Tags: django, authorization, access-control, rbac, abac

Django role based permissions


I'm developing a huge application in django and I need a permission system, and I assume that the native user/group permission within django is not sufficient. Here are my needs:

The application will be available through multiple departments. In each department there will be nearly the same actions. But maybe a user will be allowed to add a new team member in department A, and in department B he is only allowed to view the team list, and in the other departments he has no access at all. I thought using an RBAC system would be most appropriate. Roles must also be inheritable, stored in a model and manageable through an interface. Any good ideas or suggestions? Regards


Solution

  • What you are looking for is called Attribute-Based Access Control (ABAC). It's an evolution of RBAC as an access control model. In RBAC, you define access control in terms of roles, groups, and potentially permissions. You then have to write code within your application to make sense of the roles and groups. This is called identity-centric access control.

    In ABAC, there are 2 new elements:

    • attributes, which are a generalization of groups and roles. An attribute is a key-value pair that can describe anyone and anything. For instance, department, member, and action are all attributes.
    • policies tie attributes together to determine whether access should be granted or denied. Policies are a human-friendly way of expressing authorization. Rather than write custom code in your app, you write a policy that can be centrally managed and reused across apps, databases and APIs.

    There are a couple of ABAC languages, such as XACML and ALFA. Using ALFA, I could write the following policy:

    • A user will be allowed to add a new team member in department A
    • In department B he is only allowed to view the team list
    • In the other departments he has no access at all.
    • Roles must also be inheritable, stored in a model and manageable through an interface.
    namespace com.example.team {
        // Attribute declarations (assumed names; the original snippet left them implicit).
        // Each one binds a short name to a XACML category, attribute id and data type.
        attribute objectType { category = resourceCat id = "objectType" type = string }
        attribute role { category = subjectCat id = "role" type = string }
        attribute actionId { category = actionCat id = "actionId" type = string }
        attribute userDepartment { category = subjectCat id = "userDepartment" type = string }
        attribute targetDepartment { category = resourceCat id = "targetDepartment" type = string }

        policyset appAccess {
            apply firstApplicable
            policy members {
                // Target clauses compare with ==; a single = is not valid ALFA.
                target clause objectType == "member"
                apply firstApplicable
                /**
                 * A user can add a member to a department if they are a manager
                 * and if they are assigned to that department.
                 */
                rule addMember {
                    target clause role == "manager" and actionId == "add"
                    permit
                    condition userDepartment == targetDepartment
                }
                // No other rule matches, so every other request evaluates to
                // NotApplicable, which the enforcement point should treat as deny.
            }
        }
    }
    

    One of the key benefits of ABAC is that you can develop as many policies as you like, audit them, share them, and not have to touch your application code at all because you end up externalizing authorization.

    There are several engines / projects that implement ABAC such as:

    • AuthZForce (a Java library for XACML authorization)
    • Axiomatics Policy Server (commercial product - disclaimer: I work there)
    • AT&T XACML
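To make the policy semantics concrete, here is an added example (not code from the answer above, from Django, or from any XACML/ALFA engine) of a tiny policy decision point in Python that evaluates the same "manager may add members only in their own department" rule with first-applicable combining, and goes a little beyond the answer by also covering the question's other requirements: view-only access in some departments, no access elsewhere, and a role that inherits another. The attribute names, the per-department role map on the subject, the "manager inherits viewer" hierarchy and the sample requests are all assumptions made for illustration.

```python
"""Minimal ABAC policy decision point mirroring the ALFA policy in the answer.

Added example, not code from the original answer or any ALFA/XACML engine.
Attribute names, the role hierarchy and the sample subject are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A request is a flat attribute bag keyed "<category>.<attribute>", keeping the
# XACML categories (subject, resource, action) visible. Missing keys never match.
Request = dict
Predicate = Callable[[Request], bool]

# Role hierarchy (assumed): a manager can do everything a viewer can.
ROLE_INHERITS = {"manager": {"viewer"}, "viewer": set()}


def effective_roles(role: str) -> set[str]:
    """Transitive closure over ROLE_INHERITS, so rules can test inherited roles."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(ROLE_INHERITS.get(r, ()))
    return seen


def roles_in_department(req: Request) -> set[str]:
    """Roles the subject holds in the department of the target resource.
    subject.roles is a per-department map, e.g. {"A": "manager", "B": "viewer"}."""
    dept = req.get("resource.department")
    role = req.get("subject.roles", {}).get(dept)
    return effective_roles(role) if role else set()


@dataclass
class Rule:
    name: str
    effect: str                  # PERMIT or DENY
    target: Predicate            # like an ALFA "target clause": cheap attribute match
    condition: Predicate = lambda r: True   # like an ALFA "condition"

    def evaluate(self, req: Request) -> str:
        # In XACML a rule whose target or condition fails is NotApplicable, not
        # Deny; denying needs an explicit deny rule or the enforcement point's default.
        if self.target(req) and self.condition(req):
            return self.effect
        return NOT_APPLICABLE


@dataclass
class Policy:
    name: str
    target: Predicate
    children: list               # Rules or nested Policies, combined first-applicable

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        for child in self.children:          # "apply firstApplicable"
            decision = child.evaluate(req)
            if decision != NOT_APPLICABLE:
                return decision
        return NOT_APPLICABLE


# The answer's policy, plus rules for the question's view-only requirement.
APP_ACCESS = Policy(
    name="appAccess",
    target=lambda r: True,
    children=[
        Policy(
            name="members",
            target=lambda r: r.get("resource.objectType") == "member",
            children=[
                Rule("addMember", PERMIT,
                     target=lambda r: r.get("action.id") == "add",
                     condition=lambda r: "manager" in roles_in_department(r)),
                Rule("viewList", PERMIT,
                     target=lambda r: r.get("action.id") == "view",
                     condition=lambda r: "viewer" in roles_in_department(r)),
            ],
        ),
    ],
)


def is_authorized(user: dict, action: str, resource: dict) -> bool:
    """Policy enforcement point: only an explicit Permit grants access.
    NotApplicable (no matching rule, e.g. an unknown department) fails closed."""
    req = {
        "subject.id": user["id"],
        "subject.roles": user["roles"],
        "action.id": action,
        "resource.objectType": resource["type"],
        "resource.department": resource["department"],
    }
    return APP_ACCESS.evaluate(req) == PERMIT


# Constructed sample subject: manager in department A, viewer in department B.
ALICE = {"id": "alice", "roles": {"A": "manager", "B": "viewer"}}

if __name__ == "__main__":
    for action, dept in [("add", "A"), ("view", "A"), ("add", "B"), ("view", "B"), ("view", "C")]:
        ok = is_authorized(ALICE, action, {"type": "member", "department": dept})
        print(f"{action:4} member in {dept}: {'Permit' if ok else 'Deny'}")
```

In a Django view the `is_authorized` call is the only thing that would live in application code; the rules themselves are data, which is the externalization the answer describes. Note the fail-closed default: a request that no rule covers (a department the user has no role in, or an object type the policy does not mention) is NotApplicable and is refused, so forgetting a rule never silently grants access.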