Software Security, User Management, the basic stuff…

Patroclos Lemoniatis
Aug 14, 2023

Managing user access quickly becomes a headache when the existing security setup cannot accommodate the access requirements of an enterprise application.

But what is user management, and why is it so important?

First things first!

Authentication, Authorization and Audit Logging are the three controls through which C-I-A (Confidentiality, Integrity, Availability) is implemented and enforced.

  • Authentication: verifying who is logging in, using credentials
  • Authorization: restricting access to specific processes and entities
  • Audit Logging: recording user actions

How will user management be implemented and configured?

Authentication

  • Password expiration policy?
  • Lock the user account after a certain number of failed login attempts?
  • Maximum number of concurrent sessions allowed per user account?
  • Enable two-factor authentication?

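The three questions above (expiration, lockout, session cap) are easier to reason about once written as one login decision. The following is an added example, not code from the post or its repository: a plain Java policy evaluator in which the thresholds, the `Account` class and the `credentialCheck` predicate (standing in for a real salted, slow password hash check) are assumptions. It runs stand-alone on Java 11 or later with `java AuthenticationPolicy.java`.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Predicate;

/**
 * Added example (not from the original post): enforcing the authentication
 * policies listed above. Thresholds and names are assumptions, not values from the post.
 */
public class AuthenticationPolicy {

    static final int MAX_FAILED_ATTEMPTS = 5;                      // assumed lockout threshold
    static final Duration LOCKOUT = Duration.ofMinutes(15);        // assumed lock duration
    static final Duration PASSWORD_MAX_AGE = Duration.ofDays(90);  // assumed expiration policy
    static final int MAX_SESSIONS = 2;                             // assumed per-account session cap

    enum Outcome { OK, BAD_CREDENTIALS, LOCKED, PASSWORD_EXPIRED, TOO_MANY_SESSIONS }

    static final class Account {
        final String username;
        // Stands in for a salted, slow password hash comparison (bcrypt/argon2) in a real system.
        final Predicate<String> credentialCheck;
        Instant passwordChangedAt;
        int failedAttempts;
        Instant lockedUntil;      // null when the account is not locked
        int activeSessions;

        Account(String username, Predicate<String> credentialCheck, Instant passwordChangedAt) {
            this.username = username;
            this.credentialCheck = credentialCheck;
            this.passwordChangedAt = passwordChangedAt;
        }
    }

    /** Evaluates the policies in order; 'now' is injected so the logic is testable. */
    static Outcome login(Account acct, String presentedPassword, Instant now) {
        // 1. Lockout is checked before the password, so a locked account never reveals
        //    whether the presented password was correct.
        if (acct.lockedUntil != null && now.isBefore(acct.lockedUntil)) {
            return Outcome.LOCKED;
        }
        // 2. Credential check; count failures and lock when the threshold is reached.
        if (!acct.credentialCheck.test(presentedPassword)) {
            acct.failedAttempts++;
            if (acct.failedAttempts >= MAX_FAILED_ATTEMPTS) {
                acct.lockedUntil = now.plus(LOCKOUT);
                acct.failedAttempts = 0;
                return Outcome.LOCKED;
            }
            return Outcome.BAD_CREDENTIALS;
        }
        // 3. Password expiration: correct password, but the user must rotate it first.
        if (Duration.between(acct.passwordChangedAt, now).compareTo(PASSWORD_MAX_AGE) > 0) {
            return Outcome.PASSWORD_EXPIRED;
        }
        // 4. Concurrent session cap.
        if (acct.activeSessions >= MAX_SESSIONS) {
            return Outcome.TOO_MANY_SESSIONS;
        }
        // Success: reset the failure counter and open a session.
        // A second factor, if enabled, would be verified here before the session is opened.
        acct.failedAttempts = 0;
        acct.lockedUntil = null;
        acct.activeSessions++;
        return Outcome.OK;
    }

    static void logout(Account acct) {
        if (acct.activeSessions > 0) acct.activeSessions--;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2023-08-14T09:00:00Z");   // constructed clock value
        Account alice = new Account("alice", p -> "s3cret-example".equals(p), t0.minus(Duration.ofDays(10)));
        for (int i = 0; i < MAX_FAILED_ATTEMPTS; i++) {
            System.out.println("wrong password -> " + login(alice, "guess" + i, t0.plusSeconds(i)));
        }
        System.out.println("right password while locked -> " + login(alice, "s3cret-example", t0.plusSeconds(60)));
        Instant later = t0.plus(LOCKOUT).plusSeconds(1);
        System.out.println("after lockout, 1st session -> " + login(alice, "s3cret-example", later));
        System.out.println("after lockout, 2nd session -> " + login(alice, "s3cret-example", later));
        System.out.println("after lockout, 3rd session -> " + login(alice, "s3cret-example", later));
        Account bob = new Account("bob", p -> "example-pw".equals(p), t0.minus(Duration.ofDays(120)));
        System.out.println("stale password -> " + login(bob, "example-pw", t0));
    }
}
```

The order of the checks is the security-relevant part: the lock is tested before the password so an attacker cannot use a locked account as a password oracle, and the failure counter is only reset on a fully successful login, never on a password-expired or too-many-sessions outcome.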
Authorization

  • How to properly and efficiently implement Role-Based Access Control [RBAC], assigning permissions and privileges so that only authorized users gain access?
  • Implement Entity-Based Access Control [EBAC]?
  • Group user accounts?
  • Protect data by filtering the datasets retrieved from the database according to the user's group?

Audit Log

  • Set a retention policy?
  • Store an audit history of changes, and at what level of detail?

All that and more should be taken into consideration when applying security controls across an enterprise application.

But let's give it a try: design a basic Role-Based Access Control scheme and apply entity access permissions on top of it …

What is RBAC?

Rule-Based Access Control creates access permissions from a predetermined set of rules that allow or deny users access within the application system, regardless of their role or position in the organization.

What is EBAC?

Entity-Based Access Control introduces entities as a primary concept: each entity is assigned permissions for the operations READ, CREATE, UPDATE and DELETE.

Let’s begin …

The administrator assigns system roles to a group of users:

  • User A is assigned ROLE_MANAGER
  • User B is assigned ROLE_SUPERVISOR
  • User C is assigned ROLE_USER

All these users are grouped together to form the IT Department.

Each system role has access to a set of system processes.

User C holds the lowest role in the hierarchy and consequently has access to Process C only; User C cannot execute Process A or Process B.

User B has access to both Process B and Process C.

User A, as MANAGER, can execute all three processes.

Defining entity access policies along the same lines, User C should have READ and CREATE permission on Entity X.

User B, as SUPERVISOR, should have permission to READ, CREATE and UPDATE Entity X.

User A, as MANAGER, has permission to READ, CREATE, UPDATE and DELETE Entity X.

What has been achieved here is securing system processes and data from unauthorized access and manipulation, avoiding information leaks and improper modification by potentially malicious users.
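The role hierarchy and entity policy above can be encoded directly so that a process or operation is allowed when the caller's role is at or above the minimum role the policy demands. The following is an added example, not code from the post or its repository: a framework-independent Java model in which the role, process and entity names follow the post, while the ordinal-based hierarchy encoding (the same idea Spring Security expresses with a RoleHierarchy), the `User` record and the method names are assumptions. It runs stand-alone on Java 17 or later with `java RoleHierarchyModel.java`.

```java
import java.util.Map;

/**
 * Added example (not from the original post): a framework-independent encoding of the
 * role hierarchy, process access and Entity X permissions described above.
 * Role, process and entity names follow the post; the encoding itself is an assumption.
 */
public class RoleHierarchyModel {

    // Declared lowest to highest: a role inherits everything granted to the roles below it.
    enum Role { ROLE_USER, ROLE_SUPERVISOR, ROLE_MANAGER }

    enum Process { PROCESS_A, PROCESS_B, PROCESS_C }

    enum Permission { READ, CREATE, UPDATE, DELETE }

    record User(String name, Role role) {}

    // RBAC: the minimum role required to execute each system process.
    private static final Map<Process, Role> PROCESS_MIN_ROLE = Map.of(
        Process.PROCESS_A, Role.ROLE_MANAGER,
        Process.PROCESS_B, Role.ROLE_SUPERVISOR,
        Process.PROCESS_C, Role.ROLE_USER);

    // EBAC: the minimum role required for each operation on Entity X.
    private static final Map<Permission, Role> ENTITY_X_MIN_ROLE = Map.of(
        Permission.READ,   Role.ROLE_USER,
        Permission.CREATE, Role.ROLE_USER,
        Permission.UPDATE, Role.ROLE_SUPERVISOR,
        Permission.DELETE, Role.ROLE_MANAGER);

    /** True when 'held' is at or above 'required' in the hierarchy. */
    static boolean dominates(Role held, Role required) {
        return held.ordinal() >= required.ordinal();
    }

    /** Deny by default: a process with no policy entry cannot be executed by anyone. */
    static boolean canExecute(User user, Process process) {
        Role required = PROCESS_MIN_ROLE.get(process);
        return required != null && dominates(user.role(), required);
    }

    /** Deny by default: an operation with no policy entry is not permitted for anyone. */
    static boolean hasPermissionOnEntityX(User user, Permission permission) {
        Role required = ENTITY_X_MIN_ROLE.get(permission);
        return required != null && dominates(user.role(), required);
    }

    public static void main(String[] args) {
        // The IT Department from the post: one user per role.
        User[] itDepartment = {
            new User("User A", Role.ROLE_MANAGER),
            new User("User B", Role.ROLE_SUPERVISOR),
            new User("User C", Role.ROLE_USER)
        };
        for (User u : itDepartment) {
            StringBuilder line = new StringBuilder(u.name() + " (" + u.role() + "):");
            for (Process p : Process.values()) {
                line.append(' ').append(p).append('=').append(canExecute(u, p) ? "allow" : "deny");
            }
            for (Permission perm : Permission.values()) {
                line.append(' ').append(perm).append("@X=")
                    .append(hasPermissionOnEntityX(u, perm) ? "allow" : "deny");
            }
            System.out.println(line);
        }
    }
}
```

Two design points worth noting: both lookups deny by default, so adding a new process or entity operation without a policy entry fails closed rather than open; and because the hierarchy lives in the enum order, granting SUPERVISOR a new process automatically grants it to MANAGER without touching a second table.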

A Sample Implementation

Let's look at an example of user management implemented with the Java Spring MVC framework.

There are 3 users and 2 roles, ROLE_ADMIN and ROLE_USER:

  • user Admin is assigned ROLE_ADMIN
  • user A and user B are assigned ROLE_USER

The Admin user assigns specific permissions to user A's role:

  • Administrator edits ROLE_USER to grant access
  • Administrator grants READ/CREATE on Entity [Article] to ROLE_USER

Scenario A

User A creates a new Article record:

  • user A, with ROLE_USER, logs in
  • user A creates a new Article
  • user A tries to edit the Article
  • user A is denied updating the Article, since ROLE_USER has no permission to update the entity [Article]

Scenario B

The Admin retrieves the audit log and reviews the changes:

  • Admin user logs in
  • the audit log records the creation of the new entity [Article]
  • the audit log also records the attribute details of the created [Article]

Scenario C

User B logs in and searches Articles to view the new Article created by user A. But user A and user B belong to different groups:

  • user A belongs to group AUTHORS
  • user B belongs to group DESIGNER
  • user B has no permission to retrieve the Article created by user A, since they belong to 2 different groups
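Scenarios A, B and C together exercise three separate controls: the per-role entity permission, the audit trail, and group-based filtering of retrieved data. The following is an added example, not the post's Spring MVC repository code: a plain Java walk-through of the three scenarios in which the roles, groups and entity name follow the post, while the `ArticleScenarios` class, its records, the in-memory lists and the method names are assumptions. It runs stand-alone on Java 17 or later with `java ArticleScenarios.java`.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not the post's repository): Scenarios A, B and C in plain Java, showing the
 * [Article] permission check, the audit log and group-based result filtering.
 * Roles, groups and entity names follow the post; everything else is an assumption.
 */
public class ArticleScenarios {

    enum Permission { READ, CREATE, UPDATE, DELETE }

    record User(String name, String role, String group) {}

    record Article(long id, String title, String createdBy, String ownerGroup) {}

    record AuditEntry(Instant at, String user, String action, long articleId, String outcome, String detail) {}

    // Entity policy for [Article] as granted by the administrator: ROLE_USER gets READ and CREATE only.
    private static final Map<String, Set<Permission>> ARTICLE_POLICY = Map.of(
        "ROLE_ADMIN", EnumSet.allOf(Permission.class),
        "ROLE_USER",  EnumSet.of(Permission.READ, Permission.CREATE));

    private final List<Article> articles = new ArrayList<>();   // stands in for the database table
    private final List<AuditEntry> auditLog = new ArrayList<>();
    private long nextId = 1;

    /** Deny by default: an unknown role has no permissions on Article. */
    static boolean allowed(User u, Permission p) {
        return ARTICLE_POLICY.getOrDefault(u.role(), EnumSet.noneOf(Permission.class)).contains(p);
    }

    // Every attempt is logged, denied ones included, so the administrator can review both.
    private void audit(User u, String action, long id, String outcome, String detail) {
        auditLog.add(new AuditEntry(Instant.now(), u.name(), action, id, outcome, detail));
    }

    Article create(User u, String title) {
        if (!allowed(u, Permission.CREATE)) {
            audit(u, "CREATE", 0, "DENIED", u.role() + " lacks CREATE on Article");
            throw new SecurityException(u.name() + ": CREATE denied");
        }
        Article a = new Article(nextId++, title, u.name(), u.group());
        articles.add(a);
        audit(u, "CREATE", a.id(), "OK", "title=" + title + ", group=" + u.group());
        return a;
    }

    Article update(User u, long id, String newTitle) {
        if (!allowed(u, Permission.UPDATE)) {
            audit(u, "UPDATE", id, "DENIED", u.role() + " lacks UPDATE on Article");
            throw new SecurityException(u.name() + ": UPDATE denied");
        }
        for (int i = 0; i < articles.size(); i++) {
            Article old = articles.get(i);
            if (old.id() == id) {
                Article updated = new Article(id, newTitle, old.createdBy(), old.ownerGroup());
                articles.set(i, updated);
                audit(u, "UPDATE", id, "OK", "title: " + old.title() + " -> " + newTitle);
                return updated;
            }
        }
        throw new IllegalArgumentException("no Article " + id);
    }

    /** Scenario C: READ permission alone is not enough; results are filtered by the caller's group. */
    List<Article> search(User u) {
        if (!allowed(u, Permission.READ)) {
            return List.of();
        }
        boolean seesAllGroups = "ROLE_ADMIN".equals(u.role());
        return articles.stream()
            .filter(a -> seesAllGroups || a.ownerGroup().equals(u.group()))
            .toList();
    }

    /** Scenario B: only the administrator may read the audit log. */
    List<AuditEntry> readAuditLog(User u) {
        if (!"ROLE_ADMIN".equals(u.role())) {
            throw new SecurityException(u.name() + ": audit log access denied");
        }
        return List.copyOf(auditLog);
    }

    public static void main(String[] args) {
        ArticleScenarios app = new ArticleScenarios();
        User admin = new User("Admin", "ROLE_ADMIN", "ADMINS");     // group name is an assumption
        User userA = new User("userA", "ROLE_USER", "AUTHORS");
        User userB = new User("userB", "ROLE_USER", "DESIGNER");

        // Scenario A: userA creates an Article, then is denied updating it.
        Article a = app.create(userA, "First article");
        try {
            app.update(userA, a.id(), "Edited title");
        } catch (SecurityException e) {
            System.out.println("Scenario A: " + e.getMessage());
        }

        // Scenario B: Admin reviews the audit log, which includes the denied update.
        app.readAuditLog(admin).forEach(e -> System.out.println("Scenario B: " + e));

        // Scenario C: userB's search excludes userA's Article because the groups differ.
        System.out.println("Scenario C: userB sees " + app.search(userB).size()
            + " article(s), Admin sees " + app.search(admin).size());
    }
}
```

The group filter is applied inside `search` rather than in the controller so that every retrieval path goes through it; in a real Spring MVC application the same predicate would be pushed into the repository query, and a denied attempt would still be written to the audit log before the exception propagates.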

The code can be found in the GitHub repository below …
