Implementing a Dynamic RBAC System for Enterprise Applications - Simplified

Introduction

In today’s digital landscape, effective access management is critical for securing resources and data. A Role-Based Access Control (RBAC) system provides a structured approach to managing user permissions and roles. This blog outlines two variations of RBAC systems tailored to different application needs: Common Business Applications and Enterprise Business Applications.

To illustrate the concepts, we’ll provide a demo code snippet for a service managing access control, as well as a detailed description of each table used in the RBAC system.

RBAC System Components

Common Business Applications

For most common business applications, the RBAC system can be streamlined to manage roles and permissions effectively without additional complexities. The key components are:

1. User Table

   • Purpose: Stores user information such as username, password hash, email, and clearance level.
   • Key Columns: user_id, username, password_hash, email, department, clearance_level

2. Role Table

   • Purpose: Defines roles within the application, detailing each role's name and description.
   • Key Columns: role_id, role_name, description

3. Module Table

   • Purpose: Lists application modules or resources, describing their purpose and functionality.
   • Key Columns: module_id, module_name, description

4. Module_Permission Table

   • Purpose: Specifies permissions associated with each module, such as read or write access.
   • Key Columns: module_permission_id, module_id, permission_type

5. Role_Permission Table

   • Purpose: Maps roles to module permissions, determining what actions roles can perform on modules.
   • Key Columns: role_permission_id, role_id, module_permission_id

6. User_Role Table

   • Purpose: Manages the relationship between users and roles, enabling role-based access control.
   • Key Columns: user_role_id, user_id, role_id

Enterprise Business Applications

Enterprise business applications may require additional components to handle more complex access control needs. These include:

1. Policy Table

   • Purpose: Defines additional access rules and conditions, providing more granular control.
   • Key Columns: policy_id, policy_name, description

2. Role_Policy Table

   • Purpose: Links roles to policies, allowing roles to be governed by specific rules and conditions.
   • Key Columns: role_policy_id, role_id, policy_id

3. User_Policy Table

   • Purpose: Assigns policies directly to users, accommodating individual permissions.
   • Key Columns: user_policy_id, user_id, policy_id

4. Policy_Condition Table

   • Purpose: Specifies conditions for policies, such as contextual or attribute-based constraints.
   • Key Columns: policy_condition_id, policy_id, condition_type, condition_value

5. Contextual_Permission Table

   • Purpose: Applies policies based on specific contexts, like user department or location.
   • Key Columns: contextual_permission_id, policy_id, context_type, context_value

6. Temporal_Constraint Table

   • Purpose: Manages time-based access, defining start and end times for policy effectiveness.
   • Key Columns: temporal_constraint_id, policy_id, start_time, end_time

7. Delegation Table

   • Purpose: Facilitates temporary role assignments, allowing users to delegate roles with specified expiration dates.
   • Key Columns: delegation_id, delegate_user_id, delegator_user_id, role_id, delegated_at, expiration_date

8. Audit_Log Table

   • Purpose: Records user actions, module interactions, and role changes for security and compliance auditing.
   • Key Columns: audit_log_id, user_id, action, module_id, role_id, timestamp, details

Demo Code: Access Control Service

Here's a sample implementation of an AccessControlService in Java, demonstrating how to manage access control in a dynamic RBAC system. This example covers the essential components and illustrates how to handle permissions and policies.

import java.time.LocalDateTime;
import java.util.List;

@Service
@Transactional
public class AccessControlService {

    @Autowired
    private UserRepository userRepository;

    @Autowired
    private RoleRepository roleRepository;

    @Autowired
    private ModulePermissionRepository modulePermissionRepository;

    @Autowired
    private RolePermissionRepository rolePermissionRepository;

    @Autowired
    private UserRoleRepository userRoleRepository;

    @Autowired
    private PolicyRepository policyRepository;

    @Autowired
    private UserPolicyRepository userPolicyRepository;

    @Autowired
    private RolePolicyRepository rolePolicyRepository;

    @Autowired
    private PolicyConditionRepository policyConditionRepository;

    @Autowired
    private ContextualPermissionRepository contextualPermissionRepository;

    @Autowired
    private TemporalConstraintRepository temporalConstraintRepository;

