A project I’m working on requires a more complex auth system, and I’m hitting a wall. I was hoping some of you with RBAC experience could advise me how to debug a problem I’m having or make suggestions about how I could improve my model.
I have four questions :
I’ve developed a custom function ( WebUser::checkConditionalAccess() ) to validate a bizrule, which I’ve verified is validating positive, but the RBAC system (calling that bizrule) is validating negative. I can’t figure out where / how to begin debugging this.
I noticed that the RBAC system was trying to validate irrelevant Tasks, which aren’t substantiated by Tasks I’ve included in my Role definitions. Sometimes it does a recursive validation, and sometimes that recursive validation doesn’t include the tasks I’ve defined. I’m not sure how it decides which one it’s going to use to validate, if it’s a bug, or if I’m doing something wrong.
I’ve defined my bizrules at the Task level, and wonder if it might be better to move them to the Role level. Is this even possible? I’d love eliminate redundancy at the Task level.
If I set the bizRule to “return 1” at the Role level, I’m getting an error. In some cases, this is happening at the Task level. What’s maddening is that I can’t figure out where to debug this. I’ve tried going into the framework with no success. Any ideas…
See below for supporting info and code samples…
The RBAC system
Here’s how I’ve implemented this in the RBAC system:
I’ve defined a slew of operations, such as:
$operations = array( 'viewApplication' => 'view barebones aspects of an application', 'viewApplicationEssays' => 'view sensitive personal aspects of an application', 'viewApplicationMedical' => 'view sensitive medical aspects of an application', 'viewApplicationFA' => 'view whether applying for financial assistance', 'viewApplicationFADetails' => 'view sensitive details of financial assistance application', ... );
[/i]I’ve organized the operations into tasks based on the sphere (global, regional, etc.), and defined a bizrule to validate that the person is in the right sphere to access the info. For example, here’s a snippet:
$tasks = array ( 'viewApplicationAdmin_location' => array( 'bizRule' => 'return Yii::app()->user->checkConditionalAccess("viewApplicationAdmin","location",$params);', 'description' => 'Restricted to Location: view admin aspects of application', 'children' => array( 'viewApplication', 'viewProgram', 'viewApplicationBenefits', 'viewApplicationFA', ), ), 'viewApplicationAdmin_region' => array( 'bizRule' => 'return Yii::app()->user->checkConditionalAccess("viewApplicationAdmin","region",$params);', 'description' => 'Restricted to Region: view admin aspects of application', 'children' => array( 'viewApplication', 'viewProgram', 'viewApplicationBenefits', 'viewApplicationFA', ), ), 'viewApplicationAdmin_program' => array( 'bizRule' => 'return Yii::app()->user->checkConditionalAccess("viewApplicationAdmin","program",$params);', 'description' => 'Restricted to Program: view admin aspects of application', 'children' => array( 'viewApplication', 'viewProgram', ), ), .... );
The bizrule (see Question 1 above) does a verification through a custom function ( WebUser::checkConditionalAccess() ), which determines whether the user is a member of the correct sphere (Region, Location, etc.) that owns the Program. It sends the current model via $params, for the WebUser::checkConditionalAccess() function to use.
Finally, Roles determined whether the person’s role (in the validated sphere) should have access to sensitive data:
$roles = array ( 'ope_region' => array( 'description'=>'a member of a regional OPE group', 'children' => array( 'applicant', 'viewAdmin', 'viewApplicationAdmin_region', 'viewApplicationEssays_region', 'viewApplicationMedical_region', 'viewApplicationFinancial_region', ... ), ), ... );
As for Question 2 (above), notice how all the roles defined here end in "_region". What I found debugging is that the RBAC system was searching for roles ending in "_location". Perhaps the solution is my 3rd question — which is to define the bizrule at the role level?
Then from the view I make calls like this to verify authorization:
Quick system overview
My system manages the application process for programs held at locations around the world. Applications contain sensitive data, which need to be provided on a need-to-know basis. It provides authorizations for 4 levels of users, working in different spheres:
[list=1]GlobalRegional (contained by global)Locational (contained within regions)Program (which happen at a location)[/list]Each sphere has varying sets of access restrictions to sensitive data. So the idea is that a finance officer working at Location A can view the financial information for any application at Location A ( but not at Location B ) and non-finance officers at Location A can’t see the sensitive financial info.
Please let me know if more code would help. And thanks for any help in advance.