Skip to content

santos-j/labac

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Label Based Access Control (LaBAC)

What is LaBAC?

LaBAC is a simplified type of Attribute Based Access Control (ABAC). Where in ABAC there can be many attributes, in LaBAC there is only one attribute associated with object (named object-label) and one attribute associated with User (called user-label). As this access Control is based on label, I call it Label Based Access Control or LaBAC.

Label Hierarchy:

User-Label Hierarchy: As mention, we attach label on user and object. Label value can have hierarchy. For example, lets assume for a user, user-label is his position (you can say role as used RBAC) in the organization. So, possible uesr-label values are : {manager, employee, stuff}. As you can guess, a user labeled with 'employee' has all the acccess of a user labeled with 'stuff' and a user labeled with 'manager' has all the access for a user labeled with 'employee'. This explains user hierarchy. In this context label 'manager' dominates label 'employee' and 'employee' dominates 'stuff'

Object-label Hierarchy: Similarly to the user-label, objects can have label (otherwise said attribute) attached to it. For example, object label can be 'secret', 'confidential' and 'public'. Lets assume both 'secret' & 'condifential' dominate 'public'. What it means anyone who can access object labeled with 'secret' can also access object labeled with 'public'. Also, anyone who can access object labeled with 'confidential' can also access object labeled with 'public'

Policy: A policy say user with which label can access object with which label. One example, ('employee', read, 'confidential') means that users with label employee can read object with label confidential. Using object-label hierarchy reading object labeled with 'confidential' means also reading object labeled with 'public'.

Similarly, using user-label hierarchy, as 'manager' dominates 'employee', 'manager' should also be able to read object labeled with 'confidential' and 'public'

How to use this package?

In order to use labac, we need a configuration object, that capture user-label hierarchy, object-label hierarchy and policy. This configuration object is then Feed into the 'LBAC' object.

using previous example,

our user_labels are = ['manager', 'employee', 'stuff'] , manager dominate employee, employee dominate stuff. this user label hierarchy is captured as following list :

conf = Configuration()

user_hierarchy = [ ("manager",["employee"], ("employee",["stuff"]) ]

object_hierarchy = [ ("secret", ["public"]), ("confidential",["public"]) ]

conf.object_label_hierarchy = user_hierarchy

conf.user_label_hierarchy = object_hierarchy

conf.add_policy("read",[ ("confidential","employee" ) ] )

To see working script, check the test_simple_case() inside test.py

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 100.0%