heise + | Flexible authorization with the Open Policy Agent
Source: Heise.de, added 19th Oct 2020
What a user is allowed to do in software is usually decided on the basis of a role model. With the Open Policy Agent you can control who can do what more flexibly.
(Image: Albert Hulm)
Every application that is to be accessed by more than one user must repeatedly answer the following all-important question: Is this user really allowed to perform the desired action? In enterprise applications, a lot depends on getting this question right. Who is allowed to do what is usually not decided by the software developer himself – rather, he is given the rules that apply in the company in full sentences and has the task of translating them for the application. Such rules can look something like this:
Employees from the purchasing department may approve orders of up to 1,000 euros. The deputy head may approve up to 10,000 euros. The head of the purchasing department may approve everything.
To approach the problem, one usually resorts to a model that simplifies such authorizations. Many developers choose a role-based access control (RBAC) model. In such a system there are users, groups and roles. A user can be a member of several groups. Roles can be assigned to users and groups – the application then decides in each case whether the role that is necessary to perform an action is present. In the best case, the authorization check can even be outsourced to a separate RBAC component so that the code of the application and the rules of the company do not mix.
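The role check described above, written as a small RBAC component kept apart from application code. This is an added example, not code from the article: it uses the role names purchase_employee, purchase_deputy and purchase_head, while the user names, group names and the `Directory` and `may_approve` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Approval limit in euros per role; None means "no upper limit".
# Limits follow the three rules quoted above.
ROLE_LIMITS: dict[str, Optional[Decimal]] = {
    "purchase_employee": Decimal("1000"),
    "purchase_deputy": Decimal("10000"),
    "purchase_head": None,
}

@dataclass
class Directory:
    """Hypothetical store of users, groups and role assignments."""
    user_groups: dict[str, set[str]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    group_roles: dict[str, set[str]] = field(default_factory=dict)

    def roles_of(self, user: str) -> set[str]:
        # Effective roles = direct assignments + roles of every group.
        roles = set(self.user_roles.get(user, set()))
        for group in self.user_groups.get(user, set()):
            roles |= self.group_roles.get(group, set())
        return roles

def may_approve(directory: Directory, user: str, amount: Decimal) -> bool:
    """Deny by default; allow only if an effective role covers the amount."""
    if not isinstance(amount, Decimal) or not amount.is_finite() or amount <= 0:
        return False  # malformed amounts never reach the role check
    for role in directory.roles_of(user):
        if role not in ROLE_LIMITS:
            continue  # roles unrelated to purchasing grant nothing here
        limit = ROLE_LIMITS[role]
        if limit is None or amount <= limit:
            return True
    return False

# Constructed sample data: bob inherits two roles through two groups,
# carol holds purchase_head through a direct assignment.
SAMPLE = Directory(
    user_groups={"alice": {"purchasing"}, "bob": {"purchasing", "deputies"},
                 "carol": {"purchasing"}},
    user_roles={"carol": {"purchase_head"}},
    group_roles={"purchasing": {"purchase_employee"},
                 "deputies": {"purchase_deputy"}},
)
```

Every decision here depends only on the role and the amount; the limits live in one table, so a change to a limit does not touch the application code.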
For the three rules formulated above you would need three roles, for example purchase_employee, purchase_deputy and purchase_head. The limits of RBAC are reached at the latest when the decision-makers have come up with another rule and put it on the table for the developer: