Authentication and Authorization in PHP: Access Control Lists
Matthew Setter
PHP SECURITY ENGINEER
@settermjd matthewsetter.com
Module Overview
– Learn about Access Control Lists
– What they are
– How they work
– Their advantages and disadvantages
– How to implement them in PHP
What Are Access Control Lists?
“Access Control Lists refer to the permissions attached to an object that specify which users are granted access to that object and the operations they are allowed to perform. Each entry in an access control list specifies the subject and an associated operation that it is permitted to perform.”
Access Control Lists - Techopedia
“Is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials they presented at the time of authentication. In most typical DAC models, the owner of the information or any resource can change its permissions at their discretion.”
Discretionary Access Control - OWASP
Access Control List
– Quickly audit user permissions
– Know what users should not be able to do
– Used for years in computer security
Key: Resources = Objects, Rights = Operations
Quick ACL Demonstration
Ownership Assertions
Ensure that a resource is owned by a given role
Expression Assertions
Check if a property on a role equates to a property on a resource
Callback Assertions
Use custom logic to determine if a permission should be granted
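The three assertion kinds above, shown together in one small deny-by-default ACL. This is an added example written for these notes, not code from the slides or from any PHP library; the `Acl` class, the attribute names (`owner`, `department`, `status`) and the roles and resources are all hypothetical and constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical, not from the slides): a minimal ACL with role
// inheritance, deny by default, and assertion closures that run only when a
// rule otherwise matches. Assertions receive (roleAttrs, resourceAttrs, privilege).
final class Acl
{
    /** @var array<string, array{parent: ?string, attrs: array}> */
    private array $roles = [];
    /** @var array<string, array> resource id => attributes */
    private array $resources = [];
    /** @var list<array{role: string, resource: ?string, privilege: ?string, assert: ?Closure, allow: bool}> */
    private array $rules = [];

    public function addRole(string $id, ?string $parent = null, array $attrs = []): self
    {
        $this->roles[$id] = ['parent' => $parent, 'attrs' => $attrs + ['id' => $id]];
        return $this;
    }

    public function addResource(string $id, array $attrs = []): self
    {
        $this->resources[$id] = $attrs + ['id' => $id];
        return $this;
    }

    /** A null resource or privilege means "any". */
    public function allow(string $role, ?string $resource = null, ?string $privilege = null, ?Closure $assert = null): self
    {
        $this->rules[] = compact('role', 'resource', 'privilege', 'assert') + ['allow' => true];
        return $this;
    }

    public function deny(string $role, ?string $resource = null, ?string $privilege = null, ?Closure $assert = null): self
    {
        $this->rules[] = compact('role', 'resource', 'privilege', 'assert') + ['allow' => false];
        return $this;
    }

    /** Deny by default: access is granted only by an explicit matching rule. */
    public function isAllowed(string $role, ?string $resource = null, ?string $privilege = null): bool
    {
        if (!isset($this->roles[$role]) || ($resource !== null && !isset($this->resources[$resource]))) {
            return false; // unknown role or resource is never granted
        }
        $roleAttrs = $this->roles[$role]['attrs'];
        $resAttrs  = $resource === null ? [] : $this->resources[$resource];

        // Walk from the requested role up through its parents; within a role the
        // most recently added matching rule wins, so a later deny overrides an allow.
        for ($r = $role; $r !== null; $r = $this->roles[$r]['parent'] ?? null) {
            foreach (array_reverse($this->rules) as $rule) {
                if ($rule['role'] !== $r) continue;
                if ($rule['resource'] !== null && $rule['resource'] !== $resource) continue;
                if ($rule['privilege'] !== null && $rule['privilege'] !== $privilege) continue;
                if ($rule['assert'] !== null && !($rule['assert'])($roleAttrs, $resAttrs, $privilege)) continue;
                return $rule['allow'];
            }
        }
        return false;
    }
}

// Constructed demo data: two editors in different departments, two posts.
$acl = (new Acl())
    ->addRole('guest')
    ->addRole('editor', 'guest')
    ->addRole('alice', 'editor', ['department' => 'news'])
    ->addRole('bob',   'editor', ['department' => 'sport'])
    ->addResource('post:1', ['owner' => 'alice', 'department' => 'news',  'status' => 'draft'])
    ->addResource('post:2', ['owner' => 'bob',   'department' => 'sport', 'status' => 'published']);

// Ownership assertion: the role must own the resource.
$isOwner = fn(array $role, array $res): bool => ($res['owner'] ?? null) === $role['id'];
// Expression assertion: a role property must equal a resource property.
$sameDepartment = fn(array $role, array $res): bool =>
    isset($role['department'], $res['department']) && $role['department'] === $res['department'];
// Callback assertion: arbitrary logic, here "only while the post is still a draft".
$draftOnly = fn(array $role, array $res, ?string $priv): bool => ($res['status'] ?? '') === 'draft';

$acl->allow('guest', null, 'view')
    ->allow('editor', null, 'edit', $isOwner)
    ->allow('editor', null, 'review', $sameDepartment)
    ->allow('editor', null, 'delete', $draftOnly);

$checks = [
    ['alice', 'post:1', 'view'],    // allow: inherited from guest
    ['alice', 'post:1', 'edit'],    // allow: alice owns post:1
    ['alice', 'post:2', 'edit'],    // deny:  bob owns post:2
    ['bob',   'post:1', 'review'],  // deny:  sport vs news department
    ['alice', 'post:2', 'delete'],  // deny:  post:2 is published
    ['bob',   'post:1', 'delete'],  // allow: post:1 is still a draft
    ['alice', 'post:1', 'publish'], // deny:  no rule grants "publish"
];
foreach ($checks as [$role, $res, $priv]) {
    printf("%-5s %-7s %-7s => %s\n", $role, $res, $priv, $acl->isAllowed($role, $res, $priv) ? 'allow' : 'deny');
}
```

Two design points worth noting: the default answer is always deny, so a missing or misspelled privilege fails closed, and assertions are evaluated only after role, resource and privilege already match, which keeps the custom logic small and easy to audit.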
Module Recap
– Learned about Access Control Lists
– What they are
– How they work
– Advantages and disadvantages
– How to implement them in PHP
Up Next:
Role-based Access Control