Latest posts.

Declarative Authorization

Having looked through quite a few existing Rails authorization plugins, we decided, we were in need of a different approach.  Mainly, it was the missing separation of authorization logic from business logic in the evaluated plugins that caused us to implement a new plugin, declarative_authorization.

In our declarative approach, authorization rules are grouped in a policy file, while only privileges are used inside program code to enforce restrictions. We developed for flexibility and simplicity, requiring only very simple statements in rules and program code. So instead of

class ConferenceController < ApplicationController
  access_control :DEFAULT => [:admin],
    [:index, :show]  => [...],
    [:edit, :update] => [:admin, :conference_organizer]

cond = permit?([:admin, :conference_organizer]) ?
           {} : {:published => true}
Conference.find(:all, :conditions => cond)

<% restrict_to [:admin, :conference_organizer] do %>
  <%= link_to 'Edit', edit_conference_path(conference) %>
<% end %>

with all the authorization logic interweaved with your code, you only need this

class ConferencesController < ApplicationController
  filter_access_to :all

  def index
    @conferences = Conference.with_permissions_to(:read)

<%= link_to 'Edit', edit_conference_path(conference)
            if permitted_to? :edit, conference %>

And, separated in one place the authorization rules:

role :guest do
  has_permission_on :conferences, :to => :read

role :conference_organizer do
  has_permission_on :conferences, :to => :manage

So, the same rules are used in enforcing authorization in Model, View and Controller. Also, they are used for Query Rewriting to automatically constrain the retrieved records according to the authorization rules.  Thus, you just modify the rules on authorization requirement changes and you can also use the rules to talk to business owners of Agile projects.

For additional information and more examples, refer to the README and the rdoc documentation. Currently, we are using the plugin for an application with fairly complex authorization and it will be taking into production in the next iteration. So, look into it if you have authorization concerns in your application, it’s released under MIT license.

Rails Authorization Plugins

Updated 2009-05-23

There seems to be a consensus to choose AuthLogic or restful_authentication as the Rails way of securely identifying the users, at least with local user databases (in contrast to e.g. OpenID authentication). For restricting the access rights of the individual users, i.e. authorization, the situation is different with lots of alternatives. This is probably due to the varying requirements that projects have in the case of authorization. While there are lists and surveys of Rails authorization plugins, I was missing an overview that could help in the decision making process of choosing the right plugin for my specific requirements.

I tried to examine each plugin according to a few aspects.

  • Access control may be enforced on different layers, in the model, for controller actions and in views.
  • Most plugins have some user and role concept for restricting access. Authorization constraints allow more fine-grained decisions, though, by defining conditions that need to be met, probably on a context object, in order to grant access.
  • It is common to define access rules through Access Control Lists (ACL) whereby an object has a list of users or roles that are allowed to operate on the object. ACLs may increase authorization maintenance as new users or roles need to be added at multiple places. In contrast, Privileges, as known from RBAC, are a further abstraction. Thus, users or roles may possess privileges, which are, on the other hand, assigned as a requirement to operations on the objects.
  • Simplicity helps so that it is a common rule to use the least complex solution possible for a given task. While it is difficult to evaluate complexity without working in-depth with an authorization plugin, I still tried to give a rough estimate of each plugins complexity from an application developer’s point of view.

My conclusion (disclaimer: I’m the author of declarative_authorization): depending on the size of your project, you face roughly three options:

  • Go for a simple solution which most likely won’t cover all the edge cases, like role_requirement.
  • Follow a simple recipe and roll your own authorization mechanism. This way, you won’t depend on any maintainer to keep the plugin up-to-date. Also, it will be easier to modify it to your requirements.
  • If you see more complex scenarios on the horizon, say more than three roles, maybe even role hierarchies, you should seriously look into the more complex, but also more maintainable options, such as declarative_authorization.  Having all your authorization rules in one place helps greatly when the rules need to be modified.

