Scribd
Upload
688 views29 pages

Authentication and Authorization in PHP: Role-Based Access Control

This document discusses role-based access control (RBAC) and how to implement it in PHP. It defines RBAC as a method of granting access based on a user's role and responsibilities. The key aspects are that it works at the role level rather than individual permissions, and does not have the concept of protected resources like access control lists. The document provides an example RBAC model and explains the advantages of RBAC in aligning with organizational structures and security principles. Potential disadvantages are that roles, users and permissions need documentation and users can acquire too many privileges. To mitigate issues, the document recommends conducting regular audits and reviewing access when user roles change. Lastly, it previews how to implement RBAC using PHP.

Uploaded by

marcelo.cunha.ti3163
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
688 views29 pages

Authentication and Authorization in PHP: Role-Based Access Control

This document discusses role-based access control (RBAC) and how to implement it in PHP. It defines RBAC as a method of granting access based on a user's role and responsibilities. The key aspects are that it works at the role level rather than individual permissions, and does not have the concept of protected resources like access control lists. The document provides an example RBAC model and explains the advantages of RBAC in aligning with organizational structures and security principles. Potential disadvantages are that roles, users and permissions need documentation and users can acquire too many privileges. To mitigate issues, the document recommends conducting regular audits and reviewing access when user roles change. Lastly, it previews how to implement RBAC using PHP.

Uploaded by

marcelo.cunha.ti3163
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 29

Authentication and Authorization in PHP

ROLE-BASED ACCESS CONTROL

Matthew Setter
PHP SECURITY ENGINEER
@settermjd matthewsetter.com
Module Overview
– Learn about Role-based Access Control
– What it is
– How it works
– Its advantages and disadvantages
– How to implement it in PHP
What is Role-based Access Control?
“Role-Based Access Control, or RBAC, provides
web application security administrators with the
ability to determine who can perform what
actions, when, from where, in what order, and in
some cases under what relational
circumstances. In Role-Based Access Control,
access decisions are based on an individual's
roles and responsibilities within the organization
or user base.”
Role-based Access Control - OWASP
“RBAC can be used to facilitate
administration of security in large
organizations with hundreds of
users and thousands of
permissions, such as those in the
Fortune 500 companies.”
Role-based Access Control - Wikipedia
Differences to Access Control Lists

1. Works at the role level


“An access control list could be used for
granting or denying write access to a particular
system file, but it would not dictate how that
file could be changed. However, in an RBAC-
based system, an operation might be to ‘create
a credit account transaction in a financial
application’ or to ‘populate a blood sugar level
test’ record in a medical application.”
Wikipedia
Differences to Access Control Lists

1. Works at the role level


2. Doesn't have the concept of a resource
network scans remove users
access audits
add users
run reports
update users
search users

change passwords suspend users

check profiles
A Theoretical Model

Users Roles Permissions

IT change
search suspend
user
users user
password

Security Helpdesk
Manager add update delete
user user user
Jane Michael

Helpdesk
Operator
A Theoretical Model

IT

change
search suspend
user
users user
password
Security Helpdesk
Manager
Jane Michael
add update delete
user user user

Helpdesk
Operator
A Theoretical Model

IT
add
user

Security Helpdesk update


Manager user

Jane Michael delete


Helpdesk user
Operator

change
search suspend
user
users user
password
A Theoretical Model

IT
add
user

Security Helpdesk update


Manager user

Jane Michael delete


Helpdesk user
Operator

change
search suspend
user
users user
password
A Theoretical Model

IT
add
user

Security Helpdesk update


Manager user
Jane

delete
Helpdesk user
Operator

Michael change
search suspend
user
users user
password
A Theoretical Model

IT
add
user

Security Helpdesk update


Manager user
Jane

delete
Helpdesk user
Operator

Michael change
search suspend
user
users user
password
A Theoretical Model

IT
add
user

Security Helpdesk update


Manager user
Jane

delete
Helpdesk user
Operator

Michael change
search suspend
user
users user
password
Quick Recap

– Role-based Access Control essentials


– How RBAC is different to ACL
– Saw a theoretical RBAC model
Up Next:
Advantages and Disadvantages
Advantages and Disadvantages
Advantages

– Roles are assigned based on org structure


– Aligns with security principles
– Easier to use and administer than ACLs
A Theoretical Model

IT
add
user

Security Helpdesk update


Manager user
Jane

delete
Helpdesk user
Operator

Michael change
search suspend
user
users user
password
Disadvantages

– Users, roles, and permissions need to be


well documented
– Users can acquire too many privileges
How to Mitigate RBACs Disadvantages

Conduct Regular Audits Review Access as


Users Change Roles
Quick Recap

– Advantages and disadvantages


– How to mitigate some disadvantages
Up Next:
Implement Role-based Access Control in PHP
Implement Role-based Access Control in PHP
Module Recap
Module Recap
– Learned about Role-based Access Control
– What it is
– How it works
– Advantages and disadvantages
– How to implement it in PHP
Up Next:
JSON Web Tokens

You might also like