Give unique User rights for unique "resource" about accesscontrol HOT 8 OPEN

Also interested in this.

from accesscontrol.

@dominikstohl If I understood correctly, you need a policy/attribute based access control framework. accesscontrol works purely with roles(RBAC)

from accesscontrol.

@iNDicat0r accesscontrol is not purely RBAC, as it states in the docs.

from accesscontrol.

@sarneeh I agree, but in accesscontrol permissions are assigned relative to the role, something which isn't a requirement in ABAC systems.

from accesscontrol.

@iNDicat0r ABAC is not too familiar to me so I didn't know the difference. Btw - are you aware of some ABAC example implementations? I was looking for something like that but can't find anything in the Node.js world.

from accesscontrol.

@sarneeh https://github.com/ory/ladon is written in Go and is inspired by AWS IAM. You can write a standalone authorization server on top of it and use your nodejs app to communicate and ask for authorization.

from accesscontrol.

This library doesn't implement ABAC. It gives simplified version of managing roles. Can you define attribute check in the library? You can't. See #8 and #12.

ABAC means that you need to validate attributes properly that have or not have certain values. Here's for example a library, that supports proper ABAC approach - https://github.com/YLuchaninov/PolicyLine#differences-from-other-libraries. Wiki page for reference.

from accesscontrol.

In my app, i have defined that user are like role that are prefix by "u-" in there name. So you can have a user u-admin that inherite from the role admin. It's not perfect but it works fine. Update library to handle role and user would be great.
For access on a specific resource, you need to give own grant on a resource and store on your database which resources of this type the user have access.
In my case i use a table with field resource_type and resource_pkey. So i can search for all resources of type foo that the user have access.

By doing this, you are clearly out of the scope of this library in it's actual version and it involve some development of your part but i haven't find better solution, except to used a big authorization solution like Keycloak.

from accesscontrol.