Add outline for Authorization Cheat Sheet #401
Conversation
Title and headers for the document should be concise and on point. No need to describe a whole point in a title.
Since, depending on context, the user probably should not be able to access all resources of type X, but only those they own or are otherwise privileged to perform operations on. That is, a simple role check may not be sufficient for all use cases; i.e. a user with role "customer" should not be able to access all "account" objects based on their role as a customer, but only their own account. Could perhaps be merged with the recommendation on Feature/Attribute Based Access Control above?
### Ensure Lookup IDs are Not Accessible Even When Guessed or Cannot Be Tampered With
ThunderSon (Contributor), Jun 1, 2020
Be sure to discuss that this might not be something that they would need. Sometimes users need to be able to find other users, or to have a certain pattern, e.g. forums, social apps, etc.
So it is important to mention in a small bit that, based on the threat model (banking app, accounts, admin profiles, locations, etc.), one should follow stringent controls, from obfuscating the ID to implementing strong controls on them.
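The two comments above (object-level checks beyond the role, and lookup IDs that are unguessable but still not the control) come down to one pattern. As an added example that is not part of this PR or the cheat sheet, here is a role-only lookup beside an object-level check; `User`, `Account`, `Forbidden` and `demo` are hypothetical names, and the sample users and account are constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset
@dataclass
class Account:
    owner_id: str
    # Opaque, unguessable lookup ID: defence in depth, not the access control itself.
    account_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))
class Forbidden(Exception):
    pass

def get_account_role_only(store, user, account_id):
    """Vulnerable: checks the role only, not the user's relation to the object,
    so any 'customer' can read any account whose ID they learn or guess."""
    if "customer" not in user.roles:
        raise Forbidden("denied")
    return store[account_id]

def get_account(store, user, account_id):
    """Hardened: role check plus object-level ownership check."""
    account = store.get(account_id)
    # Unknown and forbidden IDs raise the same error, so responses do not reveal which IDs exist.
    if account is None:
        raise Forbidden("denied")
    if "admin" in user.roles:          # admins are privileged for every account
        return account
    if "customer" in user.roles and account.owner_id == user.user_id:
        return account                  # customers only reach what they own
    raise Forbidden("denied")
def demo():
    # Constructed sample users and a single account owned by bob.
    alice = User("alice", frozenset({"customer"}))
    bob = User("bob", frozenset({"customer"}))
    admin = User("ops", frozenset({"admin"}))
    bobs = Account(owner_id="bob")
    store = {bobs.account_id: bobs}
    results = {"role_only_leaks": get_account_role_only(store, alice, bobs.account_id) is bobs,
               "owner_ok": get_account(store, bob, bobs.account_id) is bobs,
               "admin_ok": get_account(store, admin, bobs.account_id) is bobs}
    try:
        get_account(store, alice, bobs.account_id)
        results["hardened_blocks_alice"] = False
    except Forbidden:
        results["hardened_blocks_alice"] = True
    return results
```

Random IDs make guessing impractical, but the demo shows that the role-only handler still leaks another customer's account to anyone who obtains the ID, which is why the ownership check is the actual control.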
This looks like a good outline, and certainly an improvement on the legacy CS. A few thoughts on stuff to add:

## Introduction
Focus on definition and distinguishing it from authentication. Perhaps explore types of privilege escalation (horizontal and vertical). Not sure if we should briefly explore the different access control models (RBAC, MAC, DAC, etc.) or just leave it out?
rbsec (Contributor), Jun 1, 2020
I think that introducing MAC is just adding complication - it's not relevant to 99% of developers.
ThunderSon (Contributor), Jun 1, 2020
I am definitely against describing them. Maybe mention Access Controls in the references section, since in no way is this going to make it "intriguing" and actionable if we mention non-relevant stuff to the CS.
* Removed excess headings and added 3 new ones.
* Renamed/shortened headers.
* Adjusted some comments/paragraphs in accordance with feedback.

Thanks much for all the excellent feedback. I believe I have incorporated the feedback with the exception of single-tenant vs multi-tenant applications considerations. Is this something we want to create a dedicated subsection for or discuss where applicable in other sections?

LGTM

Looks good to me!
This PR covers issue #394