PBAC
What is the PBAC model?
PBAC (Policy-Based Access Control) is a flexible access control model that evaluates authorization based on rules defined in policies. Unlike static role-based or attribute-based models, PBAC evaluates complex conditions dynamically at runtime using the eval() function.
PBAC policies can include:
- Dynamic Rules: Expressions evaluated at runtime
- Complex Logic: Boolean operations, comparisons, and attribute-based conditions
- Contextual Information: User attributes, resource properties, and environmental factors
- Business Rules: Domain-specific authorization logic reflecting organizational policies
PBAC Model Definition
The PBAC model configuration:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub_rule, obj_rule, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = eval(p.sub_rule) && eval(p.obj_rule) && r.act == p.act
Model components:
- p.sub_rule contains the subject rule (for example, r.sub.Age >= 18)
- p.obj_rule contains the object rule (for example, r.obj.Level >= 1)
- eval() evaluates policy rules dynamically against the request
Policy and Request Examples
Basic Policy
Policy:
p, r.sub.Age >= 18, r.obj.Level >= 1, play
Request Examples:
{"Age":25}, {"Level":2}, play # ALLOWED (Age >= 18 and Level >= 1)
{"Age":16}, {"Level":2}, play # DENIED (Age < 18)
{"Age":20}, {"Level":0}, play # DENIED (Level < 1)
{"Age":25}, {"Level":2}, read # DENIED (action doesn't match policy)
Complex Policy
Policy:
p, r.sub.Department == "IT" && r.sub.Level >= 3, r.obj.Confidential == false, read
Request Examples:
{"Department":"IT","Level":3}, {"Confidential":false}, read # ALLOWED
{"Department":"IT","Level":2}, {"Confidential":false}, read # DENIED (Level < 3)
{"Department":"HR","Level":3}, {"Confidential":false}, read # DENIED (Department != "IT")
{"Department":"IT","Level":3}, {"Confidential":true}, read # DENIED (Confidential == true)
Code Example:
package main

import (
	"fmt"
	"log"
	"github.com/casbin/casbin/v2"
)

func main() {
	e, err := casbin.NewEnforcer("examples/pbac_model.conf", "examples/pbac_policy.csv")
	if err != nil {
		log.Fatal(err)
	}
	// Enable JSON request support so sub and obj can be passed as JSON strings
	e.EnableAcceptJsonRequest(true)
	subject := `{"Department": "IT", "Level": 3}` // subject and object attributes
	object := `{"Confidential": false}`
	action := "read"
	// Check permission; an evaluation error is reported, never treated as a grant
	ok, err := e.Enforce(subject, object, action)
	if err != nil {
		log.Fatal(err)
	}
	if ok {
		fmt.Println("Permission granted")
	} else {
		fmt.Println("Permission denied")
	}
}
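The matcher and the request examples above, worked as an added self-contained Go evaluator (example code, not Casbin's implementation): it decodes the JSON subject and object the way EnableAcceptJsonRequest lets the enforcer accept them, evaluates each policy line's sub_rule and obj_rule, and applies the some(where (p.eft == allow)) effect. Assumptions: rules are &&-joined comparisons using ==, != or >= whose literals contain no spaces, and attributes are flat JSON values; anything outside that, including a missing attribute or malformed request JSON, is treated as no match.

```go
package main

import (
	"encoding/json"
	"reflect"
	"strings"
)

type Policy struct{ SubRule, ObjRule, Act string } // one policy line: p, sub_rule, obj_rule, act

// compare applies op between a request attribute and the rule's literal, which is parsed as JSON.
func compare(v any, op, lit string) bool {
	var l any
	if json.Unmarshal([]byte(lit), &l) != nil {
		return false // unparsable literal: fail closed
	}
	eq := reflect.DeepEqual(v, l) // "IT" vs "IT", false vs false, 18 vs 18 (no panic on odd types)
	a, aok := v.(float64)         // JSON numbers decode as float64; ordering is numbers-only
	b, bok := l.(float64)
	return (op == "==" && eq) || (op == "!=" && !eq) || (op == ">=" && aok && bok && a >= b)
}

// evalRule evaluates an &&-joined rule such as `r.sub.Department == "IT" && r.sub.Level >= 3`.
func evalRule(rule string, r map[string]map[string]any) bool {
	for _, term := range strings.Split(rule, "&&") {
		f := strings.Fields(term) // e.g. ["r.sub.Age", ">=", "18"]
		if len(f) != 3 {
			return false // unsupported syntax (assumption: only simple comparisons): fail closed
		}
		scope, field, _ := strings.Cut(strings.TrimPrefix(f[0], "r."), ".") // "sub"|"obj", attribute
		if v, ok := r[scope][field]; !ok || !compare(v, f[1], f[2]) {
			return false // a missing attribute never satisfies a rule
		}
	}
	return true
}

// Enforce is the page's matcher eval(p.sub_rule) && eval(p.obj_rule) && r.act == p.act under some(allow).
func Enforce(policies []Policy, subJSON, objJSON, act string) bool {
	var sub, obj map[string]any
	json.Unmarshal([]byte(subJSON), &sub) // malformed JSON leaves the map empty,
	json.Unmarshal([]byte(objJSON), &obj) // so every attribute lookup then fails closed
	r := map[string]map[string]any{"sub": sub, "obj": obj}
	for _, p := range policies {
		if act == p.Act && evalRule(p.SubRule, r) && evalRule(p.ObjRule, r) {
			return true // one matching allow policy is enough
		}
	}
	return false
}
```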