Quick Summary
This article is an introduction to, and exploration of, the various types of Access Control solutions for a web application, including the backend strategy and the frontend handling.
It is not a tutorial post. We briefly touch on the available options and solutions and some best practices. You can use AI to help with the implementation of a specific solution.
What is Access Control?
In summary, Access Control is a security process or framework for your application that lets you control which users can access and operate on which resources.
There are more detailed resources available on the basics of Access Control. For instance, OSO (an access control solution provider) provides some good knowledge resources, which can be found here. There are many other blogs, as well as YouTube videos, available.
History of Access Control in Software
The history of Access Control systems goes back to the 60s and 70s, when it was mainly developed and used by OS developers to manage access to data and files, with Discretionary Access Control (DAC) being used in UNIX and Windows.
Then came Mandatory Access Control (MAC), initially used by the US military and government. It later became more mainstream and was adopted to build security tools and applications in Linux, macOS and Windows.
Role-Based Access Control (RBAC), a more familiar name, came along in the early 90s. RBAC is still around and is the most basic/standard type of access control system. In RBAC, we have predefined roles that can be assigned to users, and the access permissions are attached to the roles. More about the history of RBAC here.
Read more about the origins of these access control models here.
Types of Access Control
Keep in mind that these are just methods, not a programming language or a feature. This means that if someone creates a new variation of access control and names it, it would become a new type.
In the context of Web Applications, here are the main types of access control models:
RBAC - Role Based Access Control
ABAC - Attribute Based Access Control
PBAC - Policy Based Access Control
To make things easier, I have listed only the most popular and commonly used types. One of these, or a combination, will likely suit your needs.
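To make the difference between the three models concrete, here is an added example in plain JavaScript (not code from the article or from any library it mentions). Each model is written as a `can`-style function over constructed sample users and documents: RBAC looks permissions up by role, ABAC evaluates a predicate over user, resource and context attributes, and PBAC evaluates declarative rules held in data. The permission names, the `${user.id}` placeholder syntax and the attributes used are all assumptions made for the example.

```javascript
// Added example, not from the article: RBAC, ABAC and PBAC side by side.
// Users, roles, documents and permission names are constructed sample data.

// --- RBAC: permissions hang off predefined roles; users are assigned roles. ---
const ROLE_PERMISSIONS = {
  viewer: new Set(["document:read"]),
  editor: new Set(["document:read", "document:update"]),
  admin: new Set(["document:read", "document:update", "document:delete"]),
};

// Union of permissions across all of the user's roles; unknown roles grant nothing.
function rbacCan(user, action) {
  return user.roles.some((role) => (ROLE_PERMISSIONS[role] ?? new Set()).has(action));
}

// --- ABAC: the decision is a predicate over attributes of user, resource and context. ---
function abacCan(user, action, resource, context = {}) {
  switch (action) {
    case "document:read":
      // Readable when public, or when user and document share a department.
      return resource.public === true || resource.department === user.department;
    case "document:update":
      // Only the owner, and only while the (context attribute) business-hours flag is set.
      return resource.ownerId === user.id && context.businessHours === true;
    case "document:delete":
      // Owner with a sufficiently high clearance attribute.
      return resource.ownerId === user.id && user.clearance >= 3;
    default:
      return false; // deny by default for actions the predicate does not know
  }
}

// --- PBAC: rules live in data (policy as code) and a generic engine evaluates them. ---
// A rule grants `actions` on `subject` when every `when` field matches the resource;
// a value written as "${user.<field>}" is substituted from the requesting user.
const POLICY = [
  { subject: "document", actions: ["read"], when: { public: true } },
  { subject: "document", actions: ["read", "update"], when: { ownerId: "${user.id}" } },
  { subject: "document", actions: ["delete"], when: { ownerId: "${user.id}" }, requireRole: "admin" },
];

function resolve(value, user) {
  if (typeof value === "string" && value.startsWith("${user.")) {
    return user[value.slice("${user.".length, -1)];
  }
  return value;
}

function pbacCan(user, action, resource) {
  const [subject, verb] = action.split(":");
  return POLICY.some(
    (rule) =>
      rule.subject === subject &&
      rule.actions.includes(verb) &&
      (!rule.requireRole || user.roles.includes(rule.requireRole)) &&
      Object.entries(rule.when).every(([field, value]) => resource[field] === resolve(value, user))
  );
}
```

Note how the three functions answer the same question with different inputs: RBAC needs only the user's roles, ABAC needs the resource and a context, and PBAC needs the policy document, which is why PBAC is the one that can be changed without redeploying the code that calls it.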
Best Practices and Patterns
Here are some best practices, standards and patterns to make sure the access control system is implemented properly:
Centralised authorisation layer - access-related logic should not be scattered around the codebase but maintained in a dedicated authorisation layer
Principle of Least Privilege - users must have only the minimum required permissions
Deny by default - no access unless explicitly granted
Server-side enforcement - never rely on client code (JS, HTML) to protect resources
Access logs - track and review access events for anomalies
Separation of duties - prevent single roles from having excessive combined powers
Policy as code - manage authorization logic declaratively, versioned, and testable
Short-lived tokens / sessions - reduce the window for misuse
Consistency - ensure frontend reflects backend authorisation rules
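Several of these practices fit together in one small backend authorisation layer. The following is an added example in plain JavaScript (not code from the article or from any project it mentions): a single `authorize()` function that every request handler calls, policy held as versioned data, deny by default for anything the policy does not mention, an access log that can be reviewed for anomalies, and a separation-of-duties check applied when roles are assigned. The expense-approval scenario, role names and field names are constructed for the example.

```javascript
// Added example, not from the article: a centralised authorisation layer that applies
// policy as code, deny by default, access logging and separation of duties.
// The expense workflow, roles and fields are constructed sample data.

// Policy as code: declarative, versioned alongside the code, unit-testable.
const POLICY = {
  version: 3,
  rules: [
    { role: "requester", action: "expense:create" },
    { role: "requester", action: "expense:read", condition: (u, r) => r.ownerId === u.id },
    { role: "approver", action: "expense:read" },
    // An approver may never approve their own expense.
    { role: "approver", action: "expense:approve", condition: (u, r) => r.ownerId !== u.id },
    { role: "auditor", action: "expense:read" },
  ],
  // Separation of duties: pairs of roles no single user may hold at the same time.
  conflictingRoles: [["requester", "approver"]],
};

// Access log: one entry per decision, allowed or denied, tagged with the policy version.
const accessLog = [];

// The only place in the code base that decides access. Every handler goes through it.
function authorize(user, action, resource) {
  const matched = POLICY.rules.some(
    (rule) =>
      user.roles.includes(rule.role) &&
      rule.action === action &&
      (rule.condition ? rule.condition(user, resource) : true)
  );
  const allowed = matched === true; // deny by default: no matching rule means no access
  accessLog.push({
    userId: user.id,
    action,
    resourceId: resource?.id ?? null,
    allowed,
    policyVersion: POLICY.version,
  });
  return allowed;
}

// Separation of duties is enforced where roles are assigned, not only at request time.
function assignRoles(user, roles) {
  for (const [a, b] of POLICY.conflictingRoles) {
    if (roles.includes(a) && roles.includes(b)) {
      throw new Error(`separation of duties: ${a} and ${b} cannot be held by the same user`);
    }
  }
  return { ...user, roles: [...roles] };
}

// Server-side enforcement: the handler calls authorize() no matter what the UI displayed.
function handleApprove(user, expense) {
  if (!authorize(user, "expense:approve", expense)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: { ...expense, approved: true, approvedBy: user.id } };
}

// Reviewing the log: count denials per user, a simple signal for probing or misconfiguration.
function deniedCounts(log) {
  const counts = {};
  for (const entry of log) {
    if (!entry.allowed) counts[entry.userId] = (counts[entry.userId] ?? 0) + 1;
  }
  return counts;
}
```

Because `authorize()` is the single decision point, a policy change is one edit to `POLICY.rules` and one version bump; handlers such as `handleApprove()` do not change, and the log records which policy version produced each decision.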
Handling Permissions in the Frontend
Most of the heavy lifting around access control is relevant and possible only in the backend, but when it comes to the frontend we have to make sure to update the app to:
Maintain good UX
Avoid unnecessary exposure and access attempts - displaying only relevant options to every user
Make sure access to any static information is managed accordingly
What are the essentials to handle in the frontend?
Show/hide options to the user based on their role and permissions
Receive and store roles and permissions from the backend
Handle the permissions in the code
Here are some of the questions we can ask to find an optimal frontend solution:
- How could we receive roles and permissions details from the backend?
  - Is there a config API to add these details to, or can we include them in the auth API?
  - Do we need a dedicated API for roles and permissions?
  - Can we cache this API response?
  - How do we make sure that we have the latest details whenever the backend is updated?
- How do we handle permissions in the UI code?
  - What is the best way to separate the access logic from the UI? (Based on the frontend framework)
  - How best can we make sure that it is scalable? (While making minimal or no changes to UI code)
- What is the technical debt?
  - Does the solution require deep integration?
  - Does it depend on a particular backend structure?
After this, you would have a better idea of what to implement in the frontend, and how, to reflect the backend rules and permissions. To keep things straightforward, here is a standard, scalable and high-quality solution, CASL, that takes care of all the things we've discussed above and more.
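To show what answers to the questions above can look like in code, here is an added example in plain JavaScript. It is not the CASL library and not code from the article; it only borrows CASL's idea of shipping serialisable rules from the backend so the UI never re-implements policy. The `permissionsVersion` field, the rule shape (`action`, `subject`, `conditions`, `inverted`) and the sample auth payload are assumptions made for the example. It demonstrates receiving rules with the auth response, caching them with a version so they are refreshed only when the backend changes, and keeping the access logic in one store that UI code queries through `can()`.

```javascript
// Added example, not from the article and not CASL: a frontend permission store.
// The auth payload below is constructed sample data; its shape is an assumption.
const SAMPLE_AUTH_RESPONSE = {
  user: { id: "u1", roles: ["editor"] },
  permissionsVersion: "2024-05-01T10:00:00Z", // assumed field: changes when backend policy changes
  rules: [
    { action: "read", subject: "Article" },
    { action: "update", subject: "Article", conditions: { authorId: "u1" } },
    { action: "manage", subject: "Comment", inverted: true }, // explicit deny on a whole subject
  ],
};

// The store is the single place in the frontend that knows about permissions.
// `storage` stands in for localStorage/sessionStorage; a Map keeps the example offline.
function createPermissionStore(storage = new Map()) {
  let rules = [];
  let version = null;

  // Accept a payload from the auth (or a dedicated permissions) API.
  // Returns true when rules were replaced, false when the cached version is still current.
  function load(payload) {
    if (payload.permissionsVersion === version) return false;
    rules = payload.rules;
    version = payload.permissionsVersion;
    storage.set("permissions", JSON.stringify({ version, rules }));
    return true;
  }

  // Rehydrate from cache on page load, before the next auth round trip.
  function restore() {
    const cached = storage.get("permissions");
    if (!cached) return false;
    ({ version, rules } = JSON.parse(cached));
    return true;
  }

  function matches(rule, action, subject, instance) {
    if (rule.subject !== subject) return false;
    if (rule.action !== action && rule.action !== "manage") return false;
    if (!rule.conditions) return true;
    if (!instance) return false; // a conditional rule cannot be decided without an instance
    return Object.entries(rule.conditions).every(([k, v]) => instance[k] === v);
  }

  // Deny by default; an inverted (deny) rule wins over any allow rule.
  function can(action, subject, instance) {
    const hits = rules.filter((r) => matches(r, action, subject, instance));
    if (hits.some((r) => r.inverted)) return false;
    return hits.some((r) => !r.inverted);
  }

  return { load, restore, can, get version() { return version; } };
}

// UI code asks the store which actions to render; it never inspects roles directly,
// so a policy change on the backend needs no component changes.
function articleActions(store, article) {
  return ["read", "update", "delete"].filter((a) => store.can(a, "Article", article));
}
```

The show/hide decision in `articleActions()` is purely cosmetic: the same rules are enforced again on the server, and the version check in `load()` is what keeps the frontend consistent with the backend without a dedicated refresh mechanism.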
💡 Pro tip: Just like you should not go coding your own state management in React thinking that React Context = Redux, you should not go writing an access control solution from scratch unless you really know what you're doing and understand everything about it.
Conclusion
The optimal access control solution for your application depends on its requirements and other conditions; it could be a basic model or a combination of different models. This article focused on the basics of access control and explored the possibilities, as well as some important principles and best practices.