Role-based Access Control (RBAC)

This topic is closed.
  • Lewis Perin

    Role-based Access Control (RBAC)

    Is anyone aware of robust software, suited to a preexisting PHP
    application, that handles permissions for various types of requests by
    role rather than user ID? I'm speaking of maintaining/editing the
    permissions and deciding on the requests, but either "half" of the
    solution might be useful.

    Sorry, but adopting a whole application framework is out of the question.

    /Lew
    ---
    Lew Perin / perin@acm.org

  • Lewis Perin

    #2
    Re: Role-based Access Control (RBAC)

    Michael Vilain <vilain@spamcop.net> writes:
    > In article <pc7wt5ffv72.fsf@panix1.panix.com>,
    > Lewis Perin <perin@panix.com> wrote:
    > >
    > > Is anyone aware of robust software, suited to a preexisting PHP
    > > application, that handles permissions for various types of requests by
    > > role rather than user ID? I'm speaking of maintaining/editing the
    > > permissions and deciding on the requests, but either "half" of the
    > > solution might be useful.
    > >
    > > Sorry, but adopting a whole application framework is out of the question.
    >
    > If you're running php scripts in the command line rather than on a
    > web-server, you might benefit from running from within RBAC (on Solaris,
    > no?) or sudo (close enough to have 7 alleles in common).
    >
    > But if you're running from the web, your process runs under the web
    > server's UID. I fail to see how RBAC might help in that situation.

    I didn't mean RBAC, the Solaris concept of fine-grained superuser
    privileges; I meant RBAC, the more general concept of role-based
    access control, in this case applied to the user roles, operations,
    and resources within a Web-based PHP application.

    > What are you attempting to achieve here rather than asking about a
    > specific solution?

    To control different types of users' (that is, users of the application
    - nothing in particular to do with users known to the OS) access to
    different operations on different subsets of the data under the
    application's jurisdiction.

    (By being this abstract, I'm not trying to be mysterious; I'm just
    trying to state the problem clearly.)

    /Lew
    ---
    Lew Perin / perin@acm.org
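
The application-level RBAC described in post #2 (user roles, operations, and resources inside the PHP application, independent of OS users) can be expressed as a default-deny decision check. This is an added example, not part of the thread and not code from any package named in it; the class, role, operation and resource names are hypothetical, and it assumes PHP 8.

```php
<?php
declare(strict_types=1);
// Added illustration; every role, operation and resource name is hypothetical.
final class RoleAccess
{
    /** @var array<string, array<string, string[]>> role => operation => patterns */
    private array $grants = [];
    /** @var array<string, string[]> application user id => roles */
    private array $userRoles = [];

    public function grant(string $role, string $operation, string $pattern): void
    {
        $this->grants[$role][$operation][] = $pattern;
    }

    public function assign(string $userId, string $role): void
    {
        $this->userRoles[$userId][] = $role;
    }

    // Default deny: an unknown user, role or operation never matches a grant.
    public function isAllowed(string $userId, string $operation, string $resource): bool
    {
        foreach ($this->userRoles[$userId] ?? [] as $role) {
            foreach ($this->grants[$role][$operation] ?? [] as $pattern) {
                if (self::matches($pattern, $resource)) {
                    return true;
                }
            }
        }
        return false;
    }

    // A pattern is an exact resource name, or a data subset written as "prefix/*".
    private static function matches(string $pattern, string $resource): bool
    {
        return str_ends_with($pattern, '/*')
            ? str_starts_with($resource, substr($pattern, 0, -1))
            : $pattern === $resource;
    }
}

$rbac = new RoleAccess();
$rbac->grant('editor', 'update', 'articles/*');
$rbac->grant('auditor', 'read', 'reports/2006');
$rbac->assign('alice', 'editor');   // constructed sample users
$rbac->assign('bob', 'auditor');
var_dump($rbac->isAllowed('alice', 'update', 'articles/42'));
var_dump($rbac->isAllowed('bob', 'update', 'articles/42'));
var_dump($rbac->isAllowed('mallory', 'read', 'reports/2006'));
```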


    • hmm@eh.com

      #3
      Re: Role-based Access Control (RBAC)

      In article <vilain-B598FC.14584728112006@comcast.dca.giganews.com>,
      vilain@spamcop.net says...

      > To control different types of users' (that is, users of the application
      > - nothing in particular to do with users known to the OS) access to
      > different operations on different subsets of the data under the
      > application's jurisdiction.

      group privileges?


      • rrymon@gmail.com

        #4
        Re: Role-based Access Control (RBAC)


        If you can somehow export the privileges (and roles, if existing)
        structure to a text file, you can use Eurekify's software to analyze
        it, engineer/re-engineer the roles, cleanup, check for compliance, etc.
        Take a look at http://www.eurekify.com

        hmm@eh.com wrote:
        > In article <vilain-B598FC.14584728112006@comcast.dca.giganews.com>,
        > vilain@spamcop.net says...
        > >
        > > To control different types of users' (that is, users of the application
        > > - nothing in particular to do with users known to the OS) access to
        > > different operations on different subsets of the data under the
        > > application's jurisdiction.
        >
        > group privileges?


        • Lewis Perin

          #5
          Re: Role-based Access Control (RBAC)

          hmm@eh.com writes:
          > In article <vilain-B598FC.14584728112006@comcast.dca.giganews.com>,
          > vilain@spamcop.net says...
          > >
          > > To control different types of users' (that is, users of the application
          > > - nothing in particular to do with users known to the OS) access to
          > > different operations on different subsets of the data under the
          > > application's jurisdiction.

          Actually, that was me.

          > group privileges?

          You might call it that, but please see above.

          /Lew
          ---
          Lew Perin / perin@acm.org


          • Lewis Perin

            #6
            Re: Role-based Access Control (RBAC)

            Lewis Perin <perin@panix.com> writes:
            > Is anyone aware of robust software, suited to a preexisting PHP
            > application, that handles permissions for various types of requests by
            > role rather than user ID? I'm speaking of maintaining/editing the
            > permissions and deciding on the requests, but either "half" of the
            > solution might be useful.
            >
            > Sorry, but adopting a whole application framework is out of the question.

            Cringing about following up my own post, I wonder if anyone out there
            can talk from experience about using LiveUser?

            /Lew
            ---
            Lew Perin / perin@acm.org
