OverviewDesign an Enforcer / Decider that supports fine grain access control. This Enforcer / Decider should extend the capabilities of the existing SERVLET and ENGINE type Enforcers / Deciders. This design will have the ability to leverage the Request/Response data (attributes/values), in addition to the Operation, Principal and Resource to determine if a given Request/Response will be allowed. Related project: Authorization Requirements
Use CasesLimit update to certain attributes in a RequestThe current authorization implementation can be configured to allow the authenticated user (principal) to perform UPDATE operations on their own resource. This fine-grain authorization project should allow for a policy that would deny/allow the update of specific attributes for the user's own resource.Block sensitive attributes in a ResponseThe current authorization model can enforce the Read operation of a resources. This is "all or nothing". There is a need to limit what attributes can be read from a given resource, based on the principal (SYSTEM, USER, ANON). Sensitive data, such as a user's forgotten password challenge answers, should only be readable by the resource's owner. If a read is performed by the non-owner principal, the sensitive attributes (within the record) should be excluded or masked.Inputs
Assumptions
|
Projects >