The Right Person - abukhalil-LTUC-ASAC/amman-401d4 GitHub Wiki
Inter-user authentication
If you ever wondered how hierarchies of authorization come to be, here it is. Basic authentication validates every user by comparing their credentials against the database, and OAuth delegates the login to a provider, but neither one restricts what a logged-in user can reach while browsing. Applying bearer authentication with header tokens is one way to do that: put a bearer-auth middleware on each route and sort the tokens by access rights.
There are up-to-date methods for storing secrets, if you ever wondered how to do it properly; check for updates regularly, but as of 2020 this should suffice.
Role Based Access Control (RBAC)
Access rights are not basic human rights! They are distributed according to personal or company policies, and have nothing to do with any 'ism' and everything to do with privileges and resource management. There is no reason to open up your whole website, including all essential operations, unless you crave wanton destruction and a truly chaotic working environment.
Fun talk aside: giving each account its own privileges arbitrarily is very work intensive. Instead, assign access to template roles and then assign accounts to those roles. Make the routes role specific instead of user specific, and you now have a semi-static policy that is centrally managed.
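The two middlewares described above (bearer authentication on every route, then a role-based gate), written out as an added example rather than code from the course page. The functions use Express's `(req, res, next)` shape but ship with a tiny pipeline runner so they execute without installing Express; the users, roles, tokens and the `verifyToken` stand-in are all constructed for the demo.

```javascript
// Added example, not code from the course page: Express-style bearer-token
// authentication plus a role-based capability gate. Written as plain
// (req, res, next) functions with a tiny pipeline runner so it runs without
// installing Express. Users, roles and tokens below are constructed.

// Role templates: a route checks a capability, never a user name.
const roles = {
  user: ['read'],
  writer: ['read', 'create', 'update'],
  editor: ['read', 'create', 'update', 'delete'],
  admin: ['read', 'create', 'update', 'delete', 'superuser'],
};

// Constructed token table standing in for real token verification
// (signed JWT, session store, ...). Keys are opaque bearer tokens.
const tokenTable = {
  'tok-alice': { username: 'alice', role: 'admin' },
  'tok-bob': { username: 'bob', role: 'user' },
};

// Stand-in verifier: real code verifies signature and expiry here.
function verifyToken(token) {
  return tokenTable[token] || null;
}

// Middleware 1: bearer authentication. Fails closed on anything unexpected.
function bearerAuth(req, res, next) {
  const header = req.headers.authorization || '';
  const [scheme, token, ...rest] = header.split(' ');
  if (scheme !== 'Bearer' || !token || rest.length > 0) {
    return res.status(401).send('Missing or malformed bearer token');
  }
  const user = verifyToken(token);
  if (!user) return res.status(403).send('Invalid token');
  req.user = user; // downstream middleware reads the role from here
  return next();
}

// Middleware 2: role-based gate. The factory returns one middleware per capability.
function permissions(capability) {
  return (req, res, next) => {
    const caps = (req.user && roles[req.user.role]) || [];
    if (!caps.includes(capability)) {
      return res.status(403).send('Access denied');
    }
    return next();
  };
}

// Minimal replacement for Express's request pipeline: runs middlewares in
// order and stops as soon as one of them does not call next().
function runPipeline(req, middlewares) {
  const res = {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
  };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return { status: res.statusCode, body: res.body };
}

// A route handler that only the delete capability may reach.
function deleteRecord(req, res) {
  res.status(200).send(`deleted by ${req.user.username}`);
}

// Simulate "DELETE /records" with a given Authorization header value.
// Returns { status, body } so the outcome can be inspected or asserted on.
function tryDelete(authorizationHeader) {
  const req = { headers: { authorization: authorizationHeader } };
  return runPipeline(req, [bearerAuth, permissions('delete'), deleteRecord]);
}
```

In a real app only `runPipeline` goes away: the route becomes `app.delete('/records', bearerAuth, permissions('delete'), deleteRecord)`. Note that the gate consults `roles[req.user.role]`, so changing what editors may do is one edit to the template, not a pass over every account.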
Other access control systems
- Access control lists (ACL): a list of all users and their corresponding accesses; very micromanage-y.
- Attribute-based access control (ABAC): each user has object-type permissions, which is even more granular but even worse in terms of micromanagement.
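To make the granularity versus micromanagement trade-off concrete, here is an added example (not from the course page) that answers the same question, "may bob delete this post?", three ways: with a per-resource ACL, with the RBAC role template from the previous section, and with ABAC rules over user and resource attributes. The users, posts and rules are constructed for the demo.

```javascript
// Added example, not course code: one authorization decision answered by an
// ACL, by RBAC and by ABAC, so the maintenance cost of each can be compared.

// ACL: one entry per (resource, user). Every new user or resource means
// editing a list, which is the "micromanagement" the notes complain about.
const acl = {
  'post:42': { alice: ['read', 'delete'], bob: ['read'] },
  'post:43': { alice: ['read', 'delete'], bob: ['read', 'delete'] },
};
function aclAllows(user, action, resourceId) {
  const entries = acl[resourceId] || {};
  return (entries[user.username] || []).includes(action);
}

// RBAC: the permission lives on the role; users are only assigned to roles.
// Coarse, but one change to the template updates everyone in that role.
const roleCaps = { user: ['read'], editor: ['read', 'delete'] };
function rbacAllows(user, action) {
  return (roleCaps[user.role] || []).includes(action);
}

// ABAC: rules over attributes of subject, action and resource. Ownership
// gives finer control than RBAC without a per-user list, at the cost of
// rules that are harder to audit as they accumulate.
const abacRules = [
  (u, a, r) => a === 'read',
  (u, a, r) => a === 'delete' && r.ownerId === u.username,
  (u, a, r) => a === 'delete' && u.role === 'editor',
];
function abacAllows(user, action, resource) {
  return abacRules.some((rule) => rule(user, action, resource));
}

// Constructed subjects and resources used by the comparison.
const bob = { username: 'bob', role: 'user' };
const carol = { username: 'carol', role: 'editor' };
const post42 = { id: 'post:42', ownerId: 'alice' };
const post43 = { id: 'post:43', ownerId: 'bob' };

// Returns the three verdicts side by side for one request.
function compare(user, action, resource) {
  return {
    acl: aclAllows(user, action, resource.id),
    rbac: rbacAllows(user, action),
    abac: abacAllows(user, action, resource),
  };
}
```

Run `compare(bob, 'delete', post43)`: the ACL and ABAC both say yes because bob owns that post, while RBAC says no because the `user` role has no delete capability at all. Getting RBAC to agree would mean either promoting bob to `editor` (too much) or adding ownership logic, which is exactly the point where teams drift toward ABAC.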
Implementation
- Inventory your systems: define which parts of your system you deem worthy of access control.
- Analyze your workforce and only then create roles, not the roles first; you have to understand the workflow before restricting it, or you risk strangling it to death.
- Assign people to roles.
- Never make one-off changes; seek system-wide changes when necessary. Relaxing or restricting a role for one person out of many is a bad idea.
- Audit: take in feedback, reflect on the system you just created, marvel at its simplicity or feel sorry about its limitations, then work on them.