Authentication and Authorization in PHP

ROLE-BASED ACCESS CONTROL

Matthew Setter
PHP SECURITY ENGINEER
@settermjd matthewsetter.com
Module Overview
– Learn about Role-based Access Control
– What it is
– How it works
– Its advantages and disadvantages
– How to implement it in PHP
What is Role-based Access Control?
“Role-Based Access Control, or RBAC, provides
web application security administrators with the
ability to determine who can perform what
actions, when, from where, in what order, and in
some cases under what relational
circumstances. In Role-Based Access Control,
access decisions are based on an individual's
roles and responsibilities within the organization
or user base.”
Role-based Access Control - OWASP
“RBAC can be used to facilitate
administration of security in large
organizations with hundreds of
users and thousands of
permissions, such as those in the
Fortune 500 companies.”
Role-based Access Control - Wikipedia
Differences to Access Control Lists

1. Works at the role level

“An access control list could be used for
granting or denying write access to a particular
system file, but it would not dictate how that
file could be changed. However, in an RBAC-
based system, an operation might be to ‘create
a credit account transaction in a financial
application’ or to ‘populate a blood sugar level
test’ record in a medical application.”
Wikipedia
Differences to Access Control Lists

1. Works at the role level

2. Doesn't have the concept of a resource
 network scans remove users
access audits
add users
run reports
update users
search users

change passwords suspend users

check profiles
 A Theoretical Model

Users Roles Permissions

IT change
search suspend
user
users user
password

Security Helpdesk
Manager add update delete
user user user
Jane Michael

Helpdesk
Operator
 A Theoretical Model

IT

change
search suspend
user
users user
password
Security Helpdesk
Manager
Jane Michael
add update delete
user user user

Helpdesk
Operator
 A Theoretical Model

IT
add
user

Security Helpdesk update

Manager user

Jane Michael delete

Helpdesk user
Operator

change
search suspend
user
users user
password
 A Theoretical Model

IT
add
user

Security Helpdesk update

Manager user

Jane Michael delete

Helpdesk user
Operator

change
search suspend
user
users user
password
 A Theoretical Model

IT
add
user

Security Helpdesk update

Manager user
Jane

delete
Helpdesk user
Operator

Michael change
search suspend
user
users user
password
 A Theoretical Model

IT
add
user

Security Helpdesk update

Manager user
Jane

delete
Helpdesk user
Operator

Michael change
search suspend
user
users user
password
 A Theoretical Model

IT
add
user

Security Helpdesk update

Manager user
Jane

delete
Helpdesk user
Operator

Michael change
search suspend
user
users user
password
Quick Recap

– Role-based Access Control essentials

– How RBAC is different to ACL
– Saw a theoretical RBAC model
Up Next:
Advantages and Disadvantages
Advantages and Disadvantages
Advantages

– Roles are assigned based on org structure

– Aligns with security principles
– Easier to use and administer than ACLs
 A Theoretical Model

IT
add
user

Security Helpdesk update

Manager user
Jane

delete
Helpdesk user
Operator

Michael change
search suspend
user
users user
password
Disadvantages

– Users, roles, and permissions need to be

well documented
– Users can acquire too many privileges
How to Mitigate RBACs Disadvantages

Conduct Regular Audits Review Access as

Users Change Roles
Quick Recap

– Advantages and disadvantages

– How to mitigate some disadvantages
Up Next:
Implement Role-based Access Control in PHP
Implement Role-based Access Control in PHP
Module Recap
Module Recap
– Learned about Role-based Access Control
– What it is
– How it works
– Advantages and disadvantages
– How to implement it in PHP
Up Next:
JSON Web Tokens