    @Autowired
    private DelegationRepository delegationRepository;

    public boolean hasAccess(String username, Long moduleId, String permissionType) {
        // Fetch user
        User user = userRepository.findByUsername(username);
        if (user == null) {
            return false;
        }

        // Check if user has any delegations
        boolean hasDelegatedAccess = checkDelegatedAccess(user.getUserId(), moduleId, permissionType);
        if (hasDelegatedAccess) {
            return true;
        }

        // Check if user has direct access via roles
        List<UserRole> userRoles = userRoleRepository.findByUserId(user.getUserId());
        for (UserRole userRole : userRoles) {
            List<RolePermission> rolePermissions = rolePermissionRepository.findByRoleId(userRole.getRoleId());
            for (RolePermission rolePermission : rolePermissions) {
                ModulePermission modulePermission = modulePermissionRepository.findById(rolePermission.getModulePermissionId()).orElse(null);
                if (modulePermission != null && modulePermission.getModuleId().equals(moduleId) && modulePermission.getPermissionType().equals(permissionType)) {
                    // Check if role has any associated policies
                    if (hasPolicyAccess(user.getUserId(), moduleId, permissionType, modulePermission.getModuleId())) {
                        return true;
                    }
                }
            }
        }

        return false;
    }

    private boolean checkDelegatedAccess(Long userId, Long moduleId, String permissionType) {
        List<Delegation> delegations = delegationRepository.findByDelegateUserId(userId);
        LocalDateTime now = LocalDateTime.now();
        for (Delegation delegation : delegations) {
            // Check if delegation is expired
            if (delegation.getExpirationDate() != null && delegation.getExpirationDate().isBefore(now)) {
                continue;
            }

            List<RolePermission> rolePermissions = rolePermissionRepository.findByRoleId(delegation.getRoleId());
            for (RolePermission rolePermission : rolePermissions) {
                ModulePermission modulePermission = modulePermissionRepository.findById(rolePermission.getModulePermissionId()).orElse(null);
                if (modulePermission != null && modulePermission.getModuleId().equals(moduleId) && modulePermission.getPermissionType().equals(permissionType)) {
                    return true;
                }
            }
        }
        return false;
    }

    private boolean hasPolicyAccess(Long userId, Long moduleId, String permissionType, Long modulePermissionId) {
        // Check policies assigned directly to the user
        List<UserPolicy> userPolicies = userPolicyRepository.findByUserId(userId);
        for (UserPolicy userPolicy : userPolicies) {
            if (isPolicyValid(userPolicy.getPolicyId(), moduleId, permissionType)) {
                return true;
            }
        }

        // Check policies assigned to roles
        List<UserRole> userRoles = userRoleRepository.findByUserId(userId);
        for (UserRole userRole : userRoles) {
            List<RolePolicy> rolePolicies = rolePolicyRepository.findByRoleId(userRole.getRoleId());
            for (RolePolicy rolePolicy : rolePolicies) {
                if (isPolicyValid(rolePolicy.getPolicyId(), moduleId, permissionType)) {
                    return true;
                }
            }
        }

        return false;
    }

    private boolean isPolicyValid(Long policyId, Long moduleId, String permissionType) {
        // Check policy conditions
        List<PolicyCondition> conditions = policyConditionRepository.findByPolicyId(policyId);
        for (PolicyCondition condition : conditions) {
            // Add logic to evaluate conditions based on conditionType and conditionValue
            // e.g., Check if context or attribute matches the condition
        }

        // Check contextual permissions
        List<ContextualPermission> contextualPermissions = contextualPermissionRepository.findByPolicyId(policyId);
        for (ContextualPermission contextualPermission : contextualPermissions) {
            // Add logic to evaluate contextual permissions
            // e.g., Check if current context matches the contextualPermission
        }

        // Check temporal constraints
        List<TemporalConstraint> temporalConstraints = temporalConstraintRepository.findByPolicyId(policyId);
        for (TemporalConstraint temporalConstraint : temporalConstraints) {
            LocalDateTime now = LocalDateTime.now();
            if (now.isBefore(temporalConstraint.getStartTime()) || now.isAfter(temporalConstraint.getEndTime())) {
                return false;
            }
        }

        return true;
    }
}

Conclusion

By differentiating between common business applications and enterprise business applications, you can tailor your RBAC system