
I tried to understand RBAC in order to determine if it is a good solution for our problem.

Let's say that the context is a bank. Among the several actors, we have account managers and clients.

I think I have understood RBAC for the account manager. If we imagine Account Managers can create, modify, view and remove accounts, then:

  • Account Manager is a role,
  • create, modify, view, remove are the operations,
  • accounts are objects,
  • create account is one of the permissions associated with the role Account Manager.

But my problem is about clients ... They can consult only their accounts.

My problem is: how can we specify this particular account in RBAC? Is it even possible, or must I choose another way of managing access control? And which one?

Mohicane
  • Possible duplicate of [RBAC - How to implement per instance access control? (DDD)](https://stackoverflow.com/questions/33515483/rbac-how-to-implement-per-instance-access-control-ddd) – Mohicane Jan 12 '18 at 13:12
  • Use attribute based access control and XACML – David Brossard Jan 12 '18 at 19:39

1 Answer

As mentioned, Attribute Based Access Control may be a good solution. And XACML could be used in an application with complex policies.

Here is very understandable documentation about ABAC in Spring Security.

Mohicane
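To make the distinction concrete for the asker's own bank scenario, here is an added example (not code from the question, the answer, or Spring Security): the role-to-operation table is plain RBAC, and the client rule "only their own accounts" is expressed as an ABAC condition evaluated against attributes of the subject and the account instance. The names `Subject`, `Account`, `is_allowed` and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset  # e.g. frozenset({"client"})


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str  # attribute used by the ABAC condition


# Pure RBAC: role -> operations permitted on the "account" object type.
ROLE_PERMISSIONS = {
    "account_manager": {"create", "modify", "view", "remove"},
    "client": {"view"},
}


def owns_account(subject: Subject, account: Account) -> bool:
    """ABAC condition: the account's owner attribute must match the subject."""
    return account.owner_id == subject.user_id


# Per-role conditions on the resource instance; roles without an entry
# (here account_manager) get the operation on any account.
ROLE_CONDITIONS = {
    "client": owns_account,
}


def is_allowed(subject: Subject, operation: str, account: Account) -> bool:
    """Deny by default; allow only if some role grants the operation AND
    that role's instance condition (if any) holds for this account."""
    for role in subject.roles:
        if operation not in ROLE_PERMISSIONS.get(role, set()):
            continue
        condition = ROLE_CONDITIONS.get(role)
        if condition is None or condition(subject, account):
            return True
    return False


def visible_accounts(subject: Subject, accounts: list) -> list:
    """Listing endpoint: filter instances through the same decision function."""
    return [a for a in accounts if is_allowed(subject, "view", a)]
```

The decision function is the single place where both the role check and the per-instance attribute check happen, which is what keeps "view any account" (manager) and "view my account" (client) from being confused.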