Icon View Thread

The following is the text of the current message along with any replies.
Messages 1 to 5 of 5 total
Thread Role Based Access Control (RBAC): a few how-to questions...
Fri, Oct 1 2021 9:38 AMPermanent Link

Bruno Larochelle

Good day EWB colleagues!

I'm trying to go a little bit further in my understanding of controlling database access using RBAC in EWB3.

I have some experience with granting privileges to users using DBISAM server, and MySQL server, so the concepts are not totally foreign to me.

In both DBISAM and MySQL, I can assign specific privileges on a specific database to a specific user. For example, "read" and "update" rights can be assigned to "bob" on the "fishfacts" database.

I'm trying to make parallels with these concepts on the EWB3 server, but have not grasped it completely yet:

1. I understand how to create and assign roles to the users, and how to assign privileges to the roles. The part that I'm not understanding here: how do I specify the database(s) that I'm referring to when assigning the privileges?

2. I have explored the Server > Database and the Server > Database > Commands objects, noticing that I can assign a "privilege" there. But those don't appear to be the same privileges as in the item above. And I can only select a single "privilege".

Anyone cracked through this? Or maybe a simple example would help?


Thanks
Mon, Nov 29 2021 7:25 AMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Bruno,

<< I'm trying to make parallels with these concepts on the EWB3 server, but have not grasped it completely yet:

1. I understand how to create and assign roles to the users, and how to assign privileges to the roles. The part that I'm not understanding here: how do I specify the database(s) that I'm referring to when assigning the privileges? >>

What you do is this:

1) Create the privileges that you wish to use.  You can get as creative as you want here, it's wide open.  You can have separate privileges for separate databases, or share privileges across databases.

2) Assign those privileges to the databases/dataset commands that you want to secure.  Datasets don't have privileges - their "visibility" is determined by whether the dataset's "select" command can be executed.  Likewise, their "read-only" status is determined by whether the dataset's "insert", "update", or "delete" commands can be executed.  You can, effectively, design a setup where a specific dataset can only be inserted into, for example.

3) Assign the privileges to roles, and then those roles to users, and you're all set.

Tim Young
Elevate Software
www.elevatesoft.com
Wed, Dec 1 2021 9:52 PMPermanent Link

Bruno Larochelle

Thanks Tim,

Just to test this out and get the concept clear in my mind, I created three (new) privileges, one for my test DB access privilege, and two for the INSERT and UPDATE SQL commands on my test dataset. Then I created a couple of different roles, assigned the privileges to those roles, and assigned those roles to a couple of users. Finally, I tested the functionality, and it worked as expected! And now, if I have understood this properly, I also understand how this mechanism can be very flexible. Yay!

I do have a question though, or a request to confirm my understanding. The 60+ pre-defined privileges... these are quite simply convenient names that I can use, right? I initially thought these had some defined behaviour, but when I try to edit/inspect one of these privileges, I notice that there is no way to inspect or edit the behaviour, just a name/description. Along the same lines, when I define a new privilege, I simply supply the name/description. The core of the mechanism depends on the assignment of the DB access privilege and the dataset SQL execute privileges. Sorry for the long description, but this is correct, yeah?

Regards, Bruno


Tim Young [Elevate Software] wrote:

Bruno,

<< I'm trying to make parallels with these concepts on the EWB3 server, but have not grasped it completely yet:

1. I understand how to create and assign roles to the users, and how to assign privileges to the roles. The part that I'm not understanding here: how do I specify the database(s) that I'm referring to when assigning the privileges? >>

What you do is this:

1) Create the privileges that you wish to use.  You can get as creative as you want here, it's wide open.  You can have separate privileges for separate databases, or share privileges across databases.

2) Assign those privileges to the databases/dataset commands that you want to secure.  Datasets don't have privileges - their "visibility" is determined by whether the dataset's "select" command can be executed.  Likewise, their "read-only" status is determined by whether the dataset's "insert", "update", or "delete" commands can be executed.  You can, effectively, design a setup where a specific dataset can only be inserted into, for example.

3) Assign the privileges to roles, and then those roles to users, and you're all set.

Tim Young
Elevate Software
www.elevatesoft.com
Thu, Dec 2 2021 6:58 AMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Bruno,

<< I do have a question though, or a request to confirm my understanding. The 60+ pre-defined privileges... these are quite simply convenient names that I can use, right? >>

No, they have a pre-determined usage that corresponds to their description, and that usage is described here in the manual:

https://www.elevatesoft.com/manual?action=viewtopic&id=ewb3&topic=Server_Security

For example, if you are logged in as an administrator (member of the "Administrators" role) and remove the "UpdateDataSet" privilege from the "Administrators" role, you'll notice that you immediately can no longer edit a dataset in the IDE (nor via the Update DataSet administration API call).

<< Along the same lines, when I define a new privilege, I simply supply the name/description. The core of the mechanism depends on the assignment of the DB access privilege and the dataset SQL execute privileges. Sorry for the long description, but this is correct, yeah? >>

Yes, that is 100% correct.  So, you can choose to set up the roles/privileges in any combination that you wish that accomplishes your goals.  My only specific advice is that I would stay away from deleting any built-in privileges, and be careful about removing privileges from the Administrators role, lest you find yourself locked out  or unable to administer some portion of the web server. Smile However, you can't delete privileges/roles that are currently referenced by another server object, so it's really hard to do it by accident.

Hope that helps,

Tim Young
Elevate Software
www.elevatesoft.com
Thu, Dec 2 2021 8:49 AMPermanent Link

Bruno Larochelle

Thanks Tim, that completes the picture for me now! Smile

.. Bruno

Tim Young [Elevate Software] wrote:

Bruno,

<< I do have a question though, or a request to confirm my understanding. The 60+ pre-defined privileges... these are quite simply convenient names that I can use, right? >>

No, they have a pre-determined usage that corresponds to their description, and that usage is described here in the manual:

https://www.elevatesoft.com/manual?action=viewtopic&id=ewb3&topic=Server_Security

For example, if you are logged in as an administrator (member of the "Administrators" role) and remove the "UpdateDataSet" privilege from the "Administrators" role, you'll notice that you immediately can no longer edit a dataset in the IDE (nor via the Update DataSet administration API call).

<< Along the same lines, when I define a new privilege, I simply supply the name/description. The core of the mechanism depends on the assignment of the DB access privilege and the dataset SQL execute privileges. Sorry for the long description, but this is correct, yeah? >>

Yes, that is 100% correct.  So, you can choose to set up the roles/privileges in any combination that you wish that accomplishes your goals.  My only specific advice is that I would stay away from deleting any built-in privileges, and be careful about removing privileges from the Administrators role, lest you find yourself locked out  or unable to administer some portion of the web server. Smile However, you can't delete privileges/roles that are currently referenced by another server object, so it's really hard to do it by accident.

Hope that helps,

Tim Young
Elevate Software
www.elevatesoft.com
Image