to try to integrate Mr. Perens' ModelSecurity into ActiveRBAC.

> Rails provides nothing special in this regard. Given that we can't
> currently switch database users and have to basically open the entire
> database up to the application, we need a way for folks to enforce
> per-record (per content item, for instance) ownership and
> accountability. Roles simply aren't enough for the needs of everyone.

They are, you just need to design roles so they can include logic which makes decisions based on information available in the environment. (For example, checking that the author user FK matches the current User PK and allowing edits only if they match.) (Or if the user has a role which allows them to edit anything - don't do any check :))

> I may be misinterpreting what you mean by "database record protection"
> though. If you're suggesting adding something to the RBAC system to
> enforce this, we're on the same page ;)

We are on the same page :) I want an RBAC system which is simple for simple projects but has everything I would need for much larger, sophisticated projects that require groups and complex workflows which manage data ownership etc.

_a

--
alex black, founder
the turing studio, inc.
510.666.0074
root-16h2cdTTKgpzNNFeSAH1EA@public.gmane.org
http://www.turingstudio.com
2600 10th street, suite 635
berkeley, ca 94710
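The design alex describes above (roles whose permissions carry logic over the environment, such as "author FK equals current user PK", with an unconditional grant for roles that may edit anything) is the answer to Toby's per-record point and also to Larry's earlier department example, and since the application reaches the database as a single privileged DB user the same logic has to narrow result sets in the application. The following is an added example written for this thread, not code from alex, Toby, ActiveRBAC or ModelSecurity; the Article and Account structs, the rule lambdas, the role and permission names and the sample records are all constructed for it.

```ruby
# Added example: permissions that carry a predicate over (current user, record),
# used both for a single decision and to filter a collection. Not project code.
Article = Struct.new(:id, :author_id, :title)
Account = Struct.new(:id, :login, :department)

class Permission
  attr_reader :name
  # rule: nil means unconditional; otherwise ->(user, record) { true/false }
  def initialize(name, rule = nil)
    @name, @rule = name, rule
  end

  def allows?(user, record)
    @rule.nil? || @rule.call(user, record) == true
  end
end

class Role
  attr_reader :title, :permissions
  def initialize(title, permissions)
    @title, @permissions = title, permissions
  end
end

class User
  attr_reader :id, :department, :roles
  def initialize(id, department, roles)
    @id, @department, @roles = id, department, roles
  end

  # Deny by default: some role must grant a permission of this name whose rule
  # accepts the (user, record) pair. An unconditional grant is alex's
  # "don't do any check" case for roles that may edit anything.
  def can?(name, record = nil)
    roles.any? do |role|
      role.permissions.any? { |p| p.name == name && p.allows?(self, record) }
    end
  end

  # The DB connection is one privileged user for every request, so row-level
  # narrowing happens here: keep only the records the rule admits.
  def select_permitted(name, records)
    records.select { |r| can?(name, r) }
  end
end

# Assumed rules: ownership by author FK, and same-department scoping.
OWN_ONLY        = ->(user, article) { article.author_id == user.id }
SAME_DEPARTMENT = ->(user, account) { account.department == user.department }

WRITER     = Role.new('writer',          [Permission.new('Article.Edit', OWN_ONLY)])
CHIEF      = Role.new('chief_editor',    [Permission.new('Article.Edit')])
SUPERVISOR = Role.new('dept_supervisor', [Permission.new('Account.Manage', SAME_DEPARTMENT)])

def demo
  # Constructed sample records.
  articles = [Article.new(1, 10, 'first'), Article.new(2, 20, 'second')]
  accounts = [Account.new(10, 'ron', 'sports'),
              Account.new(20, 'toby', 'news'),
              Account.new(30, 'larry', 'sports')]
  writer     = User.new(10, 'sports', [WRITER])
  chief      = User.new(30, 'news',   [CHIEF])
  supervisor = User.new(40, 'sports', [SUPERVISOR])
  {
    writer_own:      writer.can?('Article.Edit', articles[0]),
    writer_other:    writer.can?('Article.Edit', articles[1]),
    writer_delete:   writer.can?('Article.Delete', articles[0]),
    chief_any:       chief.can?('Article.Edit', articles[1]),
    editable_titles: writer.select_permitted('Article.Edit', articles).map(&:title),
    manageable:      supervisor.select_permitted('Account.Manage', accounts).map(&:login),
    cross_dept:      supervisor.can?('Account.Manage', accounts[1]),
  }
end
```

Both the single check and the list filter go through the same rule, so a record that the writer cannot edit is also a record the writer never sees in the editable list; that is the accountability property Toby asks for without a per-user database login.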
alex black
2005-Aug-05 18:47 UTC
Re: Re: Role Based Access Control (RBAC) for ActiveRecord
> Will/could this be integrated with Bruce Perens's work?

That is my intent - hopefully with his blessing, and maybe his help :)

_alex

--
alex black, founder
the turing studio, inc.
510.666.0074
root-16h2cdTTKgpzNNFeSAH1EA@public.gmane.org
http://www.turingstudio.com
2600 10th street, suite 635
berkeley, ca 94710