Authentication is the process of logging into an application. A user cannot login until they have proven that they have created an account within the application. Once an account has been created, they can prove to the application that they are a registered user.
Authorization deals with the level of access one individual holds.
Only after a user creates a profile, can the application authenticate it. The application now needs to assign a level of authorization to each and every user that has a profile. The best way to describe how levels of authorization are assigned is by using a bank as an example.
In the above scenario, you have one system, five roles. If you have 10,000 users authenticated into your system, each one of the 10,000 needs a role no matter what the circumstance.
Least Privilege Principle -
Every account that is created inside of an application should operate only on a need-to-know basis. Other factors such as job position or level of supervision will also factor into the amount of privilege given to certain roles.
Lets work with the Client and Admin accounts since it will be easiest to assess their privileges. First, the admins are the ones in charge of everything IT-related in the system. It falls on them to oversee all IT Operations such as ensuring all users gain access to the documentation or processes they require. Some examples of documentation the admin would have access to are social security numbers of clients, the employee number of developers and bank staff, or top-secret company information that may require a clearance. Admins need to know the state of IT Operations across the entire application, meaning they will operate from a high privileged role. This high privileged role will allow admins to have certain rights that most users in the applications will not gain access to. On the opposite side of the spectrum, the client will be in the least privileged role since they will not have access to information that pertains to other members of the application. Clients will only be allowed to access information that pertains to themselves such as their bank statements, routing and account numbers, etc. The Least Privilege Principle will also be used to assess the roles of the bankers, supervisors, and developers as well.
Allowing user roles to be the main method of security can be applied to various contexts within engineering. When creating my bug tracker application in .NET5 using the MVC design pattern, I would assign each user a different role based on their privilege and what they’d need to know. The bug tracker featured roles that mimicked an actual software development team. A demo user role was added as a way to have clients interested in the app to quickly demo it without needing to use their personal info to sign in.
To enforce that the only users who have access to the application are authenticated, in C#’s MVC structure, you can use the authorize decorator above the entire index action like so:
User principal claims can also be used in order to keep track of certain roles.
Role based security is also a leading technique in cloud computing as well. Microsoft Azure AD allows Administrators to use the same principles when creating domains. You can create roles and give certain privileges to roles based on a need to know basis within the domain. In the case of Azure and cloud computing, high privileges granted to users would result in more Azure services they would be able to perform. Microsoft also tends to refer to this as Role Based Access Control (RBAC).
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Top comments (0)