Zend_Acl

Posted: Wed Sep 16, 2009 2:20 pm
by alex.barylski
I've been reading the docs for Zend_Auth mostly to determine whether a similar component in my own framework is warranted.

I'm not sure I see great value in offering an ACL object, other than providing the inheritance of roles/permissions/whatever.

If you are familiar with Zend_Acl or have implemented something similar yourself, what are some of the features I am missing out on?

Re: Zend_Acl

Posted: Wed Sep 16, 2009 3:59 pm
by Darhazer
ACL is (like) the architecture used in Windows...
You have an object (folder) and you have a user that has certain permissions
The interesting thing is that both folder and user can be inherited
This means that:
User C extends B extends A
have the same privileges to folder
Cf extends Bf extends Af
as the A on Af, unless they are changed for
* Bf or Cf
and/or for
* User B or User C

In other words, you have two tree structures and some cross points between them (and one cross point can define only part of the permissions, and the other to be inherited from somewhere else).

I needed to implement such an architecture, so I've looked at Zend_Acl, and then implemented my own.

Re: Zend_Acl

Posted: Thu Sep 17, 2009 1:36 am
by Christopher
PCSpectra wrote:I've been reading the docs for Zend_Auth mostly to determine whether a similar component in my own framework is warranted.
I think the question you need to ask is whether you need the extra layer of abstraction of resources and roles that an RBAC provides. Probably a group/permission based system is all you will ever need.

Re: Zend_Acl

Posted: Thu Sep 17, 2009 9:34 pm
by alex.barylski
I think the question you need to ask is whether you need the extra layer of abstraction of resources and roles that an RBAC provides. Probably a group/permission based system is all you will ever need.
That is actually what I've been asking...it just seems ACL is added to the framework for the sake of 'feeling' complete or I could be totally off.

I do like the idea of storing inherited roles as objects and persisting them in session or wherever, but why a framework needs to provide this functionality is what worried me. Seems relatively trivial to me to implement such a system in PHP.

Re: Zend_Acl

Posted: Fri Sep 18, 2009 3:39 pm
by Christopher
PCSpectra wrote:That is actually what I've been asking...it just seems ACL is added to the framework for the sake of 'feeling' complete or I could be totally off.
No ... there are cases where you need resources and roles.

Re: Zend_Acl

Posted: Fri Sep 18, 2009 7:57 pm
by alex.barylski
Would you care to clarify? Giving some examples?

Re: Zend_Acl

Posted: Tue Sep 22, 2009 3:57 pm
by josh
Seconded.. I read all the wikipedia pages related to the terms, as far as I can tell RBAC is to ACL as BDD is to TDD ( heh )

It says RBAC differs from ACL, and the examples Wikipedia gives are that RBAC has role graphs and semantic permissions, both of which I can implement with Zend's ACL, right?

Re: Zend_Acl

Posted: Tue Sep 22, 2009 5:58 pm
by Christopher
I think ACL and RBAC are different. An ACL just lists entities and their permissions. In an RBAC each Role has in essence an ACL attached to it. That is my understanding of the difference between the two -- the extra level of abstraction. You can have the same access controls with either system. I don't think there is a capabilities difference between the many various Access Control schemes. And if you are just a guy managing a system internally then just having an ACL might be simpler for you. But if, for example, you want your users to be able to assign Roles but hide the specific ACL associated with those Roles, then RBAC adds that abstraction.

Re: Zend_Acl

Posted: Tue Sep 22, 2009 8:27 pm
by josh
So Zend_Acl does not implement ACL, it implements RBAC? I read up from several sources on RBAC and it seems to describe exactly what I do with Zend_Acl

define resources
-resources can inherit from each other

define permissions on said resources

define roles
-roles can inherit from each other

give roles access to permissions on resources

If it did not have "roles" it would not be an ACL?

So why is RBAC not a subset of ACL? ( just trying to understand ). What would it be called if individual users could have permissions that supersede permissions granted by their role? Something different? Is there supposed to be a different meaning implied by "group" vs "role"? ( other than semantic meaning to the business user )

Re: Zend_Acl

Posted: Thu Sep 24, 2009 7:16 pm
by Christopher
josh wrote:If it did not have "roles" it would not be an ACL?
Yes. So an ACL to allow a user access to a file might be something like:

some_user / some_file / edit
some_user / some_file / delete

An RBAC to do the same thing might be:

some_role / some_file / edit
some_role / some_file / delete

some_user / some_role

I hope I got that right?!? ;)
josh wrote:So why is RBAC not a subset of ACL? ( just trying to understand ). What would it be called if individual users could have permissions that supersede permissions granted by their role? Something different? Is there supposed to be a different meaning implied by "group" vs "role"? ( other than semantic meaning to the business user )
I think you mean superset, and I don't think they are super/subsets because they solve the same problem in different ways. As I said above, you can do the same Access Control with either ACL or RBAC -- the difference is how it looks to manage the system. With RBAC you can manage users without having to know anything about permissions or resources.

Re: Zend_Acl

Posted: Thu Sep 24, 2009 9:15 pm
by josh
Ok, so a system where the user uses roles but also has the capability to see the permissions in an advanced editing mode, to set overrides or exceptions to the role, would be classified as a hybrid system containing a bit of both methods?

Re: Zend_Acl

Posted: Fri Sep 25, 2009 12:13 am
by Christopher
I think it depends more on how the data is stored/represented. And, I obviously left out the allow/deny part. So I am not sure what a hybrid would be. If it has the extra level of abstraction then it is RBAC I think. You could still create an admin interface that would let you set permissions directly through the levels of RBAC abstraction. But they would still be there.

Re: Zend_Acl

Posted: Fri Sep 25, 2009 1:20 am
by josh
arborint wrote:I think it depends more on how the data is stored/represented.
Got any examples of someone that implemented it right? With the roles and ability to set permissions on individual users as well ( with allow/deny )

Zend_Acl is mislabeled under these definitions then, would you agree?

One time I had to write a script that allowed a user to select where they want their ad to run, they could add entries in the form of

World - Deny
United States - Allow
Florida - Deny
West Palm Beach - Allow

and that would have the effect of showing their ad in just the US, but not in FL except for 1 city in FL ( W.P.B. ). What would be the technical term for this sort of system? Just a 'control list'? A rule engine? Is an ACL a rule engine? Something different? Are these terms from a patterns book or something that you know of?

I remember Fowler talking about something related one time, about an algorithm to speed it up. There are several systems within Magento that work like this too.. would be interesting to read what literature is out there, if you know of any; all these concepts seem related to me
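The two inheritance trees Darhazer describes, the per-user override josh asks about, and the nested World/US/Florida/West Palm Beach deny-allow list above all fall out of one resolution rule, shown here as a constructed Python sketch (added for this thread, not Zend_Acl's own code, and in Python rather than PHP for brevity): walk the resource tree from the queried resource outward and, at each resource, the role tree the same way; the first rule found wins, and no rule anywhere means deny. The `Acl` class, its method names and the sibling resources Texas and Canada are assumptions of this example.

```python
class Acl:
    def __init__(self):
        self.role_parents = {}      # role -> parent role (None = top level)
        self.resource_parents = {}  # resource -> parent resource
        self.rules = {}             # (role, resource, privilege) -> allowed?

    def add_role(self, role, parent=None):
        self.role_parents[role] = parent

    def add_resource(self, resource, parent=None):
        self.resource_parents[resource] = parent

    def allow(self, role, resource, privilege=None):
        self.rules[(role, resource, privilege)] = True   # None = all privileges

    def deny(self, role, resource, privilege=None):
        self.rules[(role, resource, privilege)] = False

    @staticmethod
    def _chain(node, parents):
        # The node, then its ancestors, then None (the "everything" wildcard).
        chain = []
        while node is not None:
            chain.append(node)
            node = parents[node]
        return chain + [None]

    def is_allowed(self, role, resource, privilege=None):
        # Resources most-specific-first, then roles the same way; first rule found
        # wins (specific privilege before all-privileges). No rule means deny.
        for res in self._chain(resource, self.resource_parents):
            for rol in self._chain(role, self.role_parents):
                for priv in (privilege, None):
                    if (rol, res, priv) in self.rules:
                        return self.rules[(rol, res, priv)]
        return False


def build_ad_targeting_acl():
    # The post's four rules, plus constructed siblings (Texas, Canada) to show fall-through.
    acl = Acl()
    acl.add_role("advertiser")
    for place, parent in [("World", None), ("United States", "World"),
                          ("Florida", "United States"), ("West Palm Beach", "Florida"),
                          ("Texas", "United States"), ("Canada", "World")]:
        acl.add_resource(place, parent)
    acl.deny("advertiser", "World")
    acl.allow("advertiser", "United States")
    acl.deny("advertiser", "Florida")
    acl.allow("advertiser", "West Palm Beach")
    return acl
```

A per-user override is just a role whose parent is the group role and which carries its own deny or allow, so Texas inherits the US allow while West Palm Beach escapes the Florida deny.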

Re: Zend_Acl

Posted: Fri Sep 25, 2009 3:47 pm
by Christopher
josh wrote:Got any examples of someone that implemented it right? With the roles and ability to set permissions on individual users as well ( with allow/deny )
No ... but I have been trying to get started building a simple one for a while. It is difficult to get the essence of it though with all the conflicting names/designs around.
josh wrote:Zend_Acl is mislabeled under these definitions then, would you agree?
I don't know, because that namespace has been pretty abused. I don't know if the terms have much meaning anymore other than just generally.
josh wrote:One time I had to write a script that allowed a user to select where they want their ad to run, they could add entries in the form of

World - Deny
United States - Allow
Florida - Deny
West Palm Beach - Allow

and that would have the effect of showing their ad in just the US, but not in FL except for 1 city in FL ( W.P.B. ). What would be the technical term for this sort of system? Just a 'control list'? A rule engine? Is an ACL a rule engine? Something different? Are these terms from a patterns book or something that you know of?
That sounds like an ACL. If you added a layer on top where you could give a name to a set of those controls/rules then that would be RBAC I think.
josh wrote:I remember Fowler talking about something related one time, about an algorithm to speed it up. There are several systems within Magento that work like this too.. would be interesting to read what literature is out there, if you know of any; all these concepts seem related to me
I will look around a little and see if there is an article or two that I think gets close to the mark on these topics.

I also wonder whether RBAC has not just become a buzzword that projects use to hype their security model, whether it is truly RBAC or not, because it is well known and sounds impressive.

http://en.wikipedia.org/wiki/Computer_security_model

Looking a little further, here is the national standard for RBAC:

http://csrc.nist.gov/rbac/sandhu-ferraiolo-kuhn-00.pdf

It specifies four levels of RBAC: Flat, Hierarchical, Constrained and Symmetrical, each with additional capabilities.

Re: Zend_Acl

Posted: Sat Sep 26, 2009 9:44 pm
by josh
arborint wrote:If you added a layer on top where you could give a name to a set of those controls/rules then that would be RBAC I think.
Yeah I guess, that's why to me it seems like they are not mutually exclusive... in fact in this system the user had check boxes similar to a "check all" button, for instance "check all of USA", "uncheck all USA", "check whole world"... so I guess that makes it technically RBAC even though the individual permissions got stored? Don't know... Yeah, seems like more of a buzzword to me. I mean I see the difference, but it seems like most of the differences were historical; most of the systems I have seen take a little bit of ideas from all over, like the ability to choose roles but also drill in and override those roles, so the admin could choose whether to edit permissions in ACL / RBAC "mode" I guess ( but kinda at the same time ).

Maybe after reading the articles I will understand better.. Thanks. From skimming, Zend_Acl could be Zend_Rbac because it technically implements "level 2", but I still disagree that they aren't mutually exclusive; like, even the language to describe it is "adds abstraction", and if you notice in their spec each RBAC level adds more abstraction as well, so I think they are all kind of one and the same. The different concepts seem to add more requirements as the "level" goes up, but the same underlying capabilities remain at each "level" of access control.. for instance level 4 is the same as level 3 except that level 4 supports "separation of duties" ( what I'm saying is to me conceptually RBAC is ACL + an extra feature, like to me RBAC is ACL, but not the other way around, and the same could be said about each level of RBAC, that RBAC 2 is RBAC 1 except that it adds role inheritance. ) For example a business user could use 1:1 relationships between roles and users and he would be "implementing" ACL ( or the system could allow overriding permissions on the individual user to avoid creating the pointless role when fine grained control is needed )