Access Control
web2py includes a powerful and customizable Role Based Access Control mechanism (RBAC).
Here is a definition from Wikipedia:
“Role-Based Access Control (RBAC) is an approach to restricting system access to authorized users. It is a newer alternative approach to mandatory access control (MAC) and discretionary access control (DAC). RBAC is sometimes referred to as role-based security.
RBAC is a policy neutral and flexible access control technology sufficiently powerful to simulate DAC and MAC. Conversely, MAC can simulate RBAC if the role graph is restricted to a tree rather than a partially ordered set.
Prior to the development of RBAC, MAC and DAC were considered to be the only known models for access control: if a model was not MAC, it was considered to be a DAC model, and vice versa. Research in the late 1990s demonstrated that RBAC falls in neither category.
Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. Unlike context-based access control (CBAC), RBAC does not look at the message context (such as a connection’s source).
Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user; this simplifies common operations, such as adding a user, or changing a user’s department.
RBAC differs from access control lists (ACLs) used in traditional discretionary access control systems in that it assigns permissions to specific operations with meaning in the organization, rather than to low level data objects. For example, an access control list could be used to grant or deny write access to a particular system file, but it would not dictate how that file could be changed.”
The web2py class that implements RBAC is called Auth.
Auth needs (and defines) the following tables:
auth_user
stores users’ name, email address, password, and status (registration pending, accepted, blocked)auth_group
stores groups or roles for users in a many-to-many structure. By default, each user is in its own group, but a user can be in multiple groups, and each group can contain multiple users. A group is identified by a role and a description.auth_membership
links users and groups in a many-to-many structure.auth_permission
links groups and permissions. A permission is identified by a name and, optionally, a table and a record. For example, members of a certain group can have “update” permissions on a specific record of a specific table.auth_event
logs changes in the other tables and successful access via CRUD to objects controlled by the RBAC.auth_cas
is used for Central Authentication Service (CAS). Every web2py application is a CAS provider and can optionally be a CAS consumer.
The schema is reproduced graphically in the image below:
In principle, there is no restriction on the names of the roles and the names of the permissions; the developer can create them to fix the roles and permissions in the organization. Once they have been created, web2py provides an API to check if a user is logged in, if a user is a member of a given group, and/or if the user is a member of any group that has a given required permission.
web2py also provides decorators to restrict access to any function based on login, membership and permissions.
web2py also understands some specific permissions, i.e., those that have a name that correspond to the CRUD methods (create, read, update, delete) and can enforce them automatically without the need to use decorators.
In this chapter, we are going to discuss different parts of RBAC one by one.