Implement instance-based access control in Spring-based SAP Cloud Platform applications
Ever thought about using instance-based authorizations? Maybe your functional authorization checks are not fitting your use case.
Assume you want to protect business objects or data records and the existing roles, scopes and attributes model does not help. Then you might want to use access control lists, which allow you to attach permissions to dedicated object instances. These permissions define the operations, such as read, write and publish, that can be granted to an identity. An identity can be a user principal or can match a user role or attribute. An Access Control List (ACL) is what we call the list of permissions attached to a dedicated instance. An instance could be a business object of the type procurement order, leave request or advertisement. With Spring Security ACL you can control the access to dedicated instances.
The Spring ACL approach can be useful for you when the following criteria apply:
- The instance-based access cannot solely be protected by roles (scopes and attributes), and in addition there is no “static” criterion (like cost center, confidentiality level, …) that could be used as a filter. Then the decision whether a user is authorized for a certain instance can be made per instance, completely free of limitations, just by maintaining the ACL.
- The instance-based access has to change dynamically during the instance lifecycle without any attribute value changing. This can be done by changing the ACL without changing the object itself.
- The instance owner wants to delegate permissions to a dedicated user or substitute without consulting the administrator. For example, during vacation a manager wants to delegate the approval of leave requests to the dedicated team leads.
- The user’s authorization is related to an object that does not directly belong to the core domain of your application, like a cost center, and is therefore not part of your application persistence. ACL entries can still reflect this kind of relationship between application instances and foreign domain objects as part of the ACL.
- You want to model ACL hierarchies.
  - For example, you are a facilitator and you have edit permissions for some buildings at a location. Furthermore, you should have the same permissions for most of the rooms that are linked to those buildings.
  - The same could be the case for organizational hierarchies, like cost centers.
- You want to manage the ACL as part of your application and close to the instances you want to protect, without delegating the task of authorization management to a dedicated user administrator.
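To make the hierarchy and delegation criteria above concrete, here is an added example (not code from the original post or from the linked GitHub project): a dependency-free Java model of how Spring Security ACL decides access. It mirrors the rules of Spring's `AclImpl`/`DefaultPermissionGrantingStrategy`: entries are checked in order, the first entry matching both the permission and one of the caller's identities decides (granting or denying), and an ACL with no matching entry defers to its parent when entry inheritance is switched on. The class and method names (`Acl`, `Sid`, `Ace`, `grant`, `deny`, `revoke`, `isGranted`) are our own, chosen to read like the Spring API, and the building, room, user and role values are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/*
 * Added example: a minimal model of Spring Security ACL evaluation.
 * Not Spring's code; names and sample data are our own.
 */
public class AclModel {

    /** The operations that can be granted per instance (Spring uses bit masks for these). */
    enum Permission { READ, WRITE, PUBLISH }

    /** A security identity: a user principal or a granted authority (role/attribute). */
    record Sid(boolean principal, String name) {
        static Sid user(String name) { return new Sid(true, name); }
        static Sid role(String name) { return new Sid(false, name); }
    }

    /** One access control entry: who, which permission, grant or deny. */
    record Ace(Sid sid, Permission permission, boolean granting) {}

    /** The ACL attached to one object instance (one room, one leave request, ...). */
    static final class Acl {
        final String objectId;
        final List<Ace> entries = new ArrayList<>();
        Acl parent;
        boolean entriesInheriting = true;

        Acl(String objectId) { this.objectId = objectId; }

        Acl grant(Sid sid, Permission p) { entries.add(new Ace(sid, p, true)); return this; }
        Acl deny(Sid sid, Permission p) { entries.add(new Ace(sid, p, false)); return this; }
        Acl revoke(Sid sid, Permission p) {
            entries.removeIf(a -> a.sid().equals(sid) && a.permission() == p);
            return this;
        }
        Acl setParent(Acl parent) { this.parent = parent; return this; }

        /** The caller's identities (principal plus roles) are checked against the entries in order. */
        boolean isGranted(Set<Sid> callerSids, Permission p) {
            for (Ace ace : entries) {
                if (ace.permission() == p && callerSids.contains(ace.sid())) {
                    return ace.granting();          // first matching entry wins, deny included
                }
            }
            if (entriesInheriting && parent != null) {
                return parent.isGranted(callerSids, p);   // walk up the hierarchy
            }
            return false;   // Spring raises NotFoundException here; callers treat it as "denied"
        }
    }

    /** Hierarchy case: facilitator rights on a building flow down to its rooms, with one exception. */
    static boolean[] buildingHierarchy() {
        Acl building = new Acl("building-1").grant(Sid.role("ROLE_FACILITATOR"), Permission.WRITE);
        Acl lobby = new Acl("room-101").setParent(building);              // inherits WRITE
        Acl serverRoom = new Acl("room-102").setParent(building)
                .deny(Sid.role("ROLE_FACILITATOR"), Permission.WRITE);    // explicit deny on this room
        Set<Sid> alice = Set.of(Sid.user("alice"), Sid.role("ROLE_FACILITATOR"));
        return new boolean[] {
            lobby.isGranted(alice, Permission.WRITE),        // true: inherited from the building
            serverRoom.isGranted(alice, Permission.WRITE),   // false: deny entry matched before inheritance
            building.isGranted(alice, Permission.READ)       // false: no entry for READ anywhere
        };
    }

    /** Delegation case: a manager hands approval of a leave request to a team lead for the vacation period. */
    static boolean[] vacationDelegation() {
        Acl leaveRequest = new Acl("leave-request-42").grant(Sid.user("bob"), Permission.PUBLISH);
        Set<Sid> carol = Set.of(Sid.user("carol"), Sid.role("ROLE_TEAMLEAD"));
        boolean before = leaveRequest.isGranted(carol, Permission.PUBLISH);   // false
        leaveRequest.grant(Sid.user("carol"), Permission.PUBLISH);            // bob delegates, no admin involved
        boolean during = leaveRequest.isGranted(carol, Permission.PUBLISH);   // true
        leaveRequest.revoke(Sid.user("carol"), Permission.PUBLISH);           // bob is back
        boolean after = leaveRequest.isGranted(carol, Permission.PUBLISH);    // false
        return new boolean[] { before, during, after };
    }

    public static void main(String[] args) {
        System.out.println("hierarchy  [lobby, serverRoom, read] = " + Arrays.toString(buildingHierarchy()));
        System.out.println("delegation [before, during, after]  = " + Arrays.toString(vacationDelegation()));
    }
}
```

The two points worth noticing are that the deny entry on the server room is found before the parent ACL is consulted, so an exception to an inherited right needs no change to the building's ACL, and that the delegation is a single entry added and later removed on the instance itself, with the leave request object untouched. Both are exactly the cases the criteria list describes; in a real application these entries would live in the ACL tables and be written through Spring's `MutableAclService`.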
Additionally, Spring ACL simplifies the implementation of audit logs and GDPR compliance as all relevant data is stored in central authorization tables.
A short comparison of the Filter Approach with the ACL Approach:
Advantages of the Filter Approach
- Simplicity and lower development effort, as no additional infrastructure is needed.
Advantages of the ACL Approach
- The authorization decision is easier to understand, as missing authorizations can be clearly identified as such and not just as a reduced result list of an operation, which can have different reasons.
- Auditability and logging of the authorization-relevant data take much less effort, as all information is kept in a central place (the ACL tables) and not distributed across application tables that have to take care of their own change log.
- The ACL approach can be combined with the filter approach (at the cost of an additional table JOIN).
You can now make use of instance-based access control for your Spring-based SAP Cloud Platform applications.
We have a solution for you. A detailed description with a Spring Boot 2.0 demo example can be found on GitHub:
Access Limitation on Instances using Spring ACL
It leverages Spring Security ACL and integrates with the SAP Cloud Platform XSUAA service using the SAP Container Security Library (Java), which is available on Maven Central.
The example on GitHub also shows how you can make use of user attributes to implement attribute-based access control (ABAC).
The microservice used in the example on GitHub is adapted from the code developed in the openSAP course Cloud-Native Development with SAP Cloud Platform and runs in the Cloud Foundry environment within SAP Cloud Platform.