Assign security policy to decision privilege
Ralasafe protects an application by controlling access in two directions:
- Querying information, such as customers and bills, from the system;
- Committing data to the system, such as updating a customer or deleting a bill.
We call the first category of privilege a query privilege and the second category a decision privilege.
Ralasafe's decision privilege supports these features:
- Return a different decision depending on the requesting user;
- Return a different deny reason depending on the requesting user.
See javadoc for details:
- org.ralasafe.Ralasafe permit methods;
- org.ralasafe.WebRalasafe permit methods;
- org.ralasafe.entitle.Decision.
You can assign more than one policy to a decision privilege. Each policy contains a decision, a user category, business data and a deny reason.
The Ralasafe engine evaluates security policies in order, from the first to the last. The steps are:
- Check whether the requesting user has been granted this privilege; if not, return deny;
- Evaluate the first security policy's user category;
  - If the user category matches, evaluate the business data;
    - If the business data matches, return this policy's decision. If the decision is deny, this policy's deny reason becomes the deny reason for the request;
    - If the business data does not match, the next policy is evaluated;
  - If the user category does not match, the next policy is evaluated;
- Evaluate the next security policy's user category; if it matches, evaluate the business data, and so on;
- If the requesting user doesn't match any policy, return deny, with the deny reason "You are not granted to execute it".
In the Ralasafe demo, the loan money privilege is assigned these policies:
This means that any request to loan more than 5000$ is denied; if anyone loans less than 5000$, and all money loaned in one day is less than 20000$, the request is permitted; otherwise it is denied.
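A minimal Python model of the evaluation order described above, added here as an illustration; it is not Ralasafe code and does not use the Ralasafe API. The policy list is one constructed set consistent with the loan description, and the deny-reason strings, the `day_total` context key and the `loan` helper are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY = "permit", "deny"
DEFAULT_REASON = "You are not granted to execute it"  # fallback reason quoted on the page


@dataclass
class Policy:
    decision: str                                       # PERMIT or DENY
    user_category: Callable[[dict], bool]               # does the user belong?
    business_data: Callable[[dict, dict, dict], bool]   # (user, data, context) -> match?
    deny_reason: Optional[str] = None


def evaluate(user, granted, policies, data, ctx):
    """First-match evaluation; returns (decision, deny_reason)."""
    # Step 1: the user must hold the privilege at all.
    # Assumption: the page gives no reason text for this case, so the fallback is reused.
    if not granted:
        return DENY, DEFAULT_REASON
    for p in policies:
        if not p.user_category(user):
            continue                      # user category mismatch -> next policy
        if not p.business_data(user, data, ctx):
            continue                      # business data mismatch -> next policy
        # First policy matching on both counts decides; later ones are never read.
        return p.decision, (p.deny_reason if p.decision == DENY else None)
    return DENY, DEFAULT_REASON           # no policy matched -> default deny


anyone = lambda user: True

# Constructed policies following the loan description; reason strings are made up.
LOAN_POLICIES = [
    Policy(DENY, anyone, lambda u, d, c: d["amount"] > 5000, "Single loan limit exceeded"),
    Policy(PERMIT, anyone, lambda u, d, c: d["amount"] < 5000 and c["day_total"] < 20000),
    Policy(DENY, anyone, lambda u, d, c: True, "Loan not permitted by policy"),
]


def loan(amount, day_total, granted=True):
    """Hypothetical helper: evaluate one loan request for a constructed user."""
    return evaluate({"name": "demo-user"}, granted, LOAN_POLICIES,
                    {"amount": amount}, {"day_total": day_total})
```

Because the first matching policy wins, reordering the list changes the outcome: with the catch-all deny placed first, every request is denied.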
When the design work is finished, we can test (simulate) it online immediately. This is a sample of the simulation screen:

It contains five parts:
- Select user panel: click the find button and select a user from the pop-up user list window;
- Context value panel: this panel is optional; it is shown only if the policies extract data from the context;
- Business data (JavaBean) panel: enter your mapping class and set the values of the needed properties;
- Test result panel: after you click the green run button, the Ralasafe engine evaluates this privilege;
- Policy and eval result panel: shows the evaluation result of each policy.