Previous Content Next
Assign security policy to decision privilege Keeping application safe

Let's talk about non-role privilege

The privileges discussed above are based on the Role-Based Access Control (RBAC) model.

What is a non-role privilege

Take a look at this picture. It is from the ralasafe demo: the employee manager page as seen when logged in as John Smith.

The Company combo box displays different values depending on which user is logged in, so it belongs to the privilege domain.

But it is not good advice to do things like these:

  1. have the administrator assign this combo box to a role, and then assign that role to users; or
  2. have the developer tie this combo box to the page's privilege, so that a user who has been granted permission to view the page is automatically granted the combo box as well.

Both are too complicated and often confuse people.

In ralasafe we call this a non-role privilege, because there is no need to evaluate function-level ACL on small widgets such as the Company combo box. What ralasafe cares about is the fine-grained ACL of such widgets, and we can assign security policies to them directly. Ralasafe supports non-role query privileges and non-role decision privileges, which work the same way as normal privileges.

In the ralasafe demo we assigned a security policy to this combo box. If someone has the privilege to request the page, the Company combo box shows only the login user's company.

You can switch off ralasafe's function-level ACL

If your application already has an RBAC model and implementation, you can also treat normal privileges as non-role privileges in ralasafe. Let your own system take responsibility for the RBAC ACL (function-level ACL), and let ralasafe handle the fine-grained ACL.
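The two layers described in this section, as an added example that is not ralasafe's own code: the application's own RBAC decides whether the user may open the employee manager page at all, and a non-role privilege attached to the Company combo box filters the options to the login user's company (query privilege) and re-checks the value the form posts back (decision privilege). The class names, the policy callables and the sample users and companies are all assumptions constructed for this example; the ralasafe API itself is not used here.

```python
"""Two-layer access control modelled on the page's description.

Layer 1: function-level ACL, role based, decides whether the user may open
the page at all.  Layer 2: a non-role privilege (a security policy attached
to one widget) filters what the Company combo box offers and checks what
the form sends back.  All names and data are constructed for this example;
nothing here is ralasafe's own API.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    company_id: int
    roles: frozenset


@dataclass(frozen=True)
class Company:
    id: int
    name: str


# Constructed sample data: three companies, three users.
COMPANIES = [Company(1, "Acme Ltd"), Company(2, "Globex Inc"), Company(3, "Initech")]
JOHN = User("John Smith", company_id=2, roles=frozenset({"hr_manager"}))
JANE = User("Jane Doe", company_id=3, roles=frozenset({"hr_manager"}))
BOB = User("Bob Lee", company_id=1, roles=frozenset({"sales"}))

# Layer 1: the application's own RBAC.  Page -> roles allowed to open it.
PAGE_ROLES = {"employee_manager": {"hr_manager", "admin"}}


def can_open_page(user: User, page: str) -> bool:
    """Function-level ACL: true if the user holds any role granted the page."""
    return bool(PAGE_ROLES.get(page, set()) & user.roles)


# Layer 2: a non-role privilege.  No role is assigned to the widget; instead a
# query policy filters the rows it shows and a decision policy judges one
# submitted value.  Both are deny-by-default when no policy is attached.
Policy = Callable[[User, Company], bool]


class NonRolePrivilege:
    def __init__(self, name: str, query_policy: Optional[Policy] = None,
                 decision_policy: Optional[Policy] = None) -> None:
        self.name = name
        self._query = query_policy
        self._decision = decision_policy

    def query(self, user: User, rows: Iterable[Company]) -> List[Company]:
        """Query privilege: keep only the rows the policy allows for this user."""
        if self._query is None:
            return []                      # no policy attached: show nothing
        return [row for row in rows if self._query(user, row)]

    def decide(self, user: User, row: Company) -> bool:
        """Decision privilege: allow or deny a single value for this user."""
        if self._decision is None:
            return False                   # no policy attached: deny
        return self._decision(user, row)


# The policy the page describes: the combo box shows the login user's company.
same_company: Policy = lambda user, company: company.id == user.company_id
COMPANY_COMBO = NonRolePrivilege("company_combo",
                                 query_policy=same_company,
                                 decision_policy=same_company)


def company_combo_options(user: User) -> List[Company]:
    """What the Company combo box lists on the employee manager page."""
    if not can_open_page(user, "employee_manager"):
        raise PermissionError(f"{user.name} may not open employee_manager")
    return COMPANY_COMBO.query(user, COMPANIES)


def accept_submission(user: User, company_id: int) -> bool:
    """Server-side check when the form posts back a company id.

    Filtering the combo box is presentation only; a client can post any id,
    so the decision privilege must be evaluated again on the submitted value.
    """
    if not can_open_page(user, "employee_manager"):
        raise PermissionError(f"{user.name} may not open employee_manager")
    company = next((c for c in COMPANIES if c.id == company_id), None)
    return company is not None and COMPANY_COMBO.decide(user, company)


if __name__ == "__main__":
    print([c.name for c in company_combo_options(JOHN)])            # ['Globex Inc']
    print(accept_submission(JOHN, 2), accept_submission(JOHN, 1))   # True False
```

The point of keeping both policies on the same widget is that the filtered combo box is only what the browser is offered; the decision privilege is what actually stops a user from posting a company id they were never shown. Deny-by-default when no policy is attached keeps a forgotten widget from leaking data.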
