Attribute-based Access Control (ABAC) and a DDD application

Hello!

I’m trying to figure out how to implement a complicated authorization scheme and allow to change the rules at run-time (without altering code base). Currently I evaluating this for a DDD (CQRS\ES) application I’am planning but it is more general question I think.

So let’s imagine we have the next set of authorization rules in the specs:

Pic with a table

acl-1945×468 14.3 KB

It is possible to hard-code this rules but obviously I think it’s a dirty practice to put authorization code into the core domain for the one hand, and it will be non-trivial to support and extend this rules, especially when new domains, entities and\or attributes come to the scene.

So I think about ABAC with some kind of XACML implementation. In this case it would be possible to make policies like:

Policy name: List awaiting documents orders
Effect: Allow
Union: All
Rule 1: CommandOrQuery == ListOrders
Rule 2: Subject.Role == “Branch operator”
Rule 3: Object.Creator.Branch == Subject.Branch
Rule 4: Object.Status == “Documents required”

In case of commands Object-related rules become conditions, I believe.

Then it will be necessary to send the whole object and subject (user in our case) to the Application level authorization service like:

defmodule MyApp.Orders.Queries.ListOrders do
  alias MyApp.Orders.Projections.{User, Order}

  def execute(params, %User{} = user) do
    case MyApp.SecurityDomain.can?(__MODULE__, Order, user) do
      :not_authorized -> {:error, :not_authorized}
      conditions -> params
                    |> Map.merge(conditions)
                    |> buildQuery()
                    |> runQuery()
    end
  end

end

defmodule MyApp.SecurityDomain do
  def can?(MyApp.Orders.Queries.ListOrders, object, subject) do
    ...
  end
end

Sure, there will be a lot of difficulties beginning from query builder, especially with rules\conditions like in my example (Order aggregation and projection must have a Creator structure (even sub-aggregate probably) with Branch field) and so on, Order domain must follow User events and update appropriate local user aggregates etc etc.

But this will be let the security officers to create very flexible rules right at the run-time without developers intervention and downtime.

Of course I may over-complicate things and the same can be done much more easily. If so please let me know where can I read best practice and realization (especially in Elixir). Haven’t seen any examples of the more or less complete authorization system, all applications\articles I found have very simple auth part.

What do you think?

I think you’re on the right track. A couple of suggestions:

• If you’re using Commanded as your CQRS framework, which is the most commonly used in Elixir, you can use a middleware around command dispatch for authorization, which would be a good place to put your check.
• There are a few libraries for authorization already on the scene; it might be worth looking at them.
• If you’re going to roll your own (which is perfectly acceptable in my mind) you might look at using a protocol and providing implementations in different contexts that have different business rules around when a command can be dispatched.

Hey @heathen, it’s funny as I went to same scenario as you (actually not that funny as it is common use case in real world app). I was struggling with hard coded rules as you but recently I created the library

I think it can cover many cases (if not all) in your described chart. Could you give a look to it? Thanks! I would love to see problems and cover any possible scenario needed and your complex table looks as good start

A couple of messages around this subject appeared in different threads on this forum. The XACML standard https://en.wikipedia.org/wiki/XACML was named. As I built a (start of) a rules engine in the past, as part of a BPMS (start of also, haha), I wonder if it would be interesting to use the broader DMN standard for this, for which open source modelers, interpreters (execution engines I mean) and validators are available. At least from Camunda. Here some thoughts / questions about the position of XACML, modelers and execution engines (search for keyword XACML), note: the book is almost 10 yrs old: https://books.google.nl/books?id=8kJSr9JEaGsC&pg=PT256&lpg=PT256&dq="rules+engine"+xacml&source=bl&ots=yajaur0O6z&sig=5F6uKamom-m2Ae36sjUNMhrI91M&hl=en&sa=X&ved=2ahUKEwjR1_zfttjfAhXS66QKHfpcBjkQ6AEwCnoECAIQAQ#v=onepage&q="rules%20engine"%20xacml&f=false