Introduction
Policies are a fine-grained model for applying security restrictions to the various entities in a business application.
Can I achieve fine-grained access only with Policies?
The answer is no. The same restrictions can be modelled with entity-level permissions, for example per-feature permissions. So what is special about policies? A policy is typically an agreed-upon JSON document that a user can author and attach to an entity, or to a specific record within an entity.
Because it is JSON, a policy is easy to define and can carry wildcards, regex matches and similar patterns, which are awkward to manage in other formats.
Design
The diagram below illustrates how policies are created and enforced in an application.
Enforcement is done in the entity service, which forwards the access request to a policy manager. The policy manager queries the database or policy store for the policies that apply to the entity.
Once the policies are fetched, the policy manager matches them against the incoming request data (principal, action and resource) and keeps the ones that apply.
The filtered policies are then evaluated against the data: each matching statement contributes its effect, and the combined result is the decision for the request. Two rules matter here for safety: an explicit deny must override any allow, and a request that matches no statement at all must be treated as denied rather than allowed.
A successful evaluation results in a grant to access the data; in the denied case an access-denied message is returned to the end user.
Sample Policy
Below is a sample AWS S3 object access policy listing the operations (actions) that are allowed. Actions that are to be disallowed can be expressed in a similar statement with "Effect": "Deny".
```json
{
  "Id": "Policy1651233244327",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1651233242247",
      "Action": [
        "s3:GetBucketNotification",
        "s3:GetBucketVersioning",
        "s3:GetObject",
        "s3:GetObjectAttributes",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAttributes"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket/artifacts",
      "Principal": {
        "AWS": [ "arn:aws:iam::<account-id>:user/saravanan" ]
      }
    }
  ]
}
```
A few details to check before using a policy like this: an S3 object ARN separates bucket and key with a slash (arn:aws:s3:::mybucket/artifacts), and the Principal must be a full IAM ARN rather than a bare user name (<account-id> is a placeholder for the account that owns the user). Note also that s3:GetBucketNotification and s3:GetBucketVersioning are bucket-level actions; they only take effect if the bucket ARN arn:aws:s3:::mybucket is also listed under Resource, so in this policy they never match.
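The following is an added example, not code from the original post, showing the design flow above (entity service, policy manager, policy store, match, evaluate, grant or deny) applied to policies in the same JSON shape as the sample. The policy store is an in-memory dict, the principals, bucket and account id (111122223333, the AWS documentation placeholder) are constructed, and the "*" / "?" wildcards in Action, Resource and Principal are translated into regular expressions with fnmatch.translate. The evaluator also demonstrates the deny side of the sample: an explicit Deny statement overrides any Allow, and a request matching no statement is denied by default.

```python
import fnmatch
import re

# Constructed in-memory policy store, keyed by entity type. It stands in for
# the database / policy store in the design; all names and ARNs are made up.
POLICY_STORE = {
    "s3": [
        {
            "Id": "ArtifactsReadPolicy",
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AllowArtifactReads",
                    "Effect": "Allow",
                    "Principal": {"AWS": ["arn:aws:iam::111122223333:user/alice"]},
                    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                    "Resource": "arn:aws:s3:::mybucket/artifacts/*",
                },
                {
                    "Sid": "DenySecretsForEveryone",
                    "Effect": "Deny",
                    "Principal": "*",
                    "Action": "s3:*",
                    "Resource": "arn:aws:s3:::mybucket/artifacts/secrets/*",
                },
            ],
        }
    ]
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Principal may be "*" or {"AWS": [...]}; normalise to a list of patterns."""
    principal = statement.get("Principal", [])
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return _as_list(principal)


def _wildcard_match(pattern, value, ignore_case=False):
    """Match a policy pattern with "*" / "?" wildcards against a value.

    fnmatch.translate turns the wildcard pattern into an anchored regex, so
    "s3:Get*" matches "s3:GetObject", while the exact pattern "s3:GetObject"
    does not match "s3:GetObjectVersion". Action names are compared
    case-insensitively; resources and principals are case-sensitive.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(fnmatch.translate(pattern), value, flags) is not None


def fetch_policies(store, entity_type):
    """Step 2: the policy manager loads the policies for the entity type."""
    return store.get(entity_type, [])


def statement_applies(statement, principal, action, resource):
    """Step 3: a statement applies only if principal, action and resource
    all match the incoming request."""
    return (
        any(_wildcard_match(p, principal) for p in _principals(statement))
        and any(_wildcard_match(a, action, ignore_case=True)
                for a in _as_list(statement["Action"]))
        and any(_wildcard_match(r, resource)
                for r in _as_list(statement["Resource"]))
    )


def evaluate(policies, principal, action, resource):
    """Step 4: combine the effects of the applicable statements.

    An explicit Deny wins over any Allow, and a request that matches no
    statement at all is denied by default (implicit deny).
    """
    decision = "Deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not statement_applies(statement, principal, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny: nothing else can override it
            if statement["Effect"] == "Allow":
                decision = "Allow"  # keep scanning in case a Deny follows
    return decision


def authorize(entity_type, principal, action, resource, store=POLICY_STORE):
    """Steps 1 and 5: the entity service calls this and gets grant (True) or denial (False)."""
    return evaluate(fetch_policies(store, entity_type), principal, action, resource) == "Allow"


if __name__ == "__main__":
    alice = "arn:aws:iam::111122223333:user/alice"
    bob = "arn:aws:iam::111122223333:user/bob"
    build = "arn:aws:s3:::mybucket/artifacts/build.tar.gz"
    secret = "arn:aws:s3:::mybucket/artifacts/secrets/key.pem"
    for label, who, what, where in [
        ("alice reads a build artifact", alice, "s3:GetObject", build),
        ("alice reads a secret (explicit deny)", alice, "s3:GetObject", secret),
        ("alice writes an artifact (no allow)", alice, "s3:PutObject", build),
        ("bob reads a build artifact (no allow)", bob, "s3:GetObject", build),
    ]:
        print(f"{label}: {'granted' if authorize('s3', who, what, where) else 'access denied'}")
```

The evaluator keeps scanning after an Allow because a later Deny on the same request must still be honoured; returning on the first Allow is the classic mistake that turns a deny-list statement into dead code.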