Reading: Access Control (ACL)
Review, Research, and Discussion
- When is Basic Authorization used vs. Bearer Authorization?
- Basic Authorization
- The use case for this are integration with reporting tools like PowerBI and Tableau.
- Bearer Authorization
- It is the recommended Authentication methods whenever possible. It is ideal when scripting, when developing external app or when doing integration with external tools.
-
For further information clicks =>here
- Basic Authorization
- What does the JSON Web Token package do?
- Usend information that can be verified and trusted by means of a digital signature. It comprises a compact and URL-safe JSON object, which is cryptographically signed to verify its authenticity, and which can also be encrypted if the payload contains sensitive information.
-
For further information clicks =>here
- What considerations should we make when creating and storing a SECRET?
- Never store unencrypted secrets in .git repositories
- Avoid git add * commands on git
- Add sensitive files in .gitignore
- Don’t rely on code reviews to discover secrets
- Use automated secrets scanning on repositories
- Don’t share your secrets unencrypted in messaging systems like slack
- Store secrets safely
- Use encryption to store secrets within .git repositories
- Use environment variables
- Use “Secrets as a service” solutions
- Restrict API access and permissions
- Default to minimal permission scope for APIs
- Whitelist IP addresses where appropriate
- Use short-lived secrets
-
For further information clicks =>here
- Never store unencrypted secrets in .git repositories
Vocabulary
- encryption
- is the method by which information is converted into secret code that hides the information’s true meaning. The science of encrypting and decrypting information is called cryptography.
-
For further information clicks =>here
- token
- is a piece of a two-factor authentication security device that may be used to authorize the use of computer services.
-
For further information clicks =>here
- bearer
- s an opaque string, not intended to have any meaning to clients using it. Some servers will issue tokens that are a short string of hexadecimal characters, while others may use structured tokens such as JSON Web Tokens.
-
For further information clicks =>here
- secret
- is private to you which means you will never reveal that to the public or inject inside the JWT token
-
For further information clicks =>here
- JSON Web Token
- is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
-
For further information clicks =>here
Preparation
- RBAC
- What is RBAC?
- Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC such as role-permissions, user-role and role-role relationships make it simple to perform user assignments. A study by NIST has demonstrated that RBAC addresses many needs of commercial and government organizations.[5] RBAC can be used to facilitate administration of security in large organizations with hundreds of users and thousands of permissions. Although RBAC is different from MAC and DAC access control frameworks, it can enforce these policies without any complication.
- Benefits of RBAC??
- the assignment of access rights becomes systematic and repeatable.
- it is much easier to audit user rights, and to correct any issues identified.
- it can in reality be easy to implement, and will make the ongoing management of access rights much easier and more secure.
- RBAC implementation
- Inventory your systems
- Figure out what resources you have for which you need to control access, if you don’t already have them listed. Examples would include an email system, customer database, contact management system, major folders on a file server, etc.
- Analyze your workforce and create roles
- You need to group your workforce members into roles with common access needs. Avoid the temptation to have too many roles defined. Keep them as simple and stratified as possible.
- Assign people to roles
- Now that you have a list of roles and their access rights, figure out which role(s) each employee belongs in, and set their access accordingly.
- Never make one-off changes
- Resist any temptation to make a one-off change for an employee with unusual needs. If you begin doing this, your RBAC system will quickly begin to unravel. Change the roles as required or add new ones when really necessary.
- Audit
- Periodically review your roles, the employees assigned to them, and the access permitted for each. If you discover, for example, that a role has unnecessary access to a particular system, change the role and adjust the access level for all employees in that role.
- Inventory your systems
-
For further information clicks =>here
- What is RBAC?
| Read | Title | ToGo |
|---|---|---|
| Read: 01 | Pre-Work - Code 401: Advanced Javascript Development |  |
| Read: 02 | Readings: Express | |
| Read: 03 | Readings: Express REST API | |
| Read: 04 | Readings: Data Modeling | |
| Read: 06 | Readings: Authentication | |
| Read: 07 | Reading: Bearer Authorization | |
| Read: 08 | Reading: Access Control (ACL) | |
| Read: 09 | Reading: OAuth 2 | |
| Read: 11 | Readings: Event Driven Applications | |
| Read: 12 | Readings: Socket.io | |
| Read: 13 | Readings: Message Queues | |
| Read: 14 | Readings: Event Driven Architecture | |
| Read: 16 | Readings: AWS: Cloud Servers | |
| Read: 17 | Readings: AWS: S3 and Lambda | |
| Read: 18 | Readings: AWS: API, Dynamo and Lambda | |
| Read: 18 | Readings: AWS: Events | |
| Read: 26 | Reading: Component Based UI | |
| Read: 27 | Reading: Props and State | |
| Read: 28 | Readings: Component Composition | |
| Read: 29 | Readings: Routing | |
| Read: 31 | Reading: Hooks API | |
| Read: 32 | Reading: Custom Hooks | |
| Read: 33 | Reading: Context API | |
| Read: 34 | Reading: <Login /> and <Auth /> |
|
| Read: 36 | Reading: Application State with Redux | |
| Read: 37 | Readings: Redux - Combined Reducers | |
| Read: 38 | Readings: Redux - Asynchronous Actions | |
| Read: 39 | Readings: Redux - Additional Topics | |