Best Role-Based Access Control (RBAC) database model

Tags: Ruby on-Rails, Permissions, Roles, Access Control, RBAC

Ruby on-Rails Problem Overview


What is the best database schema to track role-based access controls for a web application?

I am using Rails, but the RBAC plugin linked by Google looks unmaintained (only 300 commits to SVN; latest was almost a year ago).

The concept is simple enough to implement from scratch, yet complex and important enough that it's worth getting right.

So how do others architect and implement their RBAC model?

Ruby on-Rails Solutions


Solution 1 - Ruby on-Rails

To my rather basic knowledge in that area, the basic actors of an RBAC are:

  • Resources.
  • Permissions.
  • Users.
  • Roles (i.e. Groups).

Resources <- require -> (one or many) Permissions.

Roles <- are collections of -> (one or many) Permissions.

Users <- can have -> (one or many) Roles.

The tables for such a model would be:

  • permission
  • role
  • user
  • role_permission
  • user_role

Now you might want to include resources here as well if you want users of your application to be able to configure which permissions a resource needs. But I never needed that. Hope that helps.
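The five-table model described in this answer, written out as an added example (not code from the answer) in Ruby with the tables as in-memory rows, including the optional resource-to-permission table mentioned at the end; the column names, sample rows and resource keys are assumptions, and the check denies by default for unknown users and resources:

```ruby
require 'set'

# Constructed sample rows for the five tables; column names are assumptions.
PERMISSIONS = [
  { id: 1, name: 'article.read' },
  { id: 2, name: 'article.write' },
  { id: 3, name: 'user.manage' }
].freeze
ROLES = [
  { id: 1, name: 'reader' },
  { id: 2, name: 'editor' },
  { id: 3, name: 'admin' }
].freeze
USERS = [{ id: 1, login: 'alice' }, { id: 2, login: 'bob' }].freeze
ROLE_PERMISSION = [                    # role -> permissions it grants
  { role_id: 1, permission_id: 1 },
  { role_id: 2, permission_id: 1 }, { role_id: 2, permission_id: 2 },
  { role_id: 3, permission_id: 3 }
].freeze
USER_ROLE = [                          # user -> roles held
  { user_id: 1, role_id: 2 },          # alice is an editor
  { user_id: 2, role_id: 1 }           # bob is a reader
].freeze
# Optional resource table the answer mentions: permissions a resource requires.
RESOURCE_PERMISSION = {
  'article:42/edit' => %w[article.read article.write],
  'admin/users'     => %w[user.manage]
}.freeze

# Every permission name a user holds through all roles assigned to them.
def effective_permissions(user_id)
  role_ids = USER_ROLE.select { |r| r[:user_id] == user_id }.map { |r| r[:role_id] }
  perm_ids = ROLE_PERMISSION.select { |rp| role_ids.include?(rp[:role_id]) }
                            .map { |rp| rp[:permission_id] }
  PERMISSIONS.select { |p| perm_ids.include?(p[:id]) }.map { |p| p[:name] }.to_set
end

# A resource is allowed only when the user holds *all* permissions it
# requires; unknown resources and unknown users are denied by default.
def authorized?(user_id, resource)
  required = RESOURCE_PERMISSION[resource]
  return false if required.nil? || required.empty?
  required.to_set.subset?(effective_permissions(user_id))
end
```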

Solution 2 - Ruby on-Rails

Here is a simple diagram to illustrate Amr Mostafa's excellent answer:

[diagram image not reproduced in text]

Solution 3 - Ruby on-Rails

I happen to be working on the RBAC sub-system here at work at the moment... what a coincidence.

My model is based on the building blocks of the different entities in the system that require permissions, be they attributes to view/update or actions to perform. There are also, of course, different roles in the system (which can be given to users), and the glue that holds the whole thing together is the access rule, which connects a specific role, a specific permission-needing entity and the permission granted. An access rule might look like these:

rule 14: guest role + page name + read permission
rule 46: approver role + add column + execute permission

and so on. I'll leave the ERD as an exercise for the reader ;-) If you have questions, leave a comment.

Yuval =8-)

Solution 4 - Ruby on-Rails

Solution 5 - Ruby on-Rails

I think the answer to your question goes as deep as you wish to go. If you happen to think about putting roles into groups and then associating groups with users, that wouldn't be enough. Eventually you'll need to give specific permissions to a user on a specific object (a forum, a video etc.).

I'm closer to Yuval's answer: all we need is to associate project-wide objects + actions + users. To provide this, a base object (Entity) makes perfect sense. Any object inheriting from Entity can be easily associated with a user + action this way.

As you also wish to keep things simple, my suggestion would be:

  • Any object subject to RBAC restrictions should derive from a base Entity.
  • There should be a list of roles, which are one-to-one related with an Entity.
  • There should be a list of relations between users and roles.

To take things one step further, I would also recommend the following (for an automated RBAC):

  • I use service-based access to my objects. That is, I create repositories of objects (which do the db access for me) and I access repositories via service functions.
  • I use a custom attribute at the beginning of every service function. This defines the required role to access that function.
  • I use the User parameter to access all my service functions, and each service function does a role check before executing itself. Reflection helps me to understand which function I call, and what kind of role it has (via custom attributes).
  • I also run an initializer on my application startup, and it checks all the functions (and their attributes) and sees if I added a new required role. If there's a role I just added that doesn't appear to be in the db, it creates it in the db.

But alas, that's just available for .NET; as far as I know, Java doesn't have custom attributes, so that's not yet likely to be available for Java.

I'd like to come up with some code examples but I'm too lazy to do that. Still if you have questions about my way of rbac; you can ask here and I'll surely reply.
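The "attribute on the service function + role check before it executes + startup scan of declared roles" pattern from this answer, as an added example (not the answer's own code, which is .NET) carried over to Ruby: a class-level `requires_role` declaration stands in for the custom attribute, and Ruby's `method_added` hook wraps each service function with the check; `ServiceBase`, `OrderService`, `User` and `AccessDenied` are assumed names.

```ruby
require 'set'

class AccessDenied < StandardError; end
User = Struct.new(:login, :roles) # hypothetical user record: login + assigned roles

class ServiceBase
  # method name -> role required to call it (stands in for the .NET attribute)
  def self.required_roles; @required_roles ||= {}; end

  # Declare the role required by the next service function defined.
  def self.requires_role(role); @pending_role = role; end

  # Ruby hook fired after every `def`: wrap the method so the role check
  # runs before the body and cannot be forgotten at a call site.
  def self.method_added(name)
    return super unless @pending_role
    role, @pending_role = @pending_role, nil
    required_roles[name] = role
    original = instance_method(name)
    define_method(name) do |user, *args|
      unless user && user.roles.include?(role)
        raise AccessDenied, "#{name} requires role #{role}"
      end
      original.bind(self).call(user, *args)
    end
    super
  end

  def self.inherited(sub); (@services ||= []) << sub; super; end

  # Startup step from the answer: every role referenced by any service,
  # so roles missing from the roles table can be created.
  def self.declared_roles
    (@services || []).flat_map { |c| c.required_roles.values }.to_set
  end
end

class OrderService < ServiceBase
  requires_role :approver
  def approve(user, order_id)
    "order #{order_id} approved by #{user.login}"
  end

  requires_role :clerk
  def create(user, order_id)
    "order #{order_id} created by #{user.login}"
  end
end
```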

Solution 6 - Ruby on-Rails

Role Requirement works with Restful Authentication very well to provide role-based auth functions and is well-maintained.

Solution 7 - Ruby on-Rails

Try https://github.com/ThoughtWorksStudios/piece, it is a rule engine for you to manage user role-based access control:

  1. Define access control rules
  2. Combine rules to construct new rules

You can find a full Rails application example here: https://github.com/xli/piece-blog

Solution 8 - Ruby on-Rails

For .net applications you should look at something like Visual Guard http://www.visual-guard.com/ to avoid having to handle permissions and roles from scratch.

Also for .net, you have the membership and role providers and authorisation handled with configuration. http://www.odetocode.com/Articles/427.aspx

Solution 9 - Ruby on-Rails

I really like this blog post: https://content.pivotal.io/blog/access-control-permissions-in-rails

EDIT:

It seems that ryanb of railscasts thought along the same lines and created a gem called cancan https://github.com/ryanb/cancan using a basic technique similar to the Pivotal Labs post.

Solution 10 - Ruby on-Rails

Introduction to RBAC:

A role-based access control system is a method of restricting access to 'some sources or applications or some features of applications' based on the roles of the users of an organization.

Here, restrictions can be by means of multiple permissions, which are created by an administrator to restrict access, and these permissions collectively represent a role, which will be assigned to a user.

And if we go slightly deeper into RBAC, it basically contains 3 features.

  1. Authentication - It confirms the user's identity. Usually it is done via user accounts and passwords or credentials.

  2. Authorization - It defines what a user can and cannot do in an application. Ex. ‘Modifying order’ is allowed but ‘creating new order’ is not allowed.

  3. Auditing of user actions on applications - It keeps track of users' actions on applications, as well as who has granted which access to which users.

This was a very basic top-level picture of an RBAC system.

The basic structure of an RBAC system can contain the following components: Users, Roles, Permissions or restrictions, Resources.

  • Permissions or restrictions – permissions represent access to an application’s resource.
  • Role – It contains a collection of permissions.
  • User – Single or multiple roles are assigned to a user, so eventually the user holds permissions by means of roles.

In addition to this, you can also have a collection of users – called groups – and a role can be assigned to groups, if you want to support complex scenarios. So, this was very basic information about the RBAC structure.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type               | Original Author | Original Content on Stackoverflow
---------------------------|-----------------|----------------------------------
Question                   | JasonSmith      | View Question on Stackoverflow
Solution 1 - Ruby on-Rails | Amr Mostafa     | View Answer on Stackoverflow
Solution 2 - Ruby on-Rails | Hanxue          | View Answer on Stackoverflow
Solution 3 - Ruby on-Rails | Yuval           | View Answer on Stackoverflow
Solution 4 - Ruby on-Rails | IDBD            | View Answer on Stackoverflow
Solution 5 - Ruby on-Rails | detay           | View Answer on Stackoverflow
Solution 6 - Ruby on-Rails | Yardboy         | View Answer on Stackoverflow
Solution 7 - Ruby on-Rails | Xiao Li         | View Answer on Stackoverflow
Solution 8 - Ruby on-Rails | Keith Patton    | View Answer on Stackoverflow
Solution 9 - Ruby on-Rails | bluekeys        | View Answer on Stackoverflow
Solution 10 - Ruby on-Rails | Kunal Khatri   | View Answer on Stackoverflow