From RBAC to ABAC

Prerequisites

  1. An Aserto account (if you don’t have one, sign up here!)
  2. A Netlify account (Netlify is awesome, and you can get an account for free!)
  3. Your favorite IDE
  4. We highly recommend you complete the PeopleFinder Quickstart before starting this tutorial. It will take you through the basic account setup in Aserto, and will introduce you to the basic concepts of Role-based Access Control (RBAC).

The Scenario

Add The Acmecorp IDP

Create the Policy

git clone https://github.com/[your-organization]/policy-basic-abac

Build a reusable rule

package officeManagement

import input.user.attributes.properties as user_props

isWorkingHoursWithTimezone {
  ns := time.now_ns()
  clock := time.clock([ns, user_props.timezone])
  clock[0] >= 8
  clock[0] < 17
}

Create a data.json file

  1. Allowed Locations: the locations from which users are allowed to access a protected resource
  2. Allowed Devices: the devices users are allowed to use to access protected resources
{
  "allowedLocations": [
    "New York",
    "Auckland",
    "Tokyo"
  ],
  "allowedDevices": [
    "MacBook",
    "PC",
    "iPhone"
  ]
}

Create the Policies

  • Working hours: The policy verifies that the user is trying to access a resource during working hours, evaluated in the user's own time zone.
  • Device used: The application can simulate users on one of four device types: a MacBook, a PC, an iPhone and an Android device. Only the first three are allowed.
  • Location: The user will be in one of the known locations.
package policyabac.GET.api.projects.red
import data.officeManagement.isWorkingHoursWithTimezone
import input.user.attributes.properties as user_props
  1. Use the isWorkingHoursWithTimezone function to determine whether the user is trying to access a resource during working hours.
  2. Reference roles and properties that are nested deep in the input object using the alias user_props.
default allowed = false
default visible = false
default enabled = false
deviceAllowed {
user_props.device == data.allowedDevices[_]
}
  • whether the user is assigned to the “red” project and
  • whether they are using an allowed device and
  • whether the request is being sent during working hours
allowed {
user_props.project == "red"
isWorkingHoursWithTimezone
deviceAllowed
}
visible {
user_props.project == "red"
}
enabled {
user_props.project == "red"
isWorkingHoursWithTimezone
}
package policyabac.GET.api.projects.red

import data.officeManagement.isWorkingHoursWithTimezone
import input.user.attributes.properties as user_props

default allowed = false
default visible = false
default enabled = false

deviceAllowed {
  user_props.device == data.allowedDevices[_]
}

allowed {
  user_props.project == "red"
  isWorkingHoursWithTimezone
  deviceAllowed
}

visible {
  user_props.project == "red"
}

enabled {
  user_props.project == "red"
  isWorkingHoursWithTimezone
}
package policyabac.GET.api.projects.blue

import data.officeManagement.isWorkingHoursWithTimezone
import input.user.attributes.properties as user_props

default allowed = false
default visible = false
default enabled = false

deviceAllowed {
  user_props.device == data.allowedDevices[_]
}

locationAllowed {
  user_props.location == data.allowedLocations[_]
}

allowed {
  user_props.project == "blue"
  isWorkingHoursWithTimezone
  deviceAllowed
  locationAllowed
}

visible {
  user_props.project == "blue"
}

enabled {
  locationAllowed
  deviceAllowed
}
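To check what the red and blue policies above decide before pushing them, here is an added Python model of their three decisions (example code written for this article, not part of the Aserto policy or the demo app). It mirrors the Rego rule by rule and lets you evaluate one fixed instant across several time zones; the time zone offsets are a constructed simplification, since the real policy hands an IANA name such as America/New_York to time.clock, which also accounts for DST.

```python
from datetime import datetime, timedelta, timezone

# Same attribute data as data.json
DATA = {
    "allowedLocations": ["New York", "Auckland", "Tokyo"],
    "allowedDevices": ["MacBook", "PC", "iPhone"],
}

# Constructed fixed UTC offsets for the demo time zones (DST ignored)
TZ_OFFSETS = {"America/New_York": -5, "Pacific/Auckland": 13, "Asia/Tokyo": 9}

# Constructed instant used for the checks: 14:00 UTC on 1 June 2021
NOW = datetime(2021, 6, 1, 14, 0, tzinfo=timezone.utc)


def is_working_hours(now_utc, tz_name):
    """isWorkingHoursWithTimezone: local hour in [8, 17); unknown tz -> False."""
    if tz_name not in TZ_OFFSETS:
        return False  # Rego: undefined user_props.timezone makes the rule undefined
    local = now_utc.astimezone(timezone(timedelta(hours=TZ_OFFSETS[tz_name])))
    return 8 <= local.hour < 17


def decide(project, user_props, now_utc, data=DATA):
    """allowed/visible/enabled for GET /api/projects/<project>, as in the Rego."""
    in_project = user_props.get("project") == project
    working = is_working_hours(now_utc, user_props.get("timezone"))
    # `x == data.allowedDevices[_]` is a membership test in Rego
    device_ok = user_props.get("device") in data["allowedDevices"]
    location_ok = user_props.get("location") in data["allowedLocations"]
    if project == "red":
        return {
            "allowed": in_project and working and device_ok,
            "visible": in_project,
            "enabled": in_project and working,
        }
    if project == "blue":
        return {
            "allowed": in_project and working and device_ok and location_ok,
            "visible": in_project,
            # note: the blue policy's `enabled` does not check the project
            "enabled": location_ok and device_ok,
        }
    # No policy for this route: every decision keeps its default of false
    return {"allowed": False, "visible": False, "enabled": False}


if __name__ == "__main__":
    for tz in TZ_OFFSETS:
        user = {"project": "red", "device": "MacBook", "timezone": tz}
        print(tz, decide("red", user, NOW))
```

Running it shows the same request succeeding for a New York user at 09:00 local and failing for an Auckland user, where the same instant is 03:00.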

Update the .manifest file

["policies"]
["policyabac", "allowedLocations", "allowedDevices", "officeManagement"]

Commit the changes

git add .
git commit -m "Created ABAC Policy"
git push
git tag v0.0.1
git push --tags

Test the Application

Running the Application Locally

git clone git@github.com:aserto-demo/aserto-react-abac.git
POLICY_ID=<Your Policy ID>
AUTHORIZER_API_KEY=<Your Authorizer API Key>
TENANT_ID=<Your Tenant ID>
POLICY_ROOT=policyabac
AUTHORIZER_SERVICE_URL=https://authorizer.prod.aserto.com
REACT_APP_API_ORIGIN=http://localhost:8080
yarn install
yarn start:all

Deploy the Application to Netlify

Test the Policies

  • Email: euang@acmecorp.com
  • Password: V@erySecre#t123!

Summary
