# Authz

## Access Control Models

Access controls provide a means of restricting access to objects based on the
identity of subjects and/or the groups to which they belong.

* Role-Based Access Control ([RBAC](./RBAC.md))
* Relationship-Based Access Control ([ReBAC](./ReBAC.md))
* Attribute-Based Access Control ([ABAC](./ABAC.md))

## Policy

* [What is a policy?](./POLICY.md)
* Policy Language Evaluation
  * Zanzibar
  * [Dafny](https://dafny.org/)
  * Cedar
  * Casbin

Criteria for evaluating policy languages:

* Must be able to model the different types of access control models (RBAC, ReBAC, ABAC)
* Must be able to perform static analysis
* Must be actively supported
* Must have concise documentation
* Must provide the ability to extend the language using Ruby/Golang for describing complex policies
* Must have a license compatible with the way we intend to use it

Ideally, we must be able to model the following relationships:

| relationship type | required |
| ----------------- | -------- |
| `user-to-resource` | required |
| `resource-to-resource` | required |
| `user-to-user` | not required |

Note: `user-to-user` relationships are not in the current access control model.
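Added example, not code from this page or from any of the engines listed above: a minimal Go relation-tuple store in the Zanzibar style showing how the two required relationship types, `user-to-resource` and `resource-to-resource`, can be expressed as tuples and checked with a single graph walk. The `Store`, `Check` and `ExampleStore` names and the sample tuples are constructed for illustration; a real engine would persist tuples in a database and express inheritance with rewrite rules rather than explicit tuples.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is a Zanzibar-style relation tuple, read as object#relation@subject.
// The subject is either a user ("user:alice"), giving a user-to-resource edge,
// or another object's relation ("folder:eng#viewer"), giving a
// resource-to-resource edge whose members are inherited.
type Tuple struct {
	Object   string // e.g. "folder:eng"
	Relation string // e.g. "viewer"
	Subject  string // e.g. "user:alice" or "folder:eng#viewer"
}

// Store is an in-memory tuple set (constructed for this example).
type Store struct{ tuples []Tuple }

// Write records one relationship.
func (s *Store) Write(object, relation, subject string) {
	s.tuples = append(s.tuples, Tuple{object, relation, subject})
}

// Check answers "does subject hold relation on object?" by following direct
// grants and inherited subject sets. Visited object#relation pairs are tracked
// so that a cycle in the relationship data terminates instead of recursing forever.
func (s *Store) Check(object, relation, subject string) bool {
	return s.check(object, relation, subject, map[string]bool{})
}

func (s *Store) check(object, relation, subject string, visited map[string]bool) bool {
	key := object + "#" + relation
	if visited[key] {
		return false
	}
	visited[key] = true
	for _, t := range s.tuples {
		if t.Object != object || t.Relation != relation {
			continue
		}
		if t.Subject == subject {
			return true // direct user-to-resource grant
		}
		// Subject set "obj#rel": membership is inherited from another
		// object's relation (resource-to-resource).
		if i := strings.Index(t.Subject, "#"); i >= 0 {
			if s.check(t.Subject[:i], t.Subject[i+1:], subject, visited) {
				return true
			}
		}
	}
	return false
}

// ExampleStore builds constructed sample data: alice can view the eng folder,
// documents in that folder inherit its viewers, and editors of a document are
// also its viewers. bob is an editor of the design document only.
func ExampleStore() *Store {
	s := &Store{}
	s.Write("folder:eng", "viewer", "user:alice")                 // user-to-resource
	s.Write("doc:design", "viewer", "folder:eng#viewer")          // resource-to-resource
	s.Write("doc:design", "viewer", "doc:design#editor")          // relation hierarchy on one resource
	s.Write("doc:design", "editor", "user:bob")                   // user-to-resource
	return s
}

// CyclicStore builds relationship data with a cycle, to show Check terminates.
func CyclicStore() *Store {
	s := &Store{}
	s.Write("a:1", "viewer", "b:1#viewer")
	s.Write("b:1", "viewer", "a:1#viewer")
	return s
}

func main() {
	s := ExampleStore()
	fmt.Println("alice views doc:design:", s.Check("doc:design", "viewer", "user:alice"))
	fmt.Println("bob views doc:design:  ", s.Check("doc:design", "viewer", "user:bob"))
	fmt.Println("alice edits doc:design:", s.Check("doc:design", "editor", "user:alice"))
	fmt.Println("cycle terminates:      ", CyclicStore().Check("a:1", "viewer", "user:carol"))
}
```

The check is deliberately data-driven: every inheritance edge is an explicit tuple, which is what makes the model amenable to the static analysis the criteria above ask for, since the full relationship graph is enumerable.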