I am developing REST API for the growing system. And in general Role/Claims Access Control work perfecly like this.
[HttpGet]
[Route("settings")]
[Authorization(Type = AuthorizationType.Admin, Permission = Permission.StoreSettings)]
public IHttpActionResult GetSettings() { /*...*/ }
Problem occurs when I have users who can for example control access deeper like in the figure below. This is an abstract example of the system.
And if I need to query something in the one of the area, it is quite simple, but when I need to get all Items
from Departments
I have to write the same ugly code I can't really reuse. Not real code, but looks like this.
Db.Items.Where(i =>
i.Stores.Any(s => s.CityId == User.CityId) &&
Db.UserDepartmentRights.Any(udr => udr.UserId == User.UserId && i.DepartmentId == udr.DepartmentId));
It is obviously ugly and very hard to maintain, especially if I need to bring another level into the system.
Is there any framework which can handle this or at formalized architecture I can implement?
Yes there is. There is a model called ABAC - or attribute-based access control (abac) that does just that.
ABAC is an evolution of RBAC (role-based access control). The claims-based model you use is a form of RBAC where you assign roles and permissions to users. RBAC works well in small, simple deployments but tends to fail when you need to scale up or when you have relationships. In your case, you want to express access control in terms of the relationship between users and stores.
ABAC and RBAC are both models defined by NIST, the National Institute of Science and Technology.
In ABAC, you get 2 types of constructs:
With ABAC you can have as many policies as you like that cater to many different scenarios.
ABAC comes with a recommended architecture which is as follows:
The main standard that implements ABAC today is XACML, the eXtensible Access Control Markup Language (xacml). It is a technology-neutral approach to fine-grained access control. There are several implementations of XACML today:
There are a few good resources online you can turn to