ABAC - How to deal with access permissions for elements of collections using GET?
Question
It is straightforward to check if a user has permission for a GET request on a collection (e.g. /orders), but how does ABAC deal with items of collections? The user may have permission for some items of the collection, but not for others (e.g. the user can only see orders below 10.000 Euro).
Is a separate request to the PDP created for each object in the list, or does the PDP accept a list of requests and return a list of decisions? Since the PIP doesn't know how the collection might be filtered, the decision about access permission can only be made after all objects are fetched.
The returned collection items may only return selected fields. The PIP therefore needs to make another request to fetch the missing attributes. During the time the attributes are fetched and the access is decided, the data can have changed. The decision is then based on different states of the objects. How is this prevented?
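The two mechanisms the question asks about, as an added example that is not part of the question or of any answer: a PDP that takes the whole collection as one batch and returns one decision per item, and an enforcement step that refuses to apply a decision to an object whose state changed between the PIP fetch and the decision. The policy (orders below 10.000 Euro), the attribute names and the `version` change counter are all constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    amount_eur: int
    version: int  # change counter, assumed to be maintained by the data store


# Constructed data store (order_id -> Order); a real PIP would read it from a backend.
STORE = {
    "o1": Order("o1", 5_000, 1),
    "o2": Order("o2", 12_000, 1),
    "o3": Order("o3", 9_500, 1),
}


def pip_fetch_all(store):
    """PIP: fetch the full objects, including the attributes the policy needs, as one snapshot."""
    return list(store.values())


def pdp_decide_batch(subject, orders):
    """PDP: one request carrying the whole list, one decision per item (order_id -> permit).
    Constructed policy from the question's example: permit if the amount is below the subject's limit."""
    limit = subject["order_limit_eur"]
    return {o.order_id: o.amount_eur < limit for o in orders}


def apply_decisions(snapshot, decisions, store):
    """PEP: enforce the decisions, but refuse any item whose stored version differs from the
    version the decision was computed on. Stale items are reported for re-fetch and re-decision
    instead of being returned on the basis of an outdated state."""
    visible, stale = [], []
    for order in snapshot:
        current = store.get(order.order_id)
        if current is None or current.version != order.version:
            stale.append(order.order_id)
        elif decisions[order.order_id]:
            visible.append(order.order_id)
    return visible, stale


def serve_collection(subject, store):
    """GET /orders: fetch once, decide once for the whole list, enforce with the version check."""
    snapshot = pip_fetch_all(store)
    decisions = pdp_decide_batch(subject, snapshot)
    return apply_decisions(snapshot, decisions, store)


if __name__ == "__main__":
    print(serve_collection({"order_limit_eur": 10_000}, STORE))  # (['o1', 'o3'], [])
```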
Answer 1
Score: 1
I couldn't find an answer searching on Stack Overflow, but I kept searching and found a great Stack Overflow answer through Google: