Enhancing Authorization: Harnessing the Power of Partial Evaluation
In today’s security landscape, controlling who has access to information is more important than ever. As systems grow more complex, traditional methods like Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC) have their limitations, especially in dynamic environments. This post examines these methods and introduces a flexible and efficient authorization management solution. Integrating advanced techniques with data storage can make systems more dynamic, efficient, and secure. We’ll describe these solutions and how they enhance security systems.
The Main Authorization Models
Traditionally, organizations use several main methods for authorization, all of which have their own limitations:
- Role-Based Access Control (RBAC): Assigns access rights based on predefined roles. This method is suitable for clear role definitions but lacks flexibility for dynamic conditions.
- Attribute-Based Access Control (ABAC): Provides a more granular level of control, basing decisions on user attributes, the resources they’re accessing and the context of access. This flexibility allows for more dynamic access control policies.
- Policy-Based Access Control (PBAC): Takes flexibility a step further by using policies, which can evaluate a broad range of contexts and conditions to make access decisions. This method is incredibly versatile but can be complex to manage and implement. Permission management services like Open Policy Agent (OPA) and Amazon Verified Permissions (AVP) exemplify this versatile approach.
Standard Authorization Constraints
In a standard approach, managing RBAC within a database by using tables to define roles, is indeed a fit. However, as organizations advance towards PBAC, the model’s constraints within the database are limited and do not offer sufficient flexibility to handle dynamic conditions. The need to maintain a rigorous security model and adapt to changes becomes crucial, encompassing policies that dictate who can access what resources and under what circumstances.
Initially, many organizations tend to manage authorization within the same data storage as the business system. However, this method eventually proves to be complex, less efficient, and prone to problems.
The Challenge: Flexibility at the Expense of Efficiency
Managing authorizations in databases for structured data using well-structured columns and indexes is highly efficient and allows for fast query execution due to indices. However, handling complex systems within databases with dynamic authorization conditions, such as user attributes and environmental factors, can lead to inefficiencies.
When using structured columns with indexes, any changes in permissions require updating the (business) schema. For example, if a new condition based on an IP address is added, a new column for src_ip is required.
On the other hand, when we try to manage the dynamic conditions as unstructured data: when performing a single evaluation on a single record, the cost of searching through unstructured data may not be noticeable. However, when evaluating a large dataset, the search time increases proportionally to the number of records, lacking the efficiency of indexed data searches.
A Real-World Example: Dynamic Authorization in an Enterprise System
Let’s take a policy management example: An enterprise system managing access to sensitive documents based on user roles, departments, location, and access time.
Table: user_access_policies
While a query based on indexed static conditions (role and department) typically has a time complexity of O(log N) due to efficient index usage, the time complexity of a query based on non-indexed dynamic data (such as fields within a JSON column) is O(N). The database system needs to scan through each row that matches the indexed static conditions to evaluate the dynamic conditions within the JSON column.
The following graph shows the correlation between flexibility and efficiency when using a relational database for authorization:
As we see, embedding conditions directly into the schema enhances query performance for static conditions due to efficient index usage. However, incorporating dynamic and context-dependent conditions, such as those stored in JSON columns, provides flexibility at the expense of performance. While this approach accommodates complex authorization models, it introduces significant inefficiencies in query execution.
Motivation for Decoupling the Authorization Engine from the Business Logic
In addition to the flexibility issue at the expense of efficiency, there are other reasons to decouple the authorization mechanism from the business schema. They include:
- Achieve flexibility alongside efficiency. We present a solution that provides this in the following sections.
2. Decouple authorization from application logic: Separate the storage used by business and security personas. Each persona requires access to different data. By decoupling these concerns, the security persona can manage permissions without accessing business information, reducing confusion and simplifying their tasks.
3. Reuse components and save development and maintenance time. The system that manages permissions, for example, can be more general when not coupled with the business model. As a result, it can be used by additional systems.
4. Change business logic and the business schema without needing to alter the authorization engine. This includes 2 systems, with each system having its own schema independently from one another.
Policies Authorization Manager
We’ve now described the issues with a system that combines authorization management with business logic. Let’s now move forward to separate the policies authorization manager from the business system so that we have greater flexibility in defining policies.
In an authorization manager, the policies engine defines and enforces rules that govern user access to resources. It establishes policies that specify which users or roles can perform actions based on conditions such as user attributes and contextual factors. The policy engine evaluates these policies in real time to decide whether a requested operation should be authorized or denied.
Standard Policies Evaluation
Through a policy-based authorization management system, we achieved the separation of the business system from authorization management. We also gained flexibility in defining policies, but we lost the efficiency of managing structured data in an indexed relational database.
Streamlining Access: The Role of Partial Evaluation
In the context of authorization, partial evaluation is a technique used to optimize the evaluation of access control policies. It involves pre-computing parts of an authorization policy based on known information and producing a simplified policy that includes only the conditions dependent on unknown information at the time of computation.
The partial evaluation solution separates context-related evaluations to a dedicated engine while handling database-specific evaluations within the database itself. This allows for efficient processing where the database excels, while the separate engine manages the dynamic and context-dependent conditions.
This approach enhances the database-based authorization model by introducing flexibility, making it more suitable for managing complex, context-dependent, and evolving access requirements.
There are ready-made engines for performing partial evaluation, such as OPA or Cedar Engine. Amazon Verified Permissions Service, for example, uses Cedar engine for managing permissions but does not yet include the functionality for partial evaluation. Of course, you can implement this functionality yourself.
A Real-World Example: An Account Management Application
Envision an account management application that allows a company’s teams to access and manage remote servers. Access is regulated according to the user’s role, the time of the access request, and the originating IP address.
Policy 1: Users can manage accounts if their roles match, and only from the company network during working hours.
Policy 2: Users can manage all public accounts during working hours.
Full vs Partial Evaluation Checks
Let’s take Bob as an example, who holds a DevOps position, with roles managed in an account management database. We want to determine: “Which accounts can Bob manage?”
While a full evaluation checks if Bob can manage a specific account like account X, a partial evaluation addresses the broader question: “Which accounts can Bob manage?” It resolves conditions with available information, such as srcIP (source IP Address) and the current time, and returns policies with only the remaining unknown conditions.
Auth_request {
principal: "devops",
actions: ["UPDATE"],
context: {
srcIp: "192.168.1.15",
time: "10:00"
}
}Partial Evaluation Output:
Your resource data can be managed in any type of data storage. Here, we provide an example using a database or Elasticsearch.
Database Queries Using Simplified Policies
Role-Based Update Action:
Public Resource Update Action:
ElasticSearch Queries Using Simplified Policies
Assuming that you have an index named ‘resources’ in ElasticSearch, your queries would look like this:
Partial evaluation first processes context conditions (IP and time). It then returns simplified policies focused on resource attributes (role and public status), which can be directly queried against multiple data storages. This approach efficiently narrows down potential resources Bob can manage, demonstrating the dynamic adaptability and power of partial evaluation in access control scenarios.
A Practical Approach to Dynamic Authorization
We’ve observed the challenges traditional authorization methods face when relying on databases as authorization engines, particularly in dynamic conditions. However, partial evaluation emerges as a solution, enhancing both flexibility and efficiency in access control. By streamlining access processes, it effectively adapts to complex scenarios, ensuring precise data access in modern systems. Policy authorization management that uses the integration of partial evaluation with databases offers a practical approach to effectively address dynamic authorization challenges.
Thank you to Gil Adda for the professional guidance in writing the post and the development that preceded it.
