Security Architecture - Settings to drive UI and P

2019-06-09 10:41发布

问题:

How do large companies implement their security requirements which are centralized and used to drive things people can do (allowed to call a certain web-service, submit an order, etc.) as well as to drive UI (disable buttons, menu options, individual form fields)?

I am considering RBAC architecture: Users -> Roles, Roles -> Privileges.

Complex applications with permissions based on many individual field-account-user-role-amountThreshhold would have many, many "Roles" and managing this gets complicated as number of roles grows.

Managing all these possible options seems daunting, and my prior experience is to hard-code such logic in the application.

Ex: If (User.Roles("IsAccounting")) { btnEditOrder.enabled = false; }

I am tasked with designing / implementing a security service/architecture which will be used as common authentication/authorization point for any/all applications (all .NET, but some GUI and some process-oriented).

This is not possible out of the box because of the business organization around client accounts and permission tiers based on financial amounts.

Ex: John is a User and he can View and Submit requests for account "Microsoft" and "Google". Mike can View "Microsoft" and "Google" requests but can only Submit "Google" requests.

Number of accounts / users is large and variable.

If I follow RBAC, there will be hundreds of "Roles" to accommodate all required Rights (Privileges). This doesn't help because the end goal is to give easy to manage GUI tool so that managers can assign their direct reports to appropriate Roles.

I was thinking to implement this security piece with the following API (rough draft in pseudo-code):

UserContext securityContext = Security.GetContext(userID, userPwd);

And usage in application would be like this: if (securityContext.RequestManager.CanSubmitRequest("Google")) {...}

This way there would be thousands of these 'Can(params)' methods to check permissions which doesn't make it easy to either manage or use this pattern.

Any links / ideas / pointers are appreciated.

It's a .NET shop, but nothing I've seen from .NET (Membership / AzMan) will give us the granularity and delegation requirements required. ActiveDirectory / Oracle LDAP integration would be nice, but not necessary.

Old (current) system uses LDAP to authenticate users, but all authorization is done in-house and stored in classic "Users, Roles, Rights" tables.

回答1:

We were having almost same requirement, where we had multiple apps inside big organization, and we had to

  • Secure multiple applications for authentication and authorizations and manage all these applications from same central location, no matter these applications are .net or non .net, GUI based or process oriented,

  • running applications might be internet based or intranet based

  • Applications should support AD users or federated users for authentication and authroziation

  • Apply lots of 'role based' or 'permission based' security or customizations.

ex. Enable/Disable features -like Enable buttons, Disable buttons, Hide some menus, Change background color of controls, or change any .net supported properties of .net components etc.

  • Secure webservice or wcf service for authentication and authorization

  • apply role based security for multi-tenant applications via groups and users management

  • Manage organization's users for multiple applications from central location

  • Tracing user's actions or auditing.