A table of the evaluated authorization plugins, roughly sorted by activity:

Restrictions for M C V Constraints Privileges Complexity Activity
Authorization Yes Yes No Yes No medium recently
Restrictions based on pseudo natural language sentences; decisions based on role ACLs on models or model instances
declarative_authorization Yes Yes Yes Yes Yes medium recently
Declarative approach: separation of authorization logic from program code for maintainability
acl9 No Yes Yes Yes No medium recently
Access control list with simple role model allowing to bind roles to specific objects. Constraints through custom has_role methods on models.
RESTful_ACL Yes Yes Yes Yes No simple recently
Restrictions based on permission methods on models for CRUD operations; no role concept built in; seems to be restricted to CRUD controller actions
Padlock Authorization Yes Yes No Yes No medium recently
Allows for objects to have roles according to specific users.
redpill_access_control No Yes Yes No No medium recently
Uses access restrictions to controller actions for restrictions in views.
Authorize No Yes Yes No No high recently
Has a subject/trustee concept for specifying relationships regarding authorization.
role_requirement No Yes No No No simple recently
Role-based ACLs for restrictions on controller actions
ActsAsAuthorizable Yes No No Yes No medium 2008
Restrictions based on pseudo natural language sentences; decisions based on role ACLs on models or model instances
base_auth Yes Yes Yes Yes No simple 2008
User object-based restrictions on controller actions and views
Role-ful Yes No No Yes Yes medium 2008
Defines roles in the user object that can be queried through instance methods.
Easy Access Yes No No Yes Yes simple 2008
Helps defining can_be_[action]_by on the model.
Blubber No Yes No No No simple 2008
Used by defining [role]_acl methods on the controller.
acts_as_checkpoint Yes Yes No Yes No simple 2008
Role-based restrictions on controller actions; simple model restrictions through methods on models, employing associations
ActsAsPermissible Yes No No No No medium 2008
Provides the basic necessity of authorization: the model methods for assigning permissions and roles to users and retrieving the merged permissions.
acl_system2 No Yes Yes No No simple 2007
Role-based ACLs for restrictions on controller actions and in views; similar: Simple Access Control
ActiveRbac No Yes No No Yes medium 2007
Implements only the queries on model instances for access rights
access_control No Yes No No No simple 2007
Simple controller action restrictions based on Unix-style rwx ACLs
UserEngine No Yes No No Yes medium 2006
Controller/action-based privileges assigned to roles for filtering access to controller actions
ActiveAcl Yes No No Yes Yes high 2006
Complex database design to allow arbitrary user – role – privilege – object relations

Let me know if I missed important aspects of those plugins or other plugins that you like.

Authorization in Small and Medium Enterprises

Modeling authorization for workflows in Small and Medium Enterprises (SME) differs from the approach taken in large corporations. The latter employ heavy workflow management systems that are deployed by help of immense consulting resources. By contrast, typical SME need to implement fairly straight-forward workflows while preserving a good deal of flexibility that they are used to from the established informal workflows such as passing around spreadsheets.

From our experience in working with an SME to implement their workflows in a web application, modeling the authorization is a crucial factor. While information security is welcomed by the management, measures need to interfere as little as possible with the daily work. Also, domain experts tend to describe ideal workflows, which is sometimes called Process Confabulation. Frequent exceptions may be unknown to developers until late in the development cycle, despite user tests.

Therefore, we propose a new approach to access control, allowing users to decide when to extend their previously defined privileges in a controled manner. Thus, the effect of inacurate definition of process and authorization models is mitigated. This concept of “self-service” is described in detail in the German paper that I wrote together with Carsten Bormann, “Berechtigungsmodellierung im Geschäftsprozessmanagement von KMU” and presented at the DACH Security conference in Berlin.

Network Service Map

…so der Arbeitstitel für meine Diplomarbeit. Es geht um das Verteilen von Informationen über vorhandene Internetzugänge für mobile Nutzer. Da tut sich ja gerade eine Menge, und WLAN-Hotspots werden demnächst um weitere Zugangstechniken ergänzt. Wir stellen uns die Zugangsdienste auf einer Karte dargestellt vor, eben als Service Map.

Nachdem ich gut ein halbes Jahr mal mehr mal weniger Intensiv (nebenbei lief noch unser studentisches Projekt) am Thema gebastelt habe, gab es Freitag die (in der AG) obligatorische Vorstellung im Kolloqium der AG Rechnernetze. Natürlich hatte ich viel zu viel auf meinen Folien, als dass es in Ruhe in die 20 Minuten gepasst hätte. Zum Thema Business Case gab es trotzdem sehr interessantes Feedback, hier fehlten einfach noch ein paar wichtige potentielle Mitspieler am Markt.