Attribute-Based Access Control in Symfony

How to approach authorisation within your
Symfony or PHP application.
Adam Elsodaney
Attribute-Based Access
Control in Symfony
Symfony UK Meetup 30 August 2018

This
presentation is
split into 4 parts
…maybe 5.

Out-of-the-box
Symfony
SecurityBundle
Access Control
0

There are 2 steps to securing a resource.

Authentication is enforced with Firewalls
Authorisation is enforced with Access Controls

That’s easy!
Path
Role
String, Regular Expression
String, RoleInterface, Hierarchical

Access Control Lists
ACL
Role-Based
Access Control
RBAC
Attribute-Based
Access Control
ABAC
There are many types of access control
paradigms depending on your needs

Implementing RBAC:
Probably the most common variant of authorization is role-based
access control (RBAC). As the name implies,
• Users are assigned roles
• Roles are assigned permissions.
• Users inherit the permission for any roles they have been assigned.
• Actions are validated for permissions.
“
https://martinfowler.com/articles/web-security-basics.html

Bob Associate Editor
USER ROLE
Users have roles

Associate Editor
ROLE
Reject Article
Submission
PERMISSION
Approve Article
Submission
PERMISSION
Roles have permissions

Reject Article
Submission
PERMISSION
Approve Article
Submission
PERMISSION
Users inherit the permissions for
any roles they have been assigned
Bob
USER

Reject Article
Submission
PERMISSION
Approve Article
Submission
PERMISSION
Reject Article
Submission
Leave Feedback
Approve Article
Submission
Actions are validated for
permissions

Bob Associate Editor
USER ROLE
Reject Article
Submission
PERMISSION
Approve Article
Submission
PERMISSION
Reject Article
Submission
Leave Feedback
Approve Article
Submission
Action
Role
Code
String, RoleInterface, Hierarchical
Permission
String

Attribute-Based Access Control in Symfony

Editor-in-Chief
ROLE
Associate Editor
ROLE
Reviewer
ROLE
Author
ROLE
Journal Admin
ROLE
System Admin
ROLE
In some cases,
roles inherit the
permissions from other
roles via a hierarchy…

…and/or permissions
inherit the permissions
from other roles via a
hierarchy.
Reject Article
Submission
PERMISSION
Approve Article
Submission
PERMISSION
Make Decision
on Submission
PERMISSION
Do WTH you want
with submissions
PERMISSION
Leave abusive Linus-
Torvalds-style comments
PERMISSION
Administrate journal
PERMISSION
Like Sylius RBAC

$ composer require sylius/rbac
$ composer require sylius/rbac-bundle
Install for Symfony apps
Install for non-Symfony apps

Consider RBAC When
• Permissions are relatively static.
• Roles in your policies actually map reasonably to roles within your
domain, rather than feeling like contrived aggregations of
permissions.
• There isn't a terribly large number of permutations of permission,
and therefore roles that will have to be maintained.
• You have no compelling reason to use one of the other options.
“
https://martinfowler.com/articles/web-security-basics.html

Shortcomings of RBAC
1. Cannot grant permissions per-resource, only by resource type.
2. Does not scope resource properties.

How to Use Access Control Lists (ACLs):
In complex applications, you will often face the problem that access
decisions cannot only be based on the person (Token) who is
requesting access, but also involve a domain object that access is
being requested for. This is where the ACL system comes in.
“
https://symfony.com/doc/3.4/security/acl.html

ACL
ACE
his hers
ACE
ACE
ACL
ACE ACE
ACE
Access Control Lists (ACL)
First, check if the
domain object requested
has an associated ACL.
Each ACL contains one or
more Access Control
Entries (ACEs)

that deﬁnes speciﬁc

permissions for the ACL’s

resource.

ACL
ACE ACE
ACE
Second, check the
domain as a whole.
ACE
ACLs can be
associated

with both objects
(entities)

and domains
(classnames).

