D4no0


Are there RBAC libraries capable of getting partial data from database based on policies?

I had the possibility of working on a project where we required a fully configurable RBAC system capable of showing partial data for a user based on his context. I implemented it at that time from scratch, guided by a white paper. I was wondering if something like that exists in the Elixir ecosystem currently?

As an example, let’s say we have an organization entity; now each user assigned to a specific organization can see only the data local to that organization (similar to how all users you create can see buckets created by you, and not system-wide, in S3).

Now in terms of policies, there are 2 kinds (the names might be different in literature):

  1. General access policies (an example would be the possibility to add new data; policies like these are always used in the frontend to either show/hide some part of the functionality)
  2. Granular policies (an example of such a policy is how you allow a user to have access only to one or more specific buckets in S3)

The requirements of the system we needed were the following (as to make it clear what kind of system is in place):

  1. Policies should be configurable at runtime from the frontend (just like you can configure AWS policies)
  2. Partial data access is not applicable to only one table (ideally it should work correctly when the data is aggregated too)

Since finding a library for such a topic is harder than it seems, I was wondering if any of you have done something similar and know any libraries that can achieve this in Elixir?

If not, I was thinking about polishing the concept and releasing a library for painlessly dealing with this problem, as I find that I always arrive at the conclusion that 1 of 3 projects I do start as simple RBAC concepts and end up with a custom implementation of this concept at the database level.
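The two policy kinds and the organization scoping described above, as an added example in plain Elixir (not code from the original post or from any library mentioned in this thread). Role names, the `:bucket` resource, the sample rows and the policy table are all constructed for illustration; a real system would load the policy map from a database row the frontend edits and would push the filter into an Ecto query instead of `Enum.filter/2`.

```elixir
# Added example: general policies gate actions, granular policies narrow rows,
# and every row is also scoped to the user's organization (constructed data throughout).
defmodule RowScopedRbac do
  # Constructed sample data: buckets belonging to two organizations.
  @buckets [
    %{id: "b1", org_id: 1, size: 10},
    %{id: "b2", org_id: 1, size: 30},
    %{id: "b3", org_id: 2, size: 5}
  ]

  # Runtime-editable policy table: role => list of policies (a plain map, so it
  # can be stored and changed without a redeploy).
  def default_policies do
    %{
      admin: [{:general, :create_bucket}, {:granular, :bucket, :all}],
      viewer: [{:granular, :bucket, ["b2"]}]
    }
  end

  # General policy check: this is what drives show/hide of functionality.
  def can?(policies, user, action) do
    user.roles
    |> Enum.flat_map(&Map.get(policies, &1, []))
    |> Enum.any?(&match?({:general, ^action}, &1))
  end

  # Granular policy: union of bucket ids granted by the user's roles, or :all.
  defp allowed_ids(policies, user) do
    user.roles
    |> Enum.flat_map(&Map.get(policies, &1, []))
    |> Enum.reduce([], fn
      {:granular, :bucket, :all}, _acc -> :all
      {:granular, :bucket, ids}, acc when is_list(acc) -> acc ++ ids
      _, acc -> acc
    end)
  end

  # Row-level filter: organization scope first, then the granular ids.
  def visible(policies, user, rows \\ @buckets) do
    ids = allowed_ids(policies, user)
    Enum.filter(rows, fn row ->
      row.org_id == user.org_id and (ids == :all or row.id in ids)
    end)
  end

  # Aggregates run over the already-filtered rows, so a partial-access user
  # never learns a total that includes rows they cannot see.
  def total_size(policies, user, rows \\ @buckets) do
    visible(policies, user, rows) |> Enum.map(& &1.size) |> Enum.sum()
  end
end
```

With `default_policies/0`, a user `%{org_id: 1, roles: [:viewer]}` sees only `b2` and gets a `total_size/2` of 30, while `%{org_id: 1, roles: [:admin]}` sees `b1` and `b2` (total 40) and passes `can?/3` for `:create_bucket`; neither ever sees organization 2's bucket.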

Most Liked

sbuttgereit


My current project has RBAC needs and when I looked for libraries a year ago or so I didn’t really find anything that fit the bill. Certainly not with the nuance I needed so I ended up just building something for the project.

I think one difference between what I’ve built and your requirements is that I think you’re looking for something which operates at a lower level of enforcement than my system aims to do; almost like a way to do application enforced row-based security instead of using the database roles for that purpose; I get this impression from your discussion of aggregates. In my system, for example, I might not have permission to view, say, product shipment details aside from my “own” orders, but I could well have permission to view aggregate shipment data which is derived from all shipping detail records. I take this to mean that what I’ve built is more disconnected from what it might be defining permissions for than what you’re thinking.

The link below describes what I ended up putting together:

https://github.com/MuseSystems/musebms/blob/next_version/app_server/components/system/mscmp_syst_perms/README.md

Apologies for any bad writing in advance… wrote this pretty quickly primarily for future me.

I do think a library could be cool for more advanced RBAC needs either way.

mayel


We’ve an opinionated implementation at bonfire-networks/bonfire_boundaries on GitHub (circles, ACLs, etc.), and while it’d be quite easy to extract into a more generic/reusable library, it would still require buying into Pointers (see https://doc.bonfirenetworks.org/database.html for a more verbose explanation). Is that something you’d be interested in?

linusdm


Btw, @PJUllrich did blog about introducing a role-based security system into Phoenix applications.

https://www.peterullrich.com/build-a-rap-for-phoenix-part-1
