Overview

Design an Enforcer / Decider that supports fine grain access control.  This Enforcer / Decider should extend the capabilities of the existing SERVLET and ENGINE type Enforcers / Deciders.  This design will have the ability to leverage the Request/Response data (attributes/values), in addition to the Operation, Principal and Resource to determine if a given Request/Response will be allowed.

Related project: Authorization

Requirements

• Enforce fine-grain access policies using the data (payload) that is related to a given Request / Response.
• Leverage existing Request information: Operation, Principal, Resource
• Support both inbound and outbound enforcement
• inbound: Requests from the Engine (Resource) to the Framework (Representation)
• outbound: Responses from the Framework (Representation) to the Engine (Resource)
  
• Offer the ability to block / mask / redact data (usually related to a Response)

Use Cases

Limit update to certain attributes in a Request

The current authorization implementation can be configured to allow the authenticated user (principal) to perform UPDATE operations on their own resource.  This fine-grain authorization project should allow for a policy that would deny/allow the update of specific attributes for the user's own resource.

Block sensitive attributes in a Response

The current authorization model can enforce the Read operation of a resources.  This is "all or nothing".  There is a need to limit what attributes can be read from a given resource, based on the principal (SYSTEM, USER, ANON).  Sensitive data, such as a user's forgotten password challenge answers, should only be readable by the resource's owner.  If a read is performed by the non-owner principal, the sensitive attributes (within the record) should be excluded or masked.