An Rbac class object describes an access control model based on types, permissions, roles, and limitations/rules for operations. These parameters are defined in the configuration of the Rbac class object.
Object configuration
An Rbac class object configuration contains the following elements:
types – list of object types and subject types permitted by the model. Example: types: [core, einit, tls, smm, auth, app]
images – list of images from which the subjects are created.
permissions – list of permissions permitted by the model (see Permissions).
roles – list of roles permitted by the model (see Roles).
create_subject – limitations and rules for the subject creation operation (see Limitations/rules: creating a subject).
create_object – limitations and rules for the object creation operation (see Limitations/rules: creating an object).
retype_object – limitations and rules for changing an object type (see Limitations/rules: changing the object type).
add_roles – limitations and rules for adding roles to a subject (see Limitations/rules: adding roles to a subject).
All configuration parameters are required when creating a class object.
Audit configuration
An Rbac class object does not contain additional fields for an audit configuration.
Example
security.psl
use nk.rbac._

policy object rbac0 : Rbac {
    config =
        { types: ["actors", "userland", "obscura"]
        , images: []
        , permissions:
            { mundane: ["observe"]
            , unusual: ["research"]
            }
        , roles:
            { admin:
                { extends: []
                , rights: []
                }
            , user:
                { extends: []
                , rights:
                    [ { from: ["actors"]
                      , to: ["userland"]
                      , permissions: ["mundane/observe"]
                      }
                    ]
                }
            , obscurantist:
                { extends: []
                , rights:
                    [ { from: ["actors"]
                      , to: ["obscura"]
                      , permissions: ["mundane/observe"]
                      }
                    , { from: ["actors"]
                      , to: ["obscura"]
                      , permissions: ["unusual/research"]
                      }
                    ]
                }
            , hyperadmin:
                { extends: ["user", "admin", "obscurantist"]
                , rights: []
                }
            }
        , create_subject:
            [ { source_type: ["actors"]
              , source_role: ["admin"]
              , target_type: ["actors"]
              // it might be nice to have @any target_role selector
              , target_role: ["user", "obscurantist"]
              , target_type_auto: ()
              , target_role_auto: []
              , image: []
              }
            , { source_type: ["@any"]
              , source_role: ["@any"]
              , target_type: ["actors"]
              , target_role: ["admin"]
              , target_type_auto: ()
              , target_role_auto: []
              , image: []
              }
            ]
        , create_object:
            [ { source_type: ["actors"]
              , source_role: ["user"]
              , target_type: ["userland"]
              , target_type_auto: ()
              , container_type: ["@any"]
              }
            , { source_type: ["actors"]
              , source_role: ["obscurantist"]
              , target_type: ["obscura"]
              , target_type_auto: ()
              , container_type: ["@any"]
              }
            ]
        , retype_object:
            [ { source_type: ["actors"]
              , source_role: ["admin"]
              , target_type: ["userland", "obscura"]
              , original_type: ["userland", "obscura"]
              , container_type: ["@any"]
              }
            ]
        , add_roles:
            [ { source_type: ["actors"]
              , source_role: ["admin"]
              , target_type: ["@source_type"]
              , target_role: ["admin", "user", "obscurantist"]
              }
            ]
        }
}
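As an added example (not KasperskyOS code and not part of this page's PSL), the following Python checker mirrors the types, permissions and roles of the configuration above, reports dangling references (a role extending an undeclared role, a right naming an undeclared type or "group/permission"), and resolves rights inherited through extends so that a question such as "may an actors subject holding hyperadmin research an obscura object?" can be answered before the policy is deployed. The rule that a right applies when the subject type is listed in from and the object type in to is an assumption about how rights are interpreted; images and the operation rules (create_subject, create_object, retype_object, add_roles) are not modelled.

```python
# Added example (not KasperskyOS code): validates an Rbac-style config and
# resolves role inheritance; access semantics of `rights` are an assumption.

# Constructed to mirror the page's example (images and operation rules omitted).
RBAC_CONFIG = {
    "types": ["actors", "userland", "obscura"],
    "permissions": {"mundane": ["observe"], "unusual": ["research"]},
    "roles": {
        "admin": {"extends": [], "rights": []},
        "user": {"extends": [], "rights": [
            {"from": ["actors"], "to": ["userland"], "permissions": ["mundane/observe"]}]},
        "obscurantist": {"extends": [], "rights": [
            {"from": ["actors"], "to": ["obscura"], "permissions": ["mundane/observe"]},
            {"from": ["actors"], "to": ["obscura"], "permissions": ["unusual/research"]}]},
        "hyperadmin": {"extends": ["user", "admin", "obscurantist"], "rights": []},
    },
}


def validate(cfg):
    """Return dangling references (unknown role, type or permission); [] means consistent."""
    perms = {f"{g}/{p}" for g, ps in cfg["permissions"].items() for p in ps}
    types, roles = set(cfg["types"]), set(cfg["roles"])
    errors = []
    for name, role in cfg["roles"].items():
        errors += [f"{name}: unknown parent role {r}" for r in role["extends"] if r not in roles]
        for right in role["rights"]:
            errors += [f"{name}: unknown type {t}" for t in right["from"] + right["to"] if t not in types]
            errors += [f"{name}: unknown permission {p}" for p in right["permissions"] if p not in perms]
    return errors


def effective_rights(cfg, role, seen=None):
    """Own rights plus everything inherited through `extends` (guards against cycles)."""
    seen = set() if seen is None else seen
    if role in seen:
        return []
    seen.add(role)
    spec = cfg["roles"][role]
    rights = list(spec["rights"])
    for parent in spec["extends"]:
        rights += effective_rights(cfg, parent, seen)
    return rights


def is_allowed(cfg, subject_type, subject_roles, object_type, permission):
    """Assumed rule: a right applies when subject type is in `from` and object type in `to`."""
    return any(subject_type in r["from"] and object_type in r["to"] and permission in r["permissions"]
               for role in subject_roles for r in effective_rights(cfg, role))
```

Running validate on a configuration before it is built into the security module catches a mistyped type or permission name that would otherwise silently grant nothing (or, for a misnamed parent role, fail only at policy compile time).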