steffenbartsch

Moved.

Steffen Bartsch — Sun, 24 Aug 2008 16:13:59 +0000

This blog moved to steffenbartsch.com/blog.

Rails Authorization Plugins

Steffen Bartsch — Thu, 14 Aug 2008 11:28:51 +0000

There seems to be a consensus to choose restful_authentication as the Rails way of securing the identity of users, at least with local user databases (in contrast to e.g. OpenID authentication). For authorization, i.e. restricting the access rights of users, the situation is different: there are lots of alternatives. This is probably due to the varying requirements that projects have in the case of authorization. While there are lists and surveys of Rails authorization plugins, I was missing an overview that could help in the decision making process of choosing the right plugin for specific requirements.

Here, I tried to examine each plugin according to a few categories.

Access control may be enforced on different layers, in the model, for controller actions and in views.
Most plugins have some user and role concept for restricting access. Authorization constraints allow more fine-grained decisions, though, by defining conditions that need to be met, probably on a context object, in order to grant access.
It is common to define access rules through Access Control Lists (ACL) whereby an object has a list of users or roles that are allowed to operate on the object. ACLs may increase authorization maintenance as new users or roles need to be added at multiple places. In contrast, Privileges, as known from RBAC, are a further abstraction. Thus, users or roles may possess privileges, which are, on the other hand, assigned as a requirement to operations on the objects.

A table of the evaluated authorization plugins, roughly sorted by activity:

Restrictions for	Model	Controller action	View	Authorization constraints	Privileges	Last activity
Authorization	Yes	Yes	No	Yes	No	recently
Restrictions based on pseudo natural language sentences; decisions based on role ACLs on models or model instances
base_auth	Yes	Yes	Yes	Yes	No	recently
User object-based restrictions on controller actions and views
acts_as_checkpoint	Yes	Yes	No	Yes	No	recently
Role-based restrictions on controller actions; simple model restrictions through methods on models, employing associations
rolerequirement	No	Yes	No	No	No	recently
Role-based ACLs for restrictions on controller actions
RESTful_ACL	Yes	Yes	Yes	Yes	No	recently
Restrictions based on permission methods on models for CRUD operations; no role concept built in; seems to be restricted to CRUD controller actions
acl_system2	No	Yes	Yes	No	No	2007
Role-based ACLs for restrictions on controller actions and in views; similar: Simple Access Control
ActiveRbac	No	Yes	No	No	Yes	2007
Implements only the queries on model instances for access rights
access_control	No	Yes	No	No	No	2007
Simple controller action restrictions based on Unix-style rwx ACLs
UserEngine	No	Yes	No	No	Yes	2006
Controller/action-based privileges assigned to roles for filtering access to controller actions
ActiveAcl	Yes	No	No	Yes	Yes	2006
Complex database design to allow arbitrary user – role – privilege – object relations

Let me know if I missed important aspects of those plugins or other plugins that you like.

Authorization in Small and Medium Enterprises

Steffen Bartsch — Mon, 30 Jun 2008 16:05:56 +0000

Modeling authorization for workflows in Small and Medium Enterprises (SME) differs from the approach taken in large corporations. The latter employ heavy workflow management systems that are deployed by help of immense consulting resources. By contrast, typical SME need to implement fairly straight-forward workflows while preserving a good deal of flexibility that they are used to from the established informal workflows such as passing around spreadsheets.

From our experience in working with an SME to implement their workflows in a web application, modeling the authorization is a crucial factor. While information security is welcomed by the management, measures need to interfere as little as possible with the daily work. Also, domain experts tend to describe ideal workflows, which is sometimes called Process Confabulation. Frequent exceptions may be unknown to developers until late in the development cycle, despite user tests.

Therefore, we propose a new approach to access control, allowing users to decide when to extend their previously defined privileges in a controled manner. Thus, the effect of inacurate definition of process and authorization models is mitigated. This concept of “self-service” is described in detail in the German paper that I wrote together with Carsten Bormann, “Berechtigungsmodellierung im Geschäftsprozessmanagement von KMU” and presented at the DACH Security conference in Berlin.

Network Service Map

Steffen Bartsch — Mon, 30 Oct 2006 15:47:39 +0000

…so der Arbeitstitel für meine Diplomarbeit. Es geht um das Verteilen von Informationen über vorhandene Internetzugänge für mobile Nutzer. Da tut sich ja gerade eine Menge, und WLAN-Hotspots werden demnächst um weitere Zugangstechniken ergänzt. Wir stellen uns die Zugangsdienste auf einer Karte dargestellt vor, eben als Service Map.

Nachdem ich gut ein halbes Jahr mal mehr mal weniger Intensiv (nebenbei lief noch unser studentisches Projekt) am Thema gebastelt habe, gab es Freitag die (in der AG) obligatorische Vorstellung im Kolloqium der AG Rechnernetze. Natürlich hatte ich viel zu viel auf meinen Folien, als dass es in Ruhe in die 20 Minuten gepasst hätte. Zum Thema Business Case gab es trotzdem sehr interessantes Feedback, hier fehlten einfach noch ein paar wichtige potentielle Mitspieler am Markt.