Replies: 1 comment
-
I am on a similar quest, and so far all I have come up with are Global Query Filters. If you override OnModelCreating in your DbContext class, you can create global filters like this:
Then either add a public method that lets you SetTenant(int tenantId) or inject some service that is responsible for handling that data, and now every time an OData query is executed for the MyEntity type (even for expansions via Navigation Properties) this underlying filter will always be applied. This example for a multi-tenant app is pretty simple (especially if every entity has a TenantId column/property) - but for something more complex like CasBin or XACML, you'd have to try and find a way to translate the policies into expressions. Or expand the policies into "entitlements" - like "for entity X what entities is this user entitled to view?" - and then to an IN operation at the DB level. Or if the list of entitlements is the same as the list of all entities, then short-circuit to a no-op filter (1=1, etc.).
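A sketch of the pattern the comment describes (an EF Core global query filter composed under an ASP.NET Core OData controller), added here as an example rather than code from the thread; the MyEntity type, the IAccessContext service and the controller are assumptions, and the entitlement list is assumed to have been produced already by whatever policy engine (XACML, Casbin) the app uses:

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.OData.Query;
using Microsoft.AspNetCore.OData.Routing.Controllers;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity; assumes every table carries a TenantId column, as in the comment.
public class MyEntity
{
    public int Id { get; set; }
    public int TenantId { get; set; }
    public string Name { get; set; } = "";
}

// Assumed request-scoped service: the policy decision point has already been
// consulted and its decision expanded into entitlements for this caller.
public interface IAccessContext
{
    int TenantId { get; }
    bool HasFullAccess { get; }                          // entitled to every row -> no-op filter
    IReadOnlyCollection<int> EntitledEntityIds { get; }  // otherwise, the allowed Ids
}

public class AppDbContext : DbContext
{
    private readonly IAccessContext _access;
    public AppDbContext(DbContextOptions<AppDbContext> options, IAccessContext access)
        : base(options) => _access = access;
    public DbSet<MyEntity> MyEntities => Set<MyEntity>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // Members of the injected service are captured as query parameters, so the
        // filter is evaluated per request, not frozen when the model is first built.
        modelBuilder.Entity<MyEntity>().HasQueryFilter(e =>
            e.TenantId == _access.TenantId
            && (_access.HasFullAccess                         // short-circuit: effectively 1=1
                || _access.EntitledEntityIds.Contains(e.Id))); // translates to SQL IN (...)
    }
}

// EnableQuery composes the client's $filter/$expand/$orderby on top of this
// IQueryable, so the global filter is applied to the same SQL statement.
public class MyEntitiesController : ODataController
{
    private readonly AppDbContext _db;
    public MyEntitiesController(AppDbContext db) => _db = db;

    [EnableQuery]
    public IQueryable<MyEntity> Get() => _db.MyEntities;
}
```

The filter is bypassed by any query that calls IgnoreQueryFilters() and is not applied to raw SQL you execute yourself, so those code paths need their own authorisation check.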
-
Hello,
I was wondering if anyone had any experience on integrating the XACML reference architecture with OData controllers?
I can imagine for individual records returned from OData that authorising access would be trivial, but has anyone had any luck in translating XACML policy into a filter that could be applied to the generated SQL in conjunction with the SQL that the query options ultimately generate? I am thinking for when multiple records are requested through $filter that an additional filter can filter out non-authorised results at the SQL layer.
In the same area, can OData return metadata about an object that can be used by the consuming application (that can drive the GUI state for that specific record)? Making a Richardson Level 3 maturity model? My goal would be that XACML policy could be used to generate this metadata, so that the GUI could have appropriate controls enabled / disabled / visible etc. based on this metadata. I am referring to a concept explained here: https://martinfowler.com/articles/richardsonMaturityModel.html
Cheers,