Using the Symfony ACL
1. Install Bundle
$ composer require symfony/acl-bundle
2. Conﬁgure
3. Initialise

acl_entries table
• id
• class
• object identity
• security identity
• ﬁeld name
• ACE order
• mask
• is granting
• granting strategy
• audit success
• audit failure

As the boss of this website
I should be able to edit a particular message posted
In order to moderate the content

As the boss of this website
I should be able to edit
a particular message all messages posted
In order to moderate the content

Alternatives to ACLs
Using [ACLs] isn't trivial, and for simpler use cases, it may be overkill.
If your permission logic could be described by just writing some code
(e.g. to check if a Blog is owned by the current User), then consider
using voters. A voter is passed the object being voted on, which you can
use to make complex decisions and effectively implement your own
ACL. Enforcing authorization (e.g. the isGranted() part) will look
similar to what you see in this article, but your voter class will handle
the logic behind the scenes, instead of the ACL system.
“
https://symfony.com/doc/3.4/security/acl.html

Security Voters provide a mechanism to set up
ﬁne-grained restrictions in Symfony applications.
The main advantage over ACLs is that they are
an order of magnitude easier to set up, conﬁgure
and use.
“
http://symfony.com/blog/new-in-symfony-2-6-simpler-security-voters

In Symfony, an authorisation decision will
always be based on the following:
TOKEN
When a user is authenticated
(identiﬁed) they will receive a
token from the ﬁrewall to hand
over to the access control in the
authorisation step.
We can get the user’s identity
from the token.
SET OF
ATTRIBUTES
Each attribute stands for a
certain right the user
should have.
Eg. Role, Order Number,
Email Address,Time of Day
RESOURCE
Any object for which access
control needs to be checked,
like an article or a comment
object (or a piggy bank
object containing bitcoins)

Voter
1
Voter
2
Voter
3
Voter
4
Voter
5
Voter
6
Contains all voters. Some
might be supported based on

the attributes to vote on.
Access Decision
Manager

Voter
1
Voter
2
Voter
3
Voter
4
Voter
5
Voter
6
PERMIT DENY
Not
Supported PERMIT PERMIT ABSTAIN
Access Decision
Manager

Voter
1
Voter
2
Voter
3
Voter
4
Voter
5
Voter
6
PERMIT DENY
Not
Access Decision
Manager
Afﬁrmative Strategy
grant access as soon as
there is one voter granting
access
PERMIT

Voter
1
Voter
2
Voter
3
Voter
4
Voter
5
Voter
6
PERMIT DENY
Not
Access Decision
Manager
Consensus Strategy
grant access if there are
more voters granting
access than there are
denying
PERMIT

Access Decision
Manager
Unanimous Strategy DENY
grant access only if none
of the voters have denied
access
Voter
1
Voter
2
Voter
3
Voter
4
Voter
5
Voter
6
PERMIT DENY
Not

Built-in Symfony Voters
RoleVoter
RoleHierarchyVoter
All are in the SymfonyComponentSecurityCoreAuthorizationVoter namespace

Built-in Symfony Voters
AuthenticatedVoter
ExpressionVoter

Creating custom voters
First, deﬁne what attributes you want to check.

Second, check if your voter should vote on the
given subject or attributes.

Finally, declare the service and it is ready to use.
In this example, the customer who make a purchase order did so without

creating an account or logging in, but would still need be able to access their

order details on the website.

Shortcomings of Symfony Voters
1. Not necessarily runtime capable - Still requires
writing code for access rules, unless you implement
a Voter that loads its rules from the database.

