Role != Permission

We use Kasai for security on some applications at work now. I was responsible for the choice of Kasai and I recognize that it has some serious problems, in fact, I have a kind of love/hate relationship with it because of the way it is written and maintained. However, before I do an entry complaining about it, let me talk about why I love it and why most people don’t seem to understand some aspects of security.
Let me say it simply. Roles are not equal to permissions. Way too many systems (like Tomcat's container-managed security, which maps URL patterns straight to role names in web.xml) and way too many people I've worked with treat roles as though they were a valid form of permission control rather than a way to simplify permission grouping. Kasai does this correctly. It treats permissions as the low-level access controls that they should be. Everything you want to control access to, down to the individual page or function call if you like, can be a separate permission. Because that many permissions quickly become unwieldy, it also provides permission groups and roles to bundle permissions at higher and higher levels of abstraction, and the application only ever asks "does this user hold this permission?"
Let's take a real-world analogy. Say you run a business with a lot of cabinets whose access you need to control. If you did things the way most people do, you'd try to get by with as few keys as possible: one key opens the first five cabinets, the blue one is only for special cabinet 'A', and so on. Then, if you suddenly have to shuffle the contents of the cabinets around, or add somebody new who should open only a subset of cabinets for which no existing key combination exists, you are in a world of hurt, because you may end up changing the locks on every cabinet and cutting a whole new set of keys.
That's what most people do when it comes to using roles for security. They try to boil security down to a couple of keys which open a lot of locks. They create Admin, Editor, and User roles and "hope" that it will all work out. Then they code up their application (web or otherwise) to check for those role names and, in effect, hard-code the security policy into the application, so every policy change becomes a code change and a redeploy. When somebody comes along who needs to cross over a couple of roles (e.g. James is a regular user in most respects, but we trust him to review newly added forum posts and filter out the junk, so he's like an editor in just that one respect), you end up creating a brand-new role for that one flavor of user and modifying every affected page. Carried far enough, for enough users, roles become finer and finer grained until they approach being individual permissions again. Except now you won't have any roles or other higher-level abstraction to group those permissions for the majority of users who aren't exceptions and fall nicely into the easy partitions you wanted in the first place. Every user will need 20 different "roles" just to function.
What you would ideally do is put a different lock on each cabinet and have a different key for each lock. Then, even if you rearrange the contents of the cabinets, you can just collect all the keys and hand them back out in the new combinations, and your security is restored. The cabinets themselves never had to be modified; the only problem, at least in real life, is the proliferation of keys to keep track of. In the computer world we can use abstractions like roles and groups to gather together the most common arrangements of "keys" (permissions) that we hand to the majority of users, while an exception like James simply gets his ordinary bundle plus one extra key.
Get yourself a real security system which has at least permissions and groups. Use permissions in a fine-grained way to control access to individual functions, and make the check at the point of enforcement a permission check, never a role-name check. Use the higher-level abstraction(s) to group the fine-grained permissions into easy-to-apply units, because most of your users will fall into easy-to-label categories, and treat a permission the user does not hold as a denial. If you don't do this right, though, it's the exceptions which will eat your lunch.
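The model described above, written out as a small runnable example. This is an added illustration and not Kasai's API or any code from this post; the permission names, role names and users (bob, alice, james, carol) are made up for the demonstration. It shows the two points the post makes: roles are nothing more than named bundles of permissions (which may include other bundles), and the exception case (James) is handled by one extra direct grant rather than a new role, which a role-name check at the enforcement point cannot express.

```python
"""Permissions are the atoms; roles only group them. Added example, not Kasai."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# One permission per protected function. Constructed names for illustration.
PERMISSIONS: FrozenSet[str] = frozenset({
    "forum.post.create",
    "forum.post.review",   # approve or reject newly added posts
    "forum.post.delete",
    "forum.user.ban",
})


@dataclass
class RoleStore:
    """Roles are named sets of permissions; a role may include other roles."""
    perms: Dict[str, Set[str]] = field(default_factory=dict)
    includes: Dict[str, Set[str]] = field(default_factory=dict)

    def define(self, role: str, *perms: str, includes: tuple = ()) -> None:
        unknown = set(perms) - PERMISSIONS
        if unknown:  # a misspelled permission is a policy bug, not a silent grant
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.perms[role] = set(perms)
        self.includes[role] = set(includes)

    def expand(self, role: str) -> FrozenSet[str]:
        """All permissions carried by a role and the roles it includes.
        Cycle-safe: a role that (transitively) includes itself terminates."""
        seen: Set[str] = set()
        out: Set[str] = set()
        stack = [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            out |= self.perms.get(r, set())
            stack.extend(self.includes.get(r, ()))
        return frozenset(out)


@dataclass
class Principal:
    name: str
    roles: Set[str] = field(default_factory=set)
    grants: Set[str] = field(default_factory=set)  # the "one extra key" for exceptions


def effective_permissions(store: RoleStore, p: Principal) -> FrozenSet[str]:
    """Union of direct grants and every permission reachable through roles."""
    out = set(p.grants)
    for role in p.roles:
        out |= store.expand(role)
    return frozenset(out)


def is_permitted(store: RoleStore, p: Principal, perm: str) -> bool:
    """The only check application code should make. Deny by default."""
    if perm not in PERMISSIONS:
        raise ValueError(f"unknown permission at check site: {perm!r}")
    return perm in effective_permissions(store, p)


def can_review_by_role(p: Principal) -> bool:
    """The anti-pattern: the check site hard-codes a role name."""
    return "editor" in p.roles


def can_review_by_permission(store: RoleStore, p: Principal) -> bool:
    """The right check: ask for the permission, not the bundle it usually lives in."""
    return is_permitted(store, p, "forum.post.review")


def build_demo() -> tuple:
    """Constructed policy: three roles that nest, plus one exception user."""
    store = RoleStore()
    store.define("user", "forum.post.create")
    store.define("editor", "forum.post.review", "forum.post.delete", includes=("user",))
    store.define("admin", "forum.user.ban", includes=("editor",))
    users = {
        "bob": Principal("bob", roles={"user"}),
        "alice": Principal("alice", roles={"editor"}),
        "carol": Principal("carol", roles={"admin"}),
        # James: ordinary user plus one direct grant, no new role needed.
        "james": Principal("james", roles={"user"}, grants={"forum.post.review"}),
    }
    return store, users


if __name__ == "__main__":
    store, users = build_demo()
    for name, p in users.items():
        print(name, sorted(effective_permissions(store, p)),
              "review-by-role:", can_review_by_role(p),
              "review-by-permission:", can_review_by_permission(store, p))
```

Note how `can_review_by_role` says James may not review while `can_review_by_permission` says he may: the role check can only be made right by inventing a new role and touching every check site, whereas the permission check is correct without any change to application code. Reshuffling which permissions belong to which role (the cabinet rearrangement) likewise touches only `RoleStore.define` calls.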
