PBAC

What is the PBAC model?

PBAC stands for Policy-Based Access Control. It is a flexible access control model that makes authorization decisions by evaluating policies written as rules. Unlike traditional access control models that rely on static roles or attributes, PBAC allows dynamic, rule-based authorization: each policy line carries rule expressions that are evaluated against the request at enforcement time using the eval() function in the matcher.

In PBAC, access decisions are made by evaluating policies that can include:

  • Dynamic Rules: Policies that evaluate expressions at runtime
  • Complex Logic: Support for boolean operations, comparisons, and attribute-based conditions
  • Contextual Information: User attributes, resource properties, and environmental factors
  • Business Rules: Domain-specific authorization logic that reflects organizational policies

PBAC Model Definition

Here's the PBAC model configuration:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub_rule, obj_rule, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = eval(p.sub_rule) && eval(p.obj_rule) && r.act == p.act

In this model:

  • p.sub_rule contains the subject rule to be evaluated (e.g., r.sub.Age >= 18)
  • p.obj_rule contains the object rule to be evaluated (e.g., r.obj.Level >= 1)
  • The eval() function evaluates each stored rule dynamically against the incoming request (r.sub, r.obj); the request is allowed only if both rules hold and r.act equals p.act

Policy and Request Examples

Basic Policy

Policy:

p, r.sub.Age >= 18, r.obj.Level >= 1, play

Request Examples:

{"Age":25}, {"Level":2}, play    # ALLOWED (Age >= 18 and Level >= 1)
{"Age":16}, {"Level":2}, play    # DENIED (Age < 18)
{"Age":20}, {"Level":0}, play    # DENIED (Level < 1)
{"Age":25}, {"Level":2}, read    # DENIED (action doesn't match policy)

Complex Policy

Policy:

p, r.sub.Department == "IT" && r.sub.Level >= 3, r.obj.Confidential == false, read

Request Examples:

{"Department":"IT","Level":3}, {"Confidential":false}, read    # ALLOWED
{"Department":"IT","Level":2}, {"Confidential":false}, read    # DENIED (Level < 3)
{"Department":"HR","Level":3}, {"Confidential":false}, read    # DENIED (Department != "IT")
{"Department":"IT","Level":3}, {"Confidential":true}, read     # DENIED (Confidential == true)

Code Example:

package main

import (
	"fmt"
	"log"

	"github.com/casbin/casbin/v2"
)

func main() {
	// Load the PBAC model and the policy lines shown above
	e, err := casbin.NewEnforcer("examples/pbac_model.conf", "examples/pbac_policy.csv")
	if err != nil {
		log.Fatal(err)
	}

	// Enable JSON request support so attribute sets can be passed as JSON strings
	e.EnableAcceptJsonRequest(true)

	// Define subject and object with attributes
	subject := `{"Department": "IT", "Level": 3}`
	object := `{"Confidential": false}`
	action := "read"

	// Check permission: this request satisfies the complex policy, so it is granted
	ok, err := e.Enforce(subject, object, action)
	if err != nil {
		log.Fatal(err)
	}
	if ok {
		fmt.Println("Permission granted")
	} else {
		fmt.Println("Permission denied")
	}
}
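To make the matcher semantics concrete, the following is an added example (not Casbin's own code) that re-implements the model above in plain Python: a policy line is (sub_rule, obj_rule, act), eval(p.sub_rule) && eval(p.obj_rule) && r.act == p.act is the matcher, and some(where (p.eft == allow)) means any matching line grants access. Instead of a general-purpose eval(), it accepts only the rule grammar the page uses (r.sub.X / r.obj.X, a comparison operator, a literal, joined by &&), so a rule outside that grammar denies rather than executes; the function names and PAGE_POLICIES are this example's own.

```python
import json
import operator
import re

# Only the comparison operators the rule grammar admits; no general-purpose eval().
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       ">": operator.gt, "<=": operator.le, "<": operator.lt}
# One clause: r.sub.<attr> or r.obj.<attr>, an operator, and a literal.
CLAUSE = re.compile(r'^\s*r\.(sub|obj)\.(\w+)\s*(==|!=|>=|<=|>|<)\s*(.+?)\s*$')

def parse_literal(text):
    """Right-hand side of a clause: a quoted string, true/false, or a number."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    if text in ("true", "false"):
        return text == "true"
    return float(text)  # ValueError for anything outside the grammar

def eval_rule(rule, sub, obj):
    """Evaluate a conjunction such as `r.sub.Department == "IT" && r.sub.Level >= 3`.
    Malformed clauses, unknown attributes and incomparable types all deny."""
    for clause in rule.split("&&"):
        m = CLAUSE.match(clause)
        if not m:
            return False
        side, attr, op, rhs = m.groups()
        lhs = (sub if side == "sub" else obj).get(attr)
        try:
            want = parse_literal(rhs)
            if lhs is None or isinstance(lhs, bool) != isinstance(want, bool):
                return False  # missing attribute, or bool compared with a number
            if not OPS[op](lhs, want):
                return False
        except (ValueError, TypeError):
            return False
    return True

def enforce(policies, sub_json, obj_json, act):
    """Casbin-style Enforce(sub, obj, act) with effect some(where (p.eft == allow)):
    any policy line whose rules and action all match grants access."""
    try:
        sub, obj = json.loads(sub_json), json.loads(obj_json)
        return any(eval_rule(s, sub, obj) and eval_rule(o, sub, obj) and act == a
                   for s, o, a in policies)
    except (ValueError, AttributeError):  # malformed or non-object JSON never grants
        return False

PAGE_POLICIES = [  # the two policy lines shown on the page
    ("r.sub.Age >= 18", "r.obj.Level >= 1", "play"),
    ('r.sub.Department == "IT" && r.sub.Level >= 3', "r.obj.Confidential == false", "read")]
```

Running the eight requests from the tables above through enforce(PAGE_POLICIES, ...) reproduces each ALLOWED/DENIED verdict, and a rule such as "r.sub.Age + 1 >= 18" is rejected because arithmetic is not part of the accepted grammar.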