Access control is about controlling what a user may do and where a user may go within your application. Do not mistake access control for security, which is a bigger subject in itself. Access control begins by authenticating the user and then limits his or her activity in the application. An activity is something like creating, updating or deleting a content. There is always a finite number of activities that can be done in a given application, and each user can be assigned the set of activities that he or she is allowed to do. Access control is usually tied to session management; however, you do not need session management to have access control.
When a user logs in, a session is created so that the user is remembered on subsequent requests; otherwise the user would have to provide his or her credentials on every request. We can also keep the list of activities the user is allowed to do in the session record. Some applications keep the session alive indefinitely and some time the user out after a period of inactivity. When the user logs out, the session record is deleted.
Activity
An application is organized by activities such as viewing, creating, editing or deleting users or contents; 'create content', for example, is one activity. These activities are presented as a menu. Depending on the user, some will see every activity in the menu and some will see only a few. It is the job of access control to decide which activities are listed in the menu. Once a menu item is clicked, the application routes the user to the activity page. However, before the page is opened, a check is made to verify that the user is allowed to open it; if not, the user is routed to an 'access denied' page instead.
Some applications have finer-grained activity control and list only the allowed items on the activity page itself: some users see all buttons and links, others see only some of them. Besides menu items, buttons and links also represent activities.
Role
Technically, a user's role has nothing to do with access control; some applications organize users in groups instead of roles. We use a role to group activities. For example, an administrator role can do all activities, while an editor role can only create, update and delete contents. Assigning a role to a user is easier than assigning activities one by one. However, some applications require that only a specific user is allowed to do a specific activity; those applications bypass the role-activity assignment. On the other hand, a simpler application may organize users by hierarchy, fixing the activities per role so that the application ignores activity assignment altogether. Either way, a role is still related to activities.
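The activity, menu and role ideas above, put together as an added example (not code from the original post): a finite activity set, roles that group activities, per-user grants that bypass the role assignment, a menu that lists only what the user may do, and the server-side check that runs before an activity page opens. The activity names, role names and menu labels are assumptions made up for the example.

```python
# Added example (not from the original post): a minimal activity/role model.
# Activities are the finite set of things the application can do; roles group
# them; a user gets a role plus optional per-user grants for the case where
# only one specific user may do one specific activity.
from dataclasses import dataclass, field

# The finite set of activities in this (hypothetical) application.
ACTIVITIES = {
    "view_content", "create_content", "update_content", "delete_content",
    "view_user", "create_user", "update_user", "delete_user",
}

# Roles group activities: 'administrator' can do everything, 'editor' only
# works on contents, 'viewer' can only view.
ROLES = {
    "administrator": set(ACTIVITIES),
    "editor": {"view_content", "create_content", "update_content", "delete_content"},
    "viewer": {"view_content"},
}


@dataclass
class User:
    name: str
    role: str
    active: bool = True
    # Per-user grants that bypass the role-activity assignment.
    extra_activities: set = field(default_factory=set)


def allowed_activities(user):
    """Activities the user may perform: role activities plus direct grants.
    An inactive user gets nothing, whatever the role says."""
    if not user.active:
        return set()
    granted = ROLES.get(user.role, set()) | user.extra_activities
    # A typo or stale grant must not name an activity the app does not have.
    return granted & ACTIVITIES


def is_allowed(user, activity):
    return activity in allowed_activities(user)


# Menu entries: (label, activity). The menu lists only what the user may do.
MENU = [
    ("View contents", "view_content"),
    ("New content", "create_content"),
    ("Delete content", "delete_content"),
    ("Manage users", "view_user"),
]


def menu_for(user):
    return [label for label, activity in MENU if is_allowed(user, activity)]


def route(user, activity):
    """Server-side check done before the activity page is opened. Hiding a
    menu item is not enough on its own, because the page can be requested
    without going through the menu, so the check is repeated here."""
    if activity not in ACTIVITIES:
        return "not_found"
    if not is_allowed(user, activity):
        return "access_denied"
    return f"page:{activity}"


if __name__ == "__main__":
    editor = User("erin", "editor")
    print(menu_for(editor))           # only the content-related entries
    print(route(editor, "delete_user"))  # access_denied
```

The intersection with ACTIVITIES in allowed_activities is the detail worth keeping: it means a grant can only ever name something the application actually implements, so the set of reachable pages stays finite and reviewable.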
User Record
A user record is required for access control, and your application needs one too. Designing the user record can be confusing because there are two concerns: (1) the user as seen by access control and (2) the user as seen by your application. Access control needs the credential record: the login user name, the password and a flag indicating whether the user is still active. Your application may need to keep more user information, such as the real name, email address and phone number.
It is better to keep two separate user records. The main user record holds the credentials for access control; the secondary user record is for your application's use. Make sure the secondary record links to the main record's identity (id). The main record, however, should not depend on the secondary one, so that your access control library can be reused.
Security
In access control, security is about preventing identity theft. We start with password hashing: we do not keep the user's password as is in the user record, only its hash, so that no one knows the actual password, the administrator included; well, except the owner of the password.
We limit the information we keep in cookies, or better still, avoid cookies altogether where we can. Attackers may use information in cookies to steal an identity.
We validate every user input, including the login information, so that only clean data passes through our application. Unvalidated user input must never reach our application's SQL string, to prevent SQL injection attacks.
We must make sure that when a user logs out, the session data is deleted. Automatic log-out after a period of inactivity can also be applied.
Activity logging is another feature that supports security. Data in the log can be used to trace malicious activity and to help prevent future occurrences.
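The measures in this section, together with the split main/secondary user record described under User Record, as one added example (not code from the original post) on an in-memory SQLite store: salted password hashing, a whitelist on the login name, parameter-bound SQL so input never becomes part of the query string, a session that is removed on log-out or after a period of inactivity, and an activity log. The table and column names, the 15-minute timeout and the PBKDF2 parameters are assumptions for the example.

```python
# Added example (not from the original post): credential storage, sessions
# and logging on an in-memory SQLite database. Table names, column names and
# SESSION_TIMEOUT are assumptions made for the example.
import hashlib
import hmac
import secrets
import sqlite3
import time

SESSION_TIMEOUT = 15 * 60  # seconds of inactivity before automatic log-out (assumed)


def hash_password(password, salt=None):
    """Return 'salthex$digesthex'; the password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(candidate, stored)


def open_store():
    db = sqlite3.connect(":memory:")
    # Main record: credentials only, so the access-control code stands alone.
    db.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, login TEXT UNIQUE,"
               " pw_hash TEXT, active INTEGER)")
    # Secondary record: application data, linked to the main record by id.
    db.execute("CREATE TABLE profile (account_id INTEGER REFERENCES account(id),"
               " real_name TEXT, email TEXT)")
    db.execute("CREATE TABLE session (token TEXT PRIMARY KEY, account_id INTEGER, last_seen REAL)")
    db.execute("CREATE TABLE activity_log (ts REAL, login TEXT, event TEXT)")
    return db


def log_event(db, login_name, event, now):
    db.execute("INSERT INTO activity_log VALUES (?, ?, ?)", (now, login_name, event))


def create_user(db, login_name, password, real_name, email):
    cur = db.execute("INSERT INTO account (login, pw_hash, active) VALUES (?, ?, 1)",
                     (login_name, hash_password(password)))
    db.execute("INSERT INTO profile VALUES (?, ?, ?)", (cur.lastrowid, real_name, email))
    return cur.lastrowid


def validate_login(login_name):
    """Whitelist the login name before it goes anywhere near the database."""
    return 1 <= len(login_name) <= 32 and login_name.replace("_", "").isalnum()


def login(db, login_name, password, now=None):
    """Return a session token, or None. Values are bound as parameters,
    never concatenated into the SQL string."""
    now = time.time() if now is None else now
    if not validate_login(login_name):
        log_event(db, login_name, "login_rejected_invalid_input", now)
        return None
    row = db.execute("SELECT id, pw_hash, active FROM account WHERE login = ?",
                     (login_name,)).fetchone()
    if row is None or not row[2] or not verify_password(password, row[1]):
        log_event(db, login_name, "login_failed", now)
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO session VALUES (?, ?, ?)", (token, row[0], now))
    log_event(db, login_name, "login_ok", now)
    return token


def session_user(db, token, now=None):
    """Account id for a live session. An idle session is deleted and rejected."""
    now = time.time() if now is None else now
    row = db.execute("SELECT account_id, last_seen FROM session WHERE token = ?",
                     (token,)).fetchone()
    if row is None:
        return None
    if now - row[1] > SESSION_TIMEOUT:
        logout(db, token)
        return None
    db.execute("UPDATE session SET last_seen = ? WHERE token = ?", (now, token))
    return row[0]


def logout(db, token):
    """Log-out removes the session record outright."""
    db.execute("DELETE FROM session WHERE token = ?", (token,))


def events(db, login_name):
    return [r[0] for r in db.execute(
        "SELECT event FROM activity_log WHERE login = ? ORDER BY ts, rowid", (login_name,))]
```

Two points are easy to miss when reading it: the profile table references the account id but the account table knows nothing about the profile, which is what lets the credential handling be reused; and session_user both enforces the inactivity timeout and refreshes last_seen, so an active user is never timed out while an abandoned session is cleaned up the next time its token is presented.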