Access Control: Organisation-based Access control
Gautier DI FOLCO, December 24, 2023 [dev] #haskell #access control #security #draft concepts

Last time we looked at GBAC, probably the most complex access control scheme; let's go a little simpler.
Organisation-based Access Control (OrBAC) is a scheme based on the distinction between the security policy and its implementation. It's a mix between ACL and RBAC.

On one hand, there is the security policy, defined in terms of `Role`, `Activity`, and `View` (the target). On the other hand, there is the implementation, based on `Subject`, `Action`, and `Object`. Finally, you have a contextualized mapping between `Role` and `Subject`, between `Activity` and `Action`, and between `View` and `Object`, so that a concrete request can be translated into policy terms before the policy is consulted.
Let's formally define it:
```haskell
{-# LANGUAGE DerivingStrategies, OverloadedRecordDot #-}
import qualified Data.Map as Map
import qualified Data.Set as Set
import Data.Maybe (fromMaybe)

-- Implementation side: each concrete element is mapped to its policy counterpart
data OrganizationMapping subject role' action activity object view = OrganizationMapping
  { subjects :: Map.Map subject role',
    actions :: Map.Map action activity,
    objects :: Map.Map object view
  }
  deriving stock (Show, Eq)

-- Policy side: role -> activity -> permitted views
type OrBacRules role' activity view = Map.Map role' (Map.Map activity (Set.Set view))

-- 'canAcl' is the ACL check from the earlier post in this series; anything
-- missing from the mapping yields Nothing, hence a denial
canOrBac :: (Ord subject, Ord action, Ord object, Ord role', Ord activity, Ord view) =>
  OrBacRules role' activity view -> OrganizationMapping subject role' action activity object view -> subject -> action -> object -> Bool
canOrBac rules mapping subject action object =
  fromMaybe False $
    canAcl rules
      <$> Map.lookup subject mapping.subjects
      <*> Map.lookup action mapping.actions
      <*> Map.lookup object mapping.objects
```
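A worked scenario for these definitions, added here as an example rather than taken from the post: the roles, activities, views, the `canAcl` check (written for the nested-map shape the policy uses) and the sample organisation are all constructed for this example. It shows the same `canOrBac` deciding requests for mapped and unmapped subjects and actions, the latter being denied by `fromMaybe False` instead of failing.

```haskell
{-# LANGUAGE DerivingStrategies, OverloadedRecordDot #-}
import qualified Data.Map as Map
import qualified Data.Set as Set
import Data.Maybe (fromMaybe)

-- Policy side: abstract roles, activities and views (names constructed for this example)
data Role = Clerk | Accountant deriving stock (Show, Eq, Ord)
data Activity = Consult | Modify deriving stock (Show, Eq, Ord)
data View = Invoices | Ledger deriving stock (Show, Eq, Ord)
type OrBacRules role' activity view = Map.Map role' (Map.Map activity (Set.Set view))

-- Implementation side: concrete users, HTTP verbs and paths, each mapped to its policy counterpart
data OrganizationMapping subject role' action activity object view = OrganizationMapping
  { subjects :: Map.Map subject role',
    actions :: Map.Map action activity,
    objects :: Map.Map object view
  }
  deriving stock (Show, Eq)

-- ACL-style check on the policy; a missing level in the nested maps means "not permitted"
canAcl :: (Ord r, Ord a, Ord v) => Map.Map r (Map.Map a (Set.Set v)) -> r -> a -> v -> Bool
canAcl rules r a v = maybe False (Set.member v) (Map.lookup r rules >>= Map.lookup a)

-- Translate the concrete triple into policy terms, then consult the policy;
-- any subject, action or object absent from the mapping yields Nothing, hence a denial
canOrBac :: (Ord s, Ord a, Ord o, Ord r, Ord act, Ord v) =>
  OrBacRules r act v -> OrganizationMapping s r a act o v -> s -> a -> o -> Bool
canOrBac rules mapping subject action object =
  fromMaybe False $
    canAcl rules
      <$> Map.lookup subject mapping.subjects
      <*> Map.lookup action mapping.actions
      <*> Map.lookup object mapping.objects

-- Policy: clerks only consult invoices; accountants consult and modify both views
policy :: OrBacRules Role Activity View
policy = Map.fromList
  [ (Clerk, Map.fromList [(Consult, Set.fromList [Invoices])]),
    (Accountant, Map.fromList [ (Consult, Set.fromList [Invoices, Ledger]),
                                (Modify, Set.fromList [Invoices, Ledger]) ]) ]

-- One organisation's contextual mapping; "mallory" and "DELETE" are deliberately left unmapped
orgMapping :: OrganizationMapping String Role String Activity String View
orgMapping = OrganizationMapping
  { subjects = Map.fromList [("alice", Clerk), ("bob", Accountant)],
    actions = Map.fromList [("GET", Consult), ("PUT", Modify)],
    objects = Map.fromList [("/invoices/42", Invoices), ("/ledger", Ledger)] }

main :: IO ()
main = mapM_ (\(s, a, o) -> print (s, a, o, canOrBac policy orgMapping s a o))
  [ ("alice", "GET", "/invoices/42"), ("alice", "PUT", "/invoices/42"), ("bob", "PUT", "/ledger"),
    ("mallory", "GET", "/invoices/42"), ("bob", "DELETE", "/ledger") ]
```

Requires GHC 9.2 or later for `OverloadedRecordDot`; the policy and mapping stay separately editable, which is the point of the scheme.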