Access Control Models

To govern access to services, our platform supports two access control models: RBAC (Role-based Access Control) and ABAC (Attribute-based Access Control), both evaluated through Open Policy Agent (OPA) using the Rego policy language.

Understanding RBAC

RBAC is an access control model that restricts access to resources based on predefined roles. Each role is associated with a distinct name and has a predefined set of permissions and policies.

Hierarchical Role Assignment

Our service allows roles to be assigned to users, companies, and groups, creating a hierarchical structure for role assignments.

Practical Approach

Our recommendation is to define roles and assign them to groups rather than to individual users. Using groups makes it easy to add or remove users and ensures consistent permissions for every member of the group.

How do we recommend using roles within your services?

By reading the role from the introspected access token

package authz

import rego.v1

# Deny unless a rule below explicitly grants access.
default allow := false

allow if {
    user_is_manager
}

# The rule name must match the one referenced in `allow`; input.user is the
# subject taken from the introspected token, data.user_attributes is the loaded user data.
user_is_manager if data.user_attributes[input.user].title == "manager"

By using a Policy Decision Point (Recommended)

// `response` is the decision returned by the Policy Decision Point (e.g. OPA's /v1/data query).
if (response.allow) {
  // Allow access to the resource
} else {
  // 403 Forbidden: the caller is authenticated but not permitted; 401 is reserved for missing or invalid credentials.
  res.status(403).send('Forbidden');
}

ABAC

ABAC is an access control model that restricts access to resources based on attributes. These attributes may include permissions, policies, departments, locations, IP addresses, and time conditions. These attributes can be assigned to users, groups, applications, or other entities.

// `attributes` is the list of "key:value" attribute strings resolved for the subject.
if (
  attributes.includes("role:manager") &&
  attributes.includes("permission:read:document") &&
  attributes.includes("department:marketing") &&
  attributes.includes("location:office") &&
  attributes.includes("origin:192.168.0.1")
) {
  // Allow access to the resource
} else {
  // Deny access
}
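The attribute check above hard-codes one exact combination. As an added example (not the platform's own code), the function below generalises it into a small deny-by-default ABAC evaluator for the attribute kinds this page lists: exact "key:value" attributes, an origin IP matched against a CIDR range, and a UTC time window. The `policy` shape, `decide`, `parseAttributes` and `ipInCidr` are assumptions introduced here.

```javascript
// Parse "key:value" attribute strings into Map<key, Set<value>>; the value may itself
// contain ':' (e.g. "permission:read:document"), so only the first ':' separates the key.
function parseAttributes(list) {
  const m = new Map();
  for (const a of list) {
    const i = a.indexOf(':');
    if (i < 0) continue;                       // ignore malformed entries
    const k = a.slice(0, i).trim(), v = a.slice(i + 1).trim();
    if (!m.has(k)) m.set(k, new Set());
    m.get(k).add(v);
  }
  return m;
}

// IPv4 CIDR membership, e.g. ipInCidr("192.168.0.7", "192.168.0.0/24") === true.
function ipInCidr(ip, cidr) {
  const toInt = (s) => s.split('.').reduce((n, o) => n * 256 + Number(o), 0);
  const [net, bits] = cidr.includes('/') ? cidr.split('/') : [cidr, '32'];
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// Every key in `policy` must be satisfied; the first unmet condition denies (fail closed).
// ctx = { ip: "<client address>", now: Date }  (constructed by the caller).
function decide(policy, subjectAttrs, ctx) {
  const attrs = parseAttributes(subjectAttrs);
  const has = (k, v) => attrs.has(k) && attrs.get(k).has(v);
  for (const [key, want] of Object.entries(policy)) {
    if (key === 'origin') {
      if (!ctx || !ctx.ip || !ipInCidr(ctx.ip, want)) return { allow: false, reason: 'origin' };
    } else if (key === 'time') {
      const h = ctx && ctx.now ? ctx.now.getUTCHours() : -1;
      if (h < want.from || h >= want.to) return { allow: false, reason: 'time' };
    } else if (!has(key, want)) {
      return { allow: false, reason: key };
    }
  }
  return { allow: true, reason: 'all attributes satisfied' };
}

// Constructed sample policy mirroring the conditions shown above, with the origin
// widened to a subnet and an 08:00-18:00 UTC working-hours window added.
const samplePolicy = {
  role: 'manager', permission: 'read:document', department: 'marketing',
  location: 'office', origin: '192.168.0.0/24', time: { from: 8, to: 18 },
};
```

A missing context (no client IP, no clock) is treated as a failed condition rather than an error, so a PEP that forgets to pass it denies instead of silently allowing.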
