SANDESH PATANKAR
Access Control

Introduction to Access Control
Access control is a cornerstone of modern security frameworks.
It ensures that only authorized users can access specific resources within an organization.
By combining authentication (verifying identity) and authorization (granting permissions),
access control systems safeguard sensitive data and critical operations.

Authentication methods include username-and-password credentials, security tokens, and multi-factor authentication (MFA).
Authorization, on the other hand, assigns appropriate permissions to authenticated users based on predefined rules.

Key Concepts of Access Control

Access control has three main models:
Role-Based Access Control (RBAC)
Access is tied to organizational roles.
Efficient for structured organizations.
Pros: Simplifies permission management.
Cons: Challenging to manage for evolving organizations.

Attribute-Based Access Control (ABAC)
Access decisions are based on attributes (user, resource, environment).
Pros: Granular and flexible security policies.
Cons: Requires significant effort to implement and maintain.

Policy-Based Access Control (PBAC)
Access is determined by organizational policies.
Reactive to policy changes and compliance requirements.
Pros: Granular security, compliance-friendly.
Cons: Time-consuming to define and manage policies.

Why we chose ABAC for our organization's HRMS web application
While developing an HRMS web app for our organization, we opted for Attribute-Based Access Control (ABAC)
because of its flexibility and adaptability. ABAC allowed us to implement dynamic and granular policies
based on user roles, department, resource type, and environmental factors such as time and location.

Technology Stack
We are building the HRMS using:
Frontend: React with TypeScript for a robust, type-safe user interface.
Backend: ASP.NET Core 8 for scalable and high-performance API development.
Database: MySQL to handle structured relational data efficiently.

ABAC Implementation: Step-by-Step Flow
User Login:
Authentication:
The user submits credentials (e.g., username and password) via a login form.
The frontend sends an authentication request to the backend API, which validates the credentials against the database.

Authorization:
Only an authenticated user proceeds to authorization, together with its attributes (e.g., role, department, location),
which the backend again validates against the database.

Secure API Calls:
All API requests include the JWT so the backend can validate the user and enforce attribute-based policies.

Policy Enforcement:
Middleware intercepts API requests and extracts the token.
Attributes in the token are matched against resource requirements using predefined ABAC policies.

Decision Making:
Requests are permitted or denied based on the attribute evaluation.
Example: A request to delete an employee record is allowed only if the user is in the HR department and the action occurs during work hours.

Upon successful login, the backend returns the logged-in user's data along with their specific rights, permissions and a token (JWT).
The user's data is stored securely in state management (e.g., Redux or Context API).

Dynamic UI Rendering:
Components, Menus, Buttons and features are conditionally rendered based on user rights and permissions.
Example: Only HR personnel can view sensitive payroll data.

Database:
Storing Attributes:
User attributes (e.g., id, role, department) are stored in relational tables.
User permissions (e.g., the list of rights and permissions) are also stored in relational tables.
Resource attributes (e.g., paths, file type, access level) are also managed here.

Querying for Policies:
Dynamic queries are built to fetch relevant policies based on user and resource attributes.
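As an added example (not code from the HRMS project described in this post), here is how the Policy Enforcement and Decision Making steps above can be expressed with ASP.NET Core 8's built-in authorization pipeline: the "HR department during work hours" rule becomes a requirement plus a handler that reads attributes from the validated JWT. The claim name department, the policy name DeleteEmployeeRecord and the 09:00 to 18:00 window are assumptions, and JWT bearer authentication is assumed to be configured elsewhere.

```csharp
// Assumes the .NET 8 web template defaults (ImplicitUsings and Nullable enabled).
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// builder.Services.AddAuthentication().AddJwtBearer(...) is configured elsewhere (omitted here).
builder.Services.AddSingleton(TimeProvider.System);   // real clock; tests can inject a fake
builder.Services.AddSingleton<IAuthorizationHandler, DepartmentDuringWorkHoursHandler>();
builder.Services.AddAuthorization(options =>
    options.AddPolicy("DeleteEmployeeRecord", policy => policy
        .RequireAuthenticatedUser()
        .AddRequirements(new DepartmentDuringWorkHoursRequirement(
            "HR", new TimeOnly(9, 0), new TimeOnly(18, 0)))));

var app = builder.Build();
app.UseAuthentication();   // validates the JWT and populates HttpContext.User
app.UseAuthorization();    // runs the registered handlers for [Authorize(Policy = ...)]
app.MapControllers();      // e.g. [HttpDelete("{id}")] [Authorize(Policy = "DeleteEmployeeRecord")]
app.Run();

// Requirement: the caller must belong to the given department and the request
// must arrive inside the [Start, End) window of server local time.
public sealed record DepartmentDuringWorkHoursRequirement(
    string Department, TimeOnly Start, TimeOnly End) : IAuthorizationRequirement;

// Handler: matches attributes carried as JWT claims against the requirement.
public sealed class DepartmentDuringWorkHoursHandler(TimeProvider clock)
    : AuthorizationHandler<DepartmentDuringWorkHoursRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, DepartmentDuringWorkHoursRequirement requirement)
    {
        // "department" is an assumed claim name issued at login.
        string? department = context.User.FindFirst("department")?.Value;
        TimeOnly now = TimeOnly.FromDateTime(clock.GetLocalNow().DateTime);

        bool inDepartment = string.Equals(department, requirement.Department,
                                          StringComparison.OrdinalIgnoreCase);
        bool inWorkHours = now >= requirement.Start && now < requirement.End;

        // Mark success only; an unmet requirement already yields 403 Forbidden.
        if (inDepartment && inWorkHours)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
```

Because the handler only ever calls Succeed, a request outside the window or from another department is rejected by the authorization middleware itself, so the UI-level hiding described under Dynamic UI Rendering is a convenience rather than the enforcement point.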

Key Benefits of ABAC in HRMS
Granularity: Fine-tuned access control policies ensure that users access only what is necessary.
Flexibility: Policies adapt dynamically to changing requirements, such as promotions or department transfers.
Security: Combines user, resource, and contextual attributes to provide robust security.

Challenges and Lessons Learned
Complexity: Designing ABAC policies for diverse organizational roles required thorough planning.
Performance: Attribute-based evaluation added slight overhead, which was mitigated using efficient indexing and caching.
Maintenance: Regular updates to policies and attributes are essential to reflect organizational changes.

Conclusion
ABAC proved to be an invaluable access control strategy for our HRMS project. Its adaptability,
combined with the powerful React-ASP.NET-MySQL stack, ensured a secure, user-friendly, and scalable solution.
While implementation demands initial effort, the long-term benefits of granular and context-aware access control outweigh the challenges.

Would love to hear your thoughts and experiences with access control! Share them in the comments below.
