The latest articles on DEV Community by SANDESH PATANKAR (@sandesh_patankar). https://dev.to/sandesh_patankar https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3162628%2F85ad8d77-4199-488c-926c-0d2aaf3a4463.png https://dev.to/sandesh_patankar en SANDESH PATANKAR Wed, 14 May 2025 12:59:04 +0000 https://dev.to/sandesh_patankar/access-control-kma https://dev.to/sandesh_patankar/access-control-kma <p><strong>Introduction to Access Control</strong><br> Access control is a corner-stone of modern security frameworks. <br> It ensures that only authorized users can access specific resources within an organization.<br> By combining authentication (verifying identity) and authorization (granting permissions), <br> access control systems safeguard sensitive data and critical operations.</p> <p>Authentication methods include usernames, passwords, security tokens, and even multi-factor authentication (MFA). <br> Authorization, on the other hand, assigns appropriate permissions to authenticated users based on predefined rules.</p> <p><strong>Key Concepts of Access Control</strong></p> <p>Access control has three main models:<br> Role-Based Access Control (RBAC)<br> Access is tied to organizational roles.<br> Efficient for structured organizations.<br> Pros: Simplifies permission management.<br> Cons: Challenging to manage for evolving organizations.</p> <p>Attribute-Based Access Control (ABAC)<br> Access decisions are based on attributes (user, resource, environment).<br> Pros: Granular and flexible security policies.<br> Cons: Requires significant effort to implement and maintain.</p> <p>Policy-Based Access Control (PBAC)<br> Access is determined by organizational policies.<br> Reactive to policy changes and compliance requirements.<br> Pros: Granular security, compliance-friendly.<br> Cons: Time-consuming to define and manage policies.</p> <p>We chose ABAC for the HRMS Web Application for our Organization.<br> While developing an HRMS web app for our organization, we opted for Attribute-Based Access Control (ABAC) <br> because of its flexibility and adaptability. ABAC allowed us to implement dynamic and granular policies <br> based on user roles, department, resource type, and environmental factors like time and location.</p> <p><strong>Technology Stack</strong><br> We are building the HRMS using:<br> Frontend: React with TypeScript for a robust, type-safe user interface.<br> Backend: ASP.NET Core 8 for scalable and high-performance API development.<br> Database: MySQL to handle structured relational data efficiently.</p> <p>ABAC Implementation: Step-by-Step Flow<br> User Login:<br> Authentication:<br> User submits credentials (e.g., username and password) via a login form.<br> Frontend sends an authentication request to the backend API, during authentication process in backend,<br> Backend validates the user credentials against the database. </p> <p>Authorization:<br> Only authenticated user is sent for an authorization along with it's attributes (e.g. role, department, location).<br> again it validates the user attributes against the database. </p> <p>Secure API Calls:<br> All API requests include the jwt token to validate the user and enforce attribute-based policies on the backend.</p> <p>Policy Enforcement:<br> Middleware intercepts API requests and extracts the token.<br> Attributes in the token are matched against resource requirements using predefined ABAC policies.</p> <p>Decision Making:<br> Requests are permitted or denied based on the attribute evaluation.<br> Example: A request to delete an employee record is allowed only if the user is in the HR department and the action occurs during work hours.</p> <p>Upon successful login, the backend returns Logged in user's data along with specific rights, permissions and token (JWT) .<br> user's data is stored securely in state management (e.g., Redux or Context API).</p> <p>Dynamic UI Rendering:<br> Components, Menus, Buttons and features are conditionally rendered based on user rights and permissions.<br> Example: Only HR personnel can view sensitive payroll data.</p> <p>Database:<br> Storing Attributes:<br> User attributes (e.g.id, role, department) are stored in relational tables.<br> User Permissions (e.g.List of Rights and Permissions) are also stored in relational tables.<br> Resource attributes (e.g. Paths, file type, Access level) are also managed here.</p> <p>Querying for Policies:<br> Dynamic queries are built to fetch relevant policies based on user and resource attributes.</p> <p>Key Benefits of ABAC in HRMS<br> Granularity: Fine-tuned access control policies ensure that users access only what is necessary.<br> Flexibility: Policies adapt dynamically to changing requirements, such as promotions or department transfers.<br> Security: Combines user, resource, and contextual attributes to provide robust security.<br> Challenges and Lessons Learned<br> Complexity: Designing ABAC policies for diverse organizational roles required thorough planning.<br> Performance: Attribute-based evaluation added slight overhead, which was mitigated using efficient indexing and caching.<br> Maintenance: Regular updates to policies and attributes are essential to reflect organizational changes.</p> <p>Conclusion<br> ABAC proved to be an invaluable access control strategy for our HRMS project. Its adaptability, <br> combined with the powerful React-ASP.NET-MySQL stack, ensured a secure, user-friendly, and scalable solution. <br> While implementation demands initial effort, the long-term benefits of granular and context-aware access control outweigh the challenges.</p> <p>Would love to hear your thoughts and experiences with access control! Share them in the comments below.</p> programming security