Managing user access often becomes a headache when the existing security setup cannot accommodate the access requirements of an enterprise application system.
But what is user management, and why is it so important?
First things first!
Authentication, Authorization and Audit Logging are the three mechanisms used to implement and enforce the C-I-A triad: Confidentiality, Integrity and Availability.
- Authentication: verifying a person's identity using credentials
- Authorization: restricting access to specific processes and entities
- Audit Logging: recording user actions
How will user management be implemented and configured?
- Password expiration policy?
- Locking a user account after a certain number of failed login attempts?
- Maximum number of concurrent sessions allowed per user account?
- Two-factor authentication?
- How to properly and efficiently implement [RBAC] Role-Based Access Control, setting permissions and privileges so that only authorized users gain access?
- Implement [EBAC] Entity-Based Access Control?
- Group user accounts?
- Protect data by filtering datasets retrieved from the database based on the user's group?
- Set a retention policy?
- Store an audit log history of changes, and at what level of detail?
All that and more should be taken into consideration when applying security controls across an enterprise application.
But let's give it a try and design a basic Role-Based Access Control model, then apply entity access permissions …
What is RBAC?
Role-Based Access Control grants permissions to roles rather than to individual users: a user is assigned one or more roles, and the roles determine which processes and data the user may access within the application system.
What is EBAC?
Entity-Based Access Control introduces entities as a primary concept; each entity is assigned permissions for operations such as READ, CREATE, UPDATE and DELETE.
Let’s begin …
The administrator assigns system roles to a group of users:
- User A is assigned ROLE_MANAGER
- User B is assigned ROLE_SUPERVISOR
- User C is assigned ROLE_USER
All these users are grouped together to form the IT Department.
Each system role has access to certain system processes:
User C holds the lowest role in the hierarchy and consequently has access to Process C only, with no access to execute Process A or Process B.
User B has access to both Process B and Process C.
User A, as MANAGER, has access to execute all three processes.
Defining entity access policies along the same hierarchy, User C should have READ and CREATE permission on Entity X.
User B, as SUPERVISOR, should have permission to READ, CREATE and UPDATE Entity X.
User A, as MANAGER, has permission to READ, CREATE, UPDATE and DELETE Entity X.
What has been achieved here is securing system processes and data from unauthorized access and manipulation, avoiding information leaks or improper modification by potentially malicious users.
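The scenario above (three roles, three processes, and per-role permissions on Entity X) as an added, self-contained Java model. This is example code written for this post, not the post's own repository code; the names Role, Process, Permission, User and the two policy maps are this example's assumptions. It needs Java 16 or newer for records.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Added example: an in-memory model of the role hierarchy and entity
// permissions described above. Type and map names are this example's own.
public class AccessPolicyExample {

    // System roles, lowest to highest in the hierarchy.
    enum Role { ROLE_USER, ROLE_SUPERVISOR, ROLE_MANAGER }

    // System processes a role may execute.
    enum Process { PROCESS_A, PROCESS_B, PROCESS_C }

    // Operations on an entity (the EBAC permissions).
    enum Permission { READ, CREATE, UPDATE, DELETE }

    // Which processes each role may execute, exactly as in the scenario.
    static final Map<Role, Set<Process>> PROCESS_ACCESS = Map.of(
        Role.ROLE_USER,       EnumSet.of(Process.PROCESS_C),
        Role.ROLE_SUPERVISOR, EnumSet.of(Process.PROCESS_B, Process.PROCESS_C),
        Role.ROLE_MANAGER,    EnumSet.allOf(Process.class)
    );

    // Which operations each role may perform on Entity X.
    static final Map<Role, Set<Permission>> ENTITY_X_ACCESS = Map.of(
        Role.ROLE_USER,       EnumSet.of(Permission.READ, Permission.CREATE),
        Role.ROLE_SUPERVISOR, EnumSet.of(Permission.READ, Permission.CREATE, Permission.UPDATE),
        Role.ROLE_MANAGER,    EnumSet.allOf(Permission.class)
    );

    record User(String name, Role role) {}

    // Deny by default: a role missing from the policy map gets nothing.
    static boolean canExecute(User user, Process process) {
        return PROCESS_ACCESS.getOrDefault(user.role(), Set.of()).contains(process);
    }

    static boolean hasPermission(User user, Permission permission) {
        return ENTITY_X_ACCESS.getOrDefault(user.role(), Set.of()).contains(permission);
    }

    // Guard to call at the top of a service method: refuse instead of
    // silently continuing when the caller lacks the permission.
    static void requirePermission(User user, Permission permission) {
        if (!hasPermission(user, permission)) {
            throw new SecurityException(user.name() + " (" + user.role()
                + ") lacks " + permission + " on Entity X");
        }
    }

    public static void main(String[] args) {
        User a = new User("User A", Role.ROLE_MANAGER);
        User b = new User("User B", Role.ROLE_SUPERVISOR);
        User c = new User("User C", Role.ROLE_USER);

        System.out.println("User C may execute Process A: " + canExecute(c, Process.PROCESS_A));
        System.out.println("User B may execute Process B: " + canExecute(b, Process.PROCESS_B));
        System.out.println("User A may execute Process A: " + canExecute(a, Process.PROCESS_A));
        System.out.println("User C may DELETE Entity X:   " + hasPermission(c, Permission.DELETE));
        System.out.println("User B may UPDATE Entity X:   " + hasPermission(b, Permission.UPDATE));

        requirePermission(a, Permission.DELETE);
        try {
            requirePermission(c, Permission.DELETE);
        } catch (SecurityException e) {
            System.out.println("Denied: " + e.getMessage());
        }
    }
}
```

The policy lives in two explicit maps rather than in `if` chains spread across the code, so the full set of what each role may do can be reviewed in one place, and `getOrDefault(..., Set.of())` makes the absence of a rule a denial rather than an accidental grant.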
A Sample Implementation
Let’s see an example of user management implemented with Java Spring MVC Framework.
There are 3 users and 2 roles, ROLE_ADMIN and ROLE_USER:
- User Admin is assigned ROLE_ADMIN
- Users A and B are assigned ROLE_USER
- Admin assigns specific permissions to user A's role
- User A creates a new Article record
- Admin retrieves the Audit Log and reviews the changes …
- User B logs in and searches Articles to view the new Article created by user A. But user A and user B belong to different groups.
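The two controls this walkthrough exercises, filtering a search by the caller's group and writing an audit entry for each action, as an added Java example. It is written for this post and is not the Spring MVC code from the repository; the in-memory lists stand in for a database, and the names ArticleServiceExample, Article, AuditEntry and the group values are this example's assumptions. It needs Java 16 or newer.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicLong;

// Added example: a service that records an audit entry on every create and
// search, and filters search results by the caller's group. In-memory lists
// replace the post's repository; names are this example's own.
public class ArticleServiceExample {

    enum Role { ROLE_ADMIN, ROLE_USER }

    record User(String name, Role role, String group) {}

    record Article(long id, String title, String createdBy, String group) {}

    record AuditEntry(Instant at, String actor, String action, String target) {}

    private final List<Article> articles = new ArrayList<>();
    private final List<AuditEntry> auditLog = new ArrayList<>();
    private final AtomicLong nextId = new AtomicLong(1);

    // Creating an article records who did it; the article is tagged with the
    // creator's group so later reads can be filtered.
    Article create(User actor, String title) {
        Article article = new Article(nextId.getAndIncrement(), title, actor.name(), actor.group());
        articles.add(article);
        auditLog.add(new AuditEntry(Instant.now(), actor.name(), "CREATE", "Article#" + article.id()));
        return article;
    }

    // Dataset filtering: a ROLE_USER sees only articles from their own group,
    // ROLE_ADMIN sees everything. The filter runs server-side in the service,
    // so a client cannot widen it by editing request parameters.
    List<Article> search(User actor, String keyword) {
        List<Article> result = new ArrayList<>();
        for (Article a : articles) {
            boolean inScope = actor.role() == Role.ROLE_ADMIN || a.group().equals(actor.group());
            if (inScope && a.title().toLowerCase().contains(keyword.toLowerCase())) {
                result.add(a);
            }
        }
        auditLog.add(new AuditEntry(Instant.now(), actor.name(), "SEARCH", "keyword=" + keyword));
        return result;
    }

    // Only an administrator may read the audit trail.
    List<AuditEntry> readAuditLog(User actor) {
        if (actor.role() != Role.ROLE_ADMIN) {
            throw new SecurityException(actor.name() + " may not read the audit log");
        }
        return List.copyOf(auditLog);
    }

    public static void main(String[] args) {
        ArticleServiceExample service = new ArticleServiceExample();
        User admin = new User("Admin", Role.ROLE_ADMIN, "it");
        User userA = new User("User A", Role.ROLE_USER, "sales");
        User userB = new User("User B", Role.ROLE_USER, "support");

        service.create(userA, "Quarterly sales figures");

        // User B belongs to another group, so this search returns nothing.
        System.out.println("User B sees: " + service.search(userB, "sales"));
        // User A sees the record they created.
        System.out.println("User A sees: " + service.search(userA, "sales"));

        // Admin reviews what happened.
        for (AuditEntry e : service.readAuditLog(admin)) {
            System.out.println(e);
        }
    }
}
```

Stamping each record with the creator's group at write time keeps the read-side filter a simple equality check, and logging searches as well as creates gives the administrator a record of who looked for what, not only of who changed what.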
Code can be found in the GitHub repository below …