ABAC
via
XACML*
4
*Pronounced “X-akamull”, “X-A-C-M-L” or “zakamull”

[What is XACML?]
XACML (eXtensible Access Control Markup Language) offers a
standardized way to achieve externalized and dynamic authorization.
This means that authorization decisions are made by an authorization
service at run-time based on policies which determine what actions a
user or service can perform on a given information asset and in a
speciﬁc context.
“
https://www.axiomatics.com/100-pure-xacml/

http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

XACML Administration
Policy
Data
PAP
• Create, View, Delete policies
• Version policies on Update
• Evaluate policies before committing
Policy Administration Point (PAP)
(Very similar to the IAM in Amazon Web Services)
policy
policy set

XACML Enforcement Flow
Symfony
Authorization
Checker
PDP
XACML
Request
PEP
Context
Data
PIP PRP
Policy
Data
Allow
Deny
XACML
Response
isGranted()
Policy
Enforcement
Point
Policy
Information
Point
Policy
Retrieval
Point
Policy
Decision
Point
time of day
server env
current user
policy
policy set
sky is blue
resource
request
…

PolicySet
Policy PolicySetPolicy
Rule Rule
Rule Rule
Rule Rule
Rule Rule
Policy
Policy
Policy Sets contain a collection
of Policies.
They may also contain or
reference other Policy Sets.
However, the Decision Point
will only evaluate at Policy level.
Rules are never
evaluated by themselves.
XACML 3.0 Policies

Targets and Rules
Part of what [the] XACML PDP [Policy Decision Point] needs to do is find a policy
that applies to a given request. To do this, XACML provides another feature called a
Target.
A Target is basically a set of simplified conditions for the Subject, Resource and Action
that must be met for a PolicySet, Policy or Rule to apply to a given request.
If all the conditions of a Target are met, then its associated PolicySet, Policy, or Rule
applies to the request.
In addition to being a way to check applicability, Target information also provides a
way to index policies, which is useful if you need to store many policies and then
quickly sift through them to find which ones apply.
“
https://www.axiomatics.com/100-pure-xacml/

Policy A
Request
Policy B
Policy C
Policy D
Policy E
Policy F
Policy G
A Request must be matched to a
Policy
This is done using Targets

Policy
Rule
Rule
Rule
Rule
XACML 3.0 Targets
TARGET
Subject
Resource
Action
Policies, Policy Sets
and Rules only apply
if the Target matches.
Policy Set
TARGET
Subject
Resource
Action
Policy Policy
Policy Policy
Rule
Permit
TARGET
Subject
Resource
Action

REQUEST POLICY
Targets consist of Subject, Resource and Action
behaves like Voter::supports() in Symfony
TARGET
Subject: Bob
Resource: CJES Article #3
Action: edit
TARGET
Subject: Bob
Resource: CJES Article
Action: edit
TARGET
Subject: Bob
Resource: CJES Article
Action: create
TARGET
Subject:Alice
Resource: FNAN Article
Action: any

Policy A
Request
Policy B
Policy C
Policy D
Policy E
Policy F
Policy G
More than one policy may be matched

XACML 3.0 Rule Example
* The XACML syntax is more verbose than what you see here.

Understanding XACML
combining algorithms
If a policy contains multiple
rules, and the rules return
different decisions e.g.
Permit and Deny, what should
the policy return? Permit? Deny?
Neither?
“
https://www.axiomatics.com/blog/understanding-xacml-combining-algorithms/
Policy
Rule
Rule
Rule
Rule

XACML 3.0 Rule-Combining
and Policy-Combining Algorithms
deny-overrides
permit-overrides
ﬁrst-applicable
behaves like AccessDecisionManager Strategies in Symfony
only-one-applicable (policy only)
ordered-permit-overrides
deny-unless-permit
permit-unless-deny
ordered-deny-overrides
R1 R2 R3 D
P
D
D
P
P
D

XACML 3.0 Policy Example
* The XACML syntax is more verbose than what you see here.

Conditions

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal"
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time"
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal"
<EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time"
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
</Apply>
</Condition>
Allow only logins between 9am and 5pm.

Conditions
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-
<EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#t
AttributeId="urn:oasis:names:tc:xacml:1.0:en
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</A
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equ
<EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#t
AttributeId="urn:oasis:names:tc:xacml:1.0:en
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</A
</Apply>
</Condition>
Allow only logins between 9am and 5pm.
Apply
Apply
and
Condition

current-time
time-one-
and-only:
time-less-than-or-equal:
17:00:00
Conditions
<Condition f="and">
<Apply f="time-greater-than-or-equal"
<Apply f="time-one-and-only">
<EnvironmentAttributeSelector
DataType="#time"
AttributeId="environment:current-time"/>
</Apply>
<AttributeValue
DataType="#time">09:00:00</AttributeValue>
</Apply>
<Apply f="time-less-than-or-equal"
<Apply f="time-one-and-only">
<EnvironmentAttributeSelector
DataType=“#time"
AttributeId="environment:current-time"/>
</Apply>
<AttributeValue
DataType=#time">17:00:00</AttributeValue>
</Apply>
</Condition>
Condition
current-time
time-one-
and-only:
time-greater-than-or-equal:
* The XACML markup above has been condensed for
brevity
09:00:00
and

current-time
time-one-
and-only:
time-less-than-or-equal:
17:00:00
Conditions
$timeGreaterThanOrEq = function($x, $y): bool {
return $x >= $y;
}
$timeLessThanOrEq = function($x, $y): bool {
return $x <= $y;
}
$timeOneAndOnly = function($x): DateTimeInterface {
return new DateTimeImmutable($x);
}
$condition = Functionaltrue([
$timeGreaterThanOrEq(
$timeOneAndOnly($env->getCurrentTime()), ’09:00:00’
),
$timeLessThanOrEq(
$timeOneAndOnly($env->getCurrentTime()), ’17:00:00’
),
]);
Condition
current-time
time-one-
and-only:
time-greater-than-or-equal:
09:00:00
and

What’s a XACML Obligation?
The XACML standard deﬁnes the concept of obligations which are
elements which can be returned along with a XACML decision (either
of Permit or Deny) in order to enrich that decision. Obligations are
triggered on either Permit or Deny. The Policy Enforcement Point
[PEP] must implement and enforce obligations. If it fails to do so, it
must deny access to the requested resource (in the case of a Permit).
“
https://www.webfarmr.eu/2015/02/tgif-xacml-whats-a-xacml-obligation/

Examples of Obligations
• Auditing - Log when an action was
performed on a resource.
• Security Checkup - Ask the user to review
their 2FA details after a remembered login.
• Security Lockdown - If credentials entered
incorrectly multiple times.
• Break-the-Glass Scenario - Medical
records may need to be accessed in
emergency situations, regardless of what
permissions were granted.

Shortcomings of XACML
• XACML syntax is very verbose.
• Is complex, though it better describes
business requirements than ACL when rules
are persisted.
• Somewhat limited resources, or non-concise.
• Perhaps overkill and Enterprise-y™ …?

and the winner is…
ABAC
using Symfony
Voters3

• Symfony Voters solve 80%
of your requirements for
20% of the work.
SUMMARY
• XACML would solve 100% of your
requirements, would scale well, is
designed for runtime and is
enterprise-capable, but the
learning curve is steep, and there
are no well established tools in
PHP.
• RBAC is not compatible with single
entities.
• ACL is compatible with single
entities, but is non-trivial.

Thank you for listening
Adam Elsodaney
LEAD DEVELOPER
ACL Demo

https://github.com/adamelso/acland

Slides

github.com/adamelso/symfony-uk-meetup-2018-08-30-access-control

adam@veruscript.com
@ArchFizz @Veruscript
www.veruscript.com
Publish high-quality, cost-eﬀective
journals with our publishing services

Attribute-Based Access Control in Symfony

More Related Content

What's hot (20)

Similar to Attribute-Based Access Control in Symfony (20)

Recently uploaded (20)

Attribute-Based Access Control in Symfony