WebApp Sec mailing list archives
Re: Model for Field level Access Control
From: "Cesar Osorio" <COsorio () awb com au>
Date: Fri, 27 Feb 2004 09:48:06 +1100
S, I am currently in a project for Directory structures and Data access, the concept is pretty simple, google for ROLE BASED SECURITY. The principle for this is "Users only see what is needed and not more and not less". Example: Description ROLE Data Access Supervisor supervisor Input, delete, modify, etc, some reporting Manager Manager Reports and Some Finance Clerk Data entry Input only not delete and so on... To make it easier, the first thing you need to do is to determine ROLES and Job Functions, then create a matrix with all of this and applied it to your data, document everything as the organisation will change !?! and keep a master list of all roles and access required, as soon as a role changes the access right changes. Another example: Description ROLE DATA ACCESS IT Developer web-developer Development systems IT Developer team leader IT-devTL Development systems + Team leading data area IT Developers manager IT-dev-mgr Team leading data area + Managers area. Have Fun Regards, Cesar Osorio Operation Security Analyst "Sundaram, Ramasubramanian To: <webappsec () securityfocus com> (Cognizant)" cc: <SRamasub () chn cog Subject: Model for Field level Access Control nizant.com> 26/02/2004 16:18 HI, We are designing a data model for a web application which requires attribute level access control for records. This application manages hundreds of thousands of records of people. The users of this application work on these records by modifying the attributes of the people, adding new entries, searching for people etc. Access to these records needs to be restricted based on the following factors. 1)Userid / Role of the logged in user 2)The record he is trying to access 3)Fields of the record that he is trying to access and 4)The action he is trying to perform on the record(edit,delete or create a new record) Has anyone come across an efficient model to represent/evaluate these restrictions? These records are stored in a database. Any help in this regard is greatly appreciated. Thanks, Rams (See attached file: InterScan_Disclaimer.txt)
Attachment:
InterScan_Disclaimer.txt
Description:
Current thread:
- Model for Field level Access Control Sundaram, Ramasubramanian (Cognizant) (Feb 26)
- <Possible follow-ups>
- RE: Model for Field level Access Control Paul John Summers (Feb 26)
- Re: Model for Field level Access Control Cesar Osorio (Feb 26)
- RE: Model for Field level Access Control Lanham, M. MAJ EECS (Feb 26)