D4no0
Are there RBAC libraries capable of getting partial data from database based on policies?
I had the possibility of working on a project where we required a fully configurable RBAC system capable of showing partial data for a user based on his context. I implemented it at that time from scratch, guided by a white paper. I was wondering if something like that exists in the Elixir ecosystem currently?
As an example let’s say we have an organization entity, now each user assigned to a specific organization can see only the local data to that organization (related to how all users you create can see buckets created by you and not system wide in S3).
Now in terms of policies, there are 2 kinds (the names might be different in literature):
- General access policies (an example would be the possibility to add new data, policies like these are always used in frontend to either show/hide some part of functionality)
- Granular policies (an example of such a policy is how you allow a user to have access only to one or more specific buckets in S3)
The requirements of the system we needed were the following (as to make it clear what kind of system is in place):
- Policies should be configurable at runtime from frontend; (just like you can configure AWS policies)
- Partial data access is not applicable to only one table. (ideally it should work correctly when the data is aggregated too)
Since finding a library for such a topic is harder than it seems, I was wondering if any of you have done something similar and know any libraries that can achieve this in Elixir?
If not, I was thinking about polishing the concept and releasing a library for painless dealing with this problem, as I find that I always arrive at the conclusion that 1 of 3 projects I do start as simple RBAC concepts and in the end end up with a custom implementation of this concept at database level.
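The two policy kinds and the organization scoping described in this post, sketched as an added example (it is not code from the poster or from any library mentioned in the thread). The module name, the policy fields and the sample rows are all assumptions, an in-memory list stands in for the database query, and computing aggregates over the scoped rows only is one reading of the aggregation requirement.

```elixir
defmodule ScopedAccess do
  # Constructed policy rows, shaped as a runtime-editable table might store them.
  # resource_ids: :all is a general policy, a list of ids is a granular policy.
  def sample_policies do
    [
      %{role: :member, resource: :bucket, action: :create, resource_ids: :all},
      %{role: :member, resource: :bucket, action: :read, resource_ids: [1, 3]},
      %{role: :admin, resource: :bucket, action: :read, resource_ids: :all}
    ]
  end

  # General check: may the user perform the action at all (show/hide in the UI)?
  def can?(policies, user, action, resource),
    do: matching(policies, user, action, resource) != []

  # Partial data: keep only rows in the user's organization that some policy
  # covers. With no matching policy nothing is returned (deny by default).
  def scope(rows, policies, user, action, resource) do
    grants = matching(policies, user, action, resource)

    Enum.filter(rows, fn row ->
      row.org_id == user.org_id and Enum.any?(grants, &covers?(&1, row.id))
    end)
  end

  # Aggregates are computed over the scoped rows, never over the full table.
  def total_size(rows, policies, user) do
    rows |> scope(policies, user, :read, :bucket) |> Enum.map(& &1.size) |> Enum.sum()
  end

  defp matching(policies, user, action, resource) do
    Enum.filter(policies, fn p ->
      p.role in user.roles and p.action == action and p.resource == resource
    end)
  end

  defp covers?(%{resource_ids: :all}, _id), do: true
  defp covers?(%{resource_ids: ids}, id), do: id in ids
end

# Constructed sample data: bucket 3 is granted by id but sits in another organization.
buckets = [%{id: 1, org_id: 10, size: 5}, %{id: 2, org_id: 10, size: 7}, %{id: 3, org_id: 20, size: 9}]
user = %{org_id: 10, roles: [:member]}
policies = ScopedAccess.sample_policies()

IO.inspect(ScopedAccess.can?(policies, user, :create, :bucket), label: "can create")
IO.inspect(ScopedAccess.scope(buckets, policies, user, :read, :bucket), label: "visible")
IO.inspect(ScopedAccess.total_size(buckets, policies, user), label: "aggregate")
```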
Most Liked
sbuttgereit
My current project has RBAC needs and when I looked for libraries a year ago or so I didn’t really find anything that fit the bill. Certainly not with the nuance I needed so I ended up just building something for the project.
I think one difference between what I’ve built and your requirements is that I think you’re looking for something which operates at a lower level of enforcement than my system aims to do; almost like a way to do application enforced row-based security instead of using the database roles for that purpose; I get this impression from your discussion of aggregates. In my system, for example, I might not have permission to view, say, product shipment details aside from my “own” orders, but I could well have permission to view aggregate shipment data which is derived from all shipping detail records. I take this to mean that what I’ve built is more disconnected from what it might be defining permissions for than what you’re thinking.
The link below describes what I ended up putting together:
Apologies for any bad writing in advance… wrote this pretty quickly primarily for future me.
I do think a library could be cool for more advanced RBAC needs either way.
mayel
We’ve an opinionated implementation at bonfire-networks/bonfire_boundaries (Circles, ACLs, etc.) on GitHub, and while it’d be quite easy to extract into a more generic/reusable library, it would still require buying into Pointers (see https://doc.bonfirenetworks.org/database.html for a more verbose explanation). Is that something you’d be interested in?
linusdm
Btw, @PJUllrich did blog about introducing a role-based security system into Phoenix